MJN - RISK MANAGEMENT - INTERNATIONAL CLASS - GANJIL 2021/2022

Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations. Employee errors, criminal activity such as fraud, and physical events are among the factors that can trigger operational risk. There are seven categories of operational risk laid out in Basel II:

1. Internal fraud. Misappropriation of assets, tax evasion, intentional mismarking of positions and bribery.
2. External fraud. Theft of information, hacking damage, third-party theft and forgery.
3. Employment practices and workplace safety. Discrimination, workers' compensation, employee health and safety.
4. Clients, products and business practice. Market manipulation, antitrust, improper trade, product defects, fiduciary breaches and account churning.
5. Damage to physical assets. Natural disasters, terrorism and vandalism.
6. Business disruption and systems failures. Utility disruptions, software failures and hardware failures.
7. Execution, delivery and process management. Data entry errors, accounting errors, failed mandatory reporting and negligent loss of client assets.

Two things are generally required to measure operational risk: key risk indicators (KRIs) and data. Measurement, however, can be especially challenging when organizations are unable to integrate all the diverse types of data required to understand the organization's operational risk. 

Some organizations have a formal operational risk management function, while others don't. Those that have them tend to be at different stages of maturity. However, these are the steps companies follow:

1. Define operational risk management, its scope, purpose and function. Keep in mind that operational risk definitions vary from industry to industry.
2. Define roles that will be necessary for the function to succeed, which may involve -- but does not necessarily require -- a chief operational risk officer.
3. Define operational risk management's relationship to other risk management functions cooperatively with those other functions.
4. Decide the ways in which operational risk will be monitored and measured.
5. Decide which tools will be necessary to enable a successful operational risk function, and determine whether those tools already exist in the organization or if additional tools are required. Procure what's necessary with the help of IT and security to avoid introducing unnecessary risk into the tech stack or unknowingly creating security gaps.
6. Identify the necessary data sources and their owners; secure access to the data needed for operational risk management.
7. Work with other risk functions and the business to identify process-related risks and their respective causes.
8. Identify risks related to processes, such as whether they can scale as necessary or whether the processes are adequate within the context in which they run.
9. Define risk categories.
10. Map processes in detail, along with their risks and controls.
11. Define key risk indicators.
12. Ensure that each part of the organization involved in a process has been identified.
13. Understand what resources are required for a process. Monitor for changes, such as the need to scale up or down.
14. Understand the company's risk appetite in detail.
15. Implement control measures.
16. Educate the workforce about operational risks and what's expected of them as individuals. Include contact information so employees know whom to contact about a potential issue.
17. Assess the impact of the operational risk management function on the business, and to the degree it involves change, ensure sound change management practices.
18. Continuously measure and monitor operational risks. Use the historical data to understand trends, weak spots, etc.

Legal risks refer to damage or any loss incurred to a business due to negligence in compliance with laws related to the business. It can be encountered at any stage of business proceedings. There may be mistakes due to a misunderstanding of laws and due to some documents which need to be deposited to the authority regulating that particular business. Types of risks such as compliance risk, regulatory risk, operational risk etc. may contribute to the term ‘legal risk’. The whole reputation of an organization depends upon these risks as they may result in an immense loss. It may result in the failure of a business too.
Some types of legal risk that a business can face includes regulatory risks, compliance risks, contractual risks, non-contractual risks, dispute risks, and reputational risks.