So, what do the August 2017 presidential elections, the near-collapse of Kenya Airways (KQ), the circus of the hoods at Kenya Revenue Authority in July 2019, the infamous IFMIS scandals the structural collapse of private and public schools, among other mega scandals have in common?
They exemplify operational risk events that have affected just about every sector of Kenya’s economic life.
These are not tail events, but frequent and impactful occurrences whose consequences linger on for generations. The list of operational risk events is endless. Most of the events if not all are tragic, and represent some element of moral failure, a flaw in character, nevertheless, they are serious operational risk failures.
Many people have a difficult time understanding operational risk, while an even the majority of stakeholders have never heard of the term — even though a great number of risk managers and finance specialists continually affirm that extraordinarily poor management of operational risk (not other categories of risk, such as market, liquidity or credit) is exactly what led to the collapse of global financial markets in 2007-2008. In Kenya, at the centre of most losses, collapsed organisations and institutions, collapsed buildings and even electoral malpractices occur due to failure of operational risk management.
There is the misplaced perception that credit risk the possibility of a loss resulting from a borrower’s failure to repay a loan or meet their contractual obligations is the most important of the core risks. It simply is not and pales in comparison with operational risk.
Market risk, which is caused by changes in commodities, asset prices, changes in interest rate, and foreign exchange, remain largely insignificant in the risk taxonomy and economic life.
The beast lies in operational risk, and its impact is larger than the combined force of credit and market risks.
What matters most, boards, C-suite ought to be closely watching over are failures in operational risk management. But, more damaging and still unclear to many is the present convergence of operational and cyber risks that should trigger a renewed sense of urgency in managing operational risk.
And should anyone think that the call for a renewed effort to identify and manage the risk is a red herring consider this: In 2017, Kenya lost about Sh18 billion to cybercriminals. In 2018, cybercrime losses jumped to Sh30 billion!
Conservative estimates have it that Kenya’s organisations will lose through cyber and operational risk more than Sh38 billion ($3.8 billion) in 2019. A majority of these losses will come from financial institutions, and will not include those at parastatals and the KRA.
The concept is simple but the impact is devastating. So why do so many people, including boards, CEOs and shareholders have such a hard time getting their heads around operational risk — the risk of loss from any operational failure at a company or organisation? And even less understood and practised is the risk control self-assessment— an empowering method or process by which management and staff collectively identify and evaluate risks and associated controls.
That is exactly why professionals, practitioners, investors and other stakeholders need to get up to speed to the required standard on operational risk management. If they don’t, there’s every reason to expect other financial implosions, incomplete projects, misjudgments, and collapsed buildings and bridges will follow.
Just what is an operational risk?
Hence, how do we accurately define operational risk? On its face, it sounds simple: it is the risk of financial loss from any operational failure.
However, operational failure is a dizzying array of possible events, actions, and inactions — everything from unintended execution errors, system failures and acts of nature to conscious violations of policy, law and regulation.
The depth and breadth of issues and “cross-silo” concerns that have led to ongoing confusion about exactly what is and isn’t an operational risk — and continuing doubts about how to identify and manage it.
To illustrate, too often operational risk has been misdiagnosed as other, relatively newer areas of recognised exposures such as those involving IT security, supply chain, collapsed buildings, pure neglect of projects and business interruptions.
There are four factors that constitute operational risk — internal processes, people, systems or external events, which are exceptionally wide-ranging and cover virtually every element of the operations of banks and financial institutions and generally other organisations but do not include credit, market or liquidity risks.
Typically, executives at non-financial organisations advance these views — pointing out, for instance, that they don’t run complex trading operations or have the related balance sheet concerns faced daily by the world’s banking, energy and commodity firms.
The core message in their arguments is that operational risk is not a risk, but the cost of doing business which can be controlled and budgeted for. If this were true, then the collapse of Trust, Chase, Dubai and Delphis banks, or such international banks as Barings would never have happened. Operational risk can result in catastrophic losses that cannot necessarily be absorbed by operating earnings and general resources – hence the need for a buffer in the form of capital.
What matters is that regulators, mostly in the financial services sector, have formally recognised operational risk as a legitimate issue, which has helped encourage its active recognition or its management.
Non-financial firms have now equally conceded the catastrophic of unaddressed cases of operational risk. We have plenty of them in this country.
Next week we look at what is at stake in terms of operational risk and how to manage it.
The writer is founder Fincap Risk Advisors.