Operational risk management with a focus on compliance
The approach to evaluating internal controls and risks has become more standardised in the past two decades due to the intervention of governments, regulators, stock exchanges, credit-rating agencies and institutional investors demanding increased assurance and insight on risk and the effectiveness of controls.
The Sarbanes-Oxley Act 2002 and the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control — Integrated Framework of 1992, prompted by financial fraud such as that at WorldCom and Enron, have led to increasing pressure on companies to focus more on operational risk and risk management.
Operational risk refers to the possibility of experiencing financial loss because of inadequate or ineffective policies, plans, procedures or other events that obstruct business operations. Operational risk could be a result of a number of factors, such as employee mistakes, natural disasters and fraud.
Most companies are aware that mistakes could arise in their processes or through human error. To minimise exposure and ensure efficient responses, operational risk should be evaluated and practical corrective solutions specified.
The goal of operational risk management
Operational risk management aims primarily to reduce risk associated with a company’s daily operations. New business models, complex value chains, regulatory challenges and increasing digitalisation have resulted in hitherto unknown operational risk, including cybersecurity risk, third-party risk, business disruption/system failure and internal and external fraud, affecting every internal process.
Operational risk management could be utilised for the following purposes:
- Identify and address major vulnerabilities and risks
- Operate effectively in a high-risk environment
- Improve business resilience
- Make the company safer and more profitable
When dealing with operational risk, a company must consider all aspects of its goals. Given how pervasive operational risk is, the aim is to reduce risk to an acceptable level. In addition to determining who controls operational risk, operational risk management seeks to mitigate hazards through risk identification, assessment, measurement, mitigation, monitoring and reporting.
Source: Acuity Knowledge Partners
What is compliance management?
Corporate responsibility is now more important than ever for both customers and investors, and any company that fails to take compliance management seriously would face multiple negative effects. A company should ensure all regulatory policies are adhered to in order to mitigate risk and avoid regulator attention that could lead to harsh penalties. Regulatory compliance is just one aspect of risk management. To fulfil regulatory obligations, businesses must also demonstrate that they have drafted, and are adhering to, their own internal compliance procedures.
Managing compliance risk
The regulatory environment is becoming increasingly complex, with an increasing number of laws, regulations and guidelines. Companies need to handle situations with proper planning and execution while being cognisant of operational performance. Once they have a solid understanding of the numerous compliance risks they face, they could devise strategies to address them. A step-by-step method would ensure all the boxes are checked.
Factors affecting compliance risk:
- Third parties, such as vendors, partners, contractors and service providers, could represent compliance risk in a number of ways.
- A company could be held accountable if a partnership with a supplier requires it to disclose sensitive client data and those details are compromised.
- Before entering into any third-party relationship, it is critical that the company conduct thorough due diligence.
- Not keeping abreast of changes in legislation and standards affecting the company increases compliance risk. To mitigate this, a company needs to ensure it follows defined protocols. This could include engaging with compliance subject-matter experts, attending conferences and meetings, reading industry-specific literature and using specialised compliance software.
Operational risk management and compliance are closely linked. Undefined processes, process interruptions and poor operational decision-making increase the likelihood of a company breaching regulations and having to face high penalties, a negative financial impact and reputational damage. These challenges are exacerbated for companies operating in highly regulated sectors, such as financial institutions, which face a larger compliance burden.
Compliance with established rules and regulations would shield companies from a wide range of risks. Operational risk management with a focus on compliance would help companies ensure integrity and stability of their operations and mitigate threats that could lead to non-compliance.
How Acuity Knowledge Partners can help
We are proficient in providing global compliance services to various segments of the market. In terms of operational risk management, we provide expertise in e-communication surveillance, where we monitor internal and external exchange of e-communication on platforms such as email, Microsoft Teams, Skype, Bloomberg and terminal messages. We review activities relating to operational risk and escalate potential issues for review and resolution and help clients assess the risk a business line generates.
To achieve this, we include processes such as the following:
- Risk identification
- Risk assessment
- Risk monitoring
- Risk reporting
These processes are based on rules and regulations set by regulatory bodies. Our flexible engagement model enables clients to work with us in a temporary or ongoing capacity specifically tailored to their needs.