The world has become increasingly complex with events such as the global financial crisis, the Covid-19 pandemic and the war in Ukraine exposing the far-reaching impact of operational risk and the consequences of failing to address it. The need for effective operational risk management has never been more acute. If there ever was a time for organisations to improve their operational risk management, this is it. And Professor Simon Ashby has written a book that helps them do just that. In Fundamentals of Operational Risk Management he offers a fresh perspective.
The Institute of Risk Management (IRM) defines operational risk as the effect, positive or negative, of unpredictable outcomes on the efficiency and effectiveness of operations. The term first emerged in financial services and particularly in the Basel II Accord in 1999. Over time, more and more organisations in other industries started to incorporate operational risk into their overall management, bringing in learnings from other areas such as engineering, supply chain management and operations management. As the discipline matured, the Institute of Operational Risk (IOR), of which Simon was the Chair, compiled a set of sound practice guidelines. When the IOR and the IRM merged in 2018, Simon was asked to update these guidelines to reflect the continued development of the field. “They were very well received,” he remembers. “So much so that the publisher suggested to turn them into a book, so people would have all the information available in one resource.”
Fundamentals of Operational Risk Management was launched last April, which was timely, says Simon: “We’re in a world of more extreme risks. For example, pandemics aren’t anything new, but the global response by governments, what with lockdowns and travel restrictions, is something we’ve never seen before. The same goes for the Ukraine crisis. Again, war is timeless, but the impact this conflict has on energy prices and weak supply chains is very different. We’re living in a globalised, more complex world. So events like these have a bigger impact on organisations and there’s no reason to believe this will change. If anything, things will get more extreme and unpredictable.” However, this doesn’t mean we can’t do anything about it. “This book is full of success stories of organisations that managed their operational risk effectively.”
The book addresses the issue of complexity, i.e. how to effectively manage risk in a complex environment. To this end, it explores the key components of effective operational risk management, while outlining how to implement a sound and robust operational risk management framework embedded in an organisation’s day-to-day activities. It covers the main operational risk management tools, such as categorisation, risk and control self-assessments, operational risk indicators, scenario analysis and stress testing, to name just a few. Finally, it highlights the importance of risk culture and how it can be assessed, monitored and influenced.
Talking about risk culture, Simon recalls visiting several organisations to study their implementation of operational risk management: “Some had really sophisticated systems, but the organisation that proved to be the most effective in its operational risk management had one of the simplest setups, just a few spreadsheets, and they weren’t assessing many different risks either. But their risk management function had built this incredible social network with effective communication and relationships with the rest of the organisation. It really struck me at the time that it’s about people and about how good they are. This organisation had a true risk culture, and risk management had become part of their core business.” He pauses, then adds: “You know, I’ve noticed that sometimes, especially when organisations have these complicated systems, there is a danger that risk management becomes separated from the business, that it ends up being a box-ticking exercise. Nothing of the sort in this organisation. With them, risk management was very much embedded.”
Every concept discussed in the book is illustrated by compelling and topical case studies from all sorts of industries, showing examples of both successes and failures.
“One of the success case studies from recent times I really like is the case of H-E-B Supermarket in Texas. Back in January 2020, H-E-B, unlike its competitors, was already preparing for the impact of Covid-19. They were investing in PPE, in the safety and welfare of their staff, and they took preventive measures to minimise the effect of supply chain breakdowns. They responded very quickly and effectively to the threat, which has had a positive effect on their reputation and on their bottom line. Operational risk management at H-E-B is in stark contrast to the way in which Volkswagen dealt with their emission scandal, which is a textbook example of how not to manage reputational risk.
Asked what he wants readers to take away from this book, Simon answers:
Who should read this book? “It’s not an introductory book,” Simon says. “And while it’s definitely suited for students studying risk management if they’ve already had a basic course, it’s specifically aimed at practitioners looking to improve their practice. Now, they shouldn’t try and read it in one go. It’s not designed to be read from cover to cover, but rather as a reference resource to dip in and out of as needed. Say, you want to start using risk and control self-assessments, or you want to improve your key risk indicator reporting, then you can have a look at those sections.”
What makes this book stand out is the fact that it builds on the entire body of knowledge and expertise within the profession, explains Simon: “A lot of people provided input for the original sound practice guidelines. Granted, I wrote the book, and I’ve further developed existing work, adding cases, examples and insights based on my own experience and research. But it’s very much a reflection of the development of our profession as a whole.”