Main Risk Types


Operational risk assessment

Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational risk also effectively includes anything that can impact on the overall performance of the organisation and on the ability of the organisation to create value. Operational risk therefore includes events such as mistakes or missed opportunities.

Operational risks are all unexpected losses which have their origin in internal errors or staff related deficiencies, in processes and systems and in external events. Operational risk assessment is the evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events. In certain industries, regulators have imposed the requirement that companies regularly identify and their exposure to such risks. While responsibility for managing the risk lies with the business, an independent function often acts in an advisory capacity to help assess these risks.

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Similarly, operational risk can arise due to internal events such as the potential for failures or inadequacies in any of the bank's processes and systems (e.g. its IT, risk management or human resources management processes and systems), or those of its outsourced service providers.

Operational risk arising from human resources management may refer to a range of issues such as mismanaged or poorly trained employees; the potential of employees for negligence, wrongful misconduct; conflict of interests; fraud; rogue trading; and so on. Therefore the emergence of mistrust, failure to communicate, low morale and cynicism among staff members, as well as increased turnover of staff, should be regarded as indicative of a potential increase in operational risk.

There are four main causes of operational risk that are identified in standard operational risk definitions. Operational risk events can occur when there are inadequacies or failures due to: people (human factors), processes, systems, and external events.

A successful operational risk program combines qualitative and quantitative approaches to ensure operational risk is both appropriately measured and effectively managed.

Operational risk assessment should cover risk appetite and tolerance for operational risk, as specified through the policies for managing this risk, including the extent and it should also include policies outlining the organisation's approach to identifying, assessing, monitoring and controlling/mitigating the risk.

Main Factors Generating Operational Risk

The events mentioned above may occur due to both internal and external factors in the following areas:

Internal factors

People

The management of human resources and employees' behaviour can become a major source of operational risk. Poorly trained or overworked employees may inadvertently expose the organisation to operational risk (for example, via processing errors). Understanding of the mandate, confidence in and respect for the institution as well as adherence to the organisation's policies and strategies are key for effective use of human resources. In addition, the continuous availability of its employees, or the organisation's ability to replace them, can influence its ability to recover from interruptions to the continuity of its operations. Therefore, the organisation can realize significant improvements in its control of operational risk and reduce exposure if it invests time and money in creating an appropriate risk culture, in which employees are aware of operational risks and are encouraged to learn from their mistakes.

Processes and systems

An organisation's operations are supported by many different systems and processes, such as IT systems, human resource management systems, credit, market, insurance and liquidity risk management systems and even operational risk management systems. These systems may have many different components, each of which requires the operation of various processes. For example, the credit risk management system for the organisation should and does include processes for the identification, measurement, monitoring and control of credit risk. Complex or poorly designed systems and processes can give rise to operational losses, either because they are unfit for purpose, or because they malfunction. As a result, the organisation may experience a wide range of problems, including settlement-processing errors, fraud and information security failures. In addition, the increasing automation of systems and our reliance on IT has the potential to transform risks from minor manual processing errors to major systematic failures.

External factors

External events can have a major impact on a firm. The organisation should be aware that both expected and unexpected changes to its operations can be major sources of operational risk. The organisation should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Disruptive events

Such events include fire, flooding, earthquakes, terrorist actions, vandalism, power failures, etc. The organisation should assess the potential risk for such events to happen, and design and put in place disaster recovery systems and procedures, with a view to ensuring continuity of activity. Against the monetary loss derived from such events the organisation should evaluate potential cost and acquire proper insurance.

Use of Consultants and Outsourcing of Services

Outsourcing arrangements require careful management if they are to yield benefits, and where they are not managed adequately the degree of operational risk faced by the organisation may increase, as is also the case with excessive use of and dependency upon consultants for activities that may be more effectively developed internally. In particular, an issue for concern is the loss of control over processes. This could create a serious threat to the continuity of its operations if these providers were to fail.

Principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated

Clear strategies adopted by the Board of Directors and oversight exercised by Senior Management.
Strong internal operational risk culture (internal operational risk culture is taken to mean the combined set of individual and corporate values, attitudes, competencies and behaviour that determine a firm's commitment to and style of operational risk management) and internal control culture, emphasizing dual controls.
Effective monitoring and internal reporting.
Contingency and business continuity plans.
High standards of ethics and integrity.
Commitment to effective IT governance, including, among others, segregation of duties, avoidance of conflicts of interest, and clear lines of management responsibility, accountability and reporting, as reflected in the organisation's IT governance documents.
All levels of staff shall understand their responsibilities with respect to operational risk management.

Management of operational risk:

The scope of operational risks is measured by the probability and impact of the unexpected losses stemming from the deficiency or failure of internal processes, persons and systems, or external occurrences. A quantitative assessment requires such losses to be quantified as expected costs and assumes that probabilities and actual losses can be measured. At the theoretical level, complete quantification is impossible. In practice, any analysis of probability and size of operational risks is also defeated by the lack of relevant data. Operational risks and the losses they generate should be captured systematically and completely at the level of the individual transaction in a database or risk ledger. They should then be analysed and where appropriate quantified and aggregated.

In summary the main elements of operational risk management are: APIP&C: avoid, prevent, insure, provide and collect data. Generally, managements are adopting the bottom-up method for operational risk rather than the top-down approach (Hans Geiger, 2001).

Risk = (event, hazard, control).

Operational risk relates to the production process.

Technical risk assessment: Evaluation of potential for technology system failures and the organization's return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cyber-crime. This is typically performed by an organization's information technology risk and governance specialists. The scope of risk assessment that management chooses to perform depends upon priorities and objectives.

Technical risk is perhaps the most important area of risk management because technical risk, and the degree to which technical processes can be controlled, is a significant driver of all other program risks. Technical risk relies on expected behaviours of installation components, which may or may not fail when fulfilling their function.

Technical risk uses decomposition (analytical methods). Technical risk concerns closed technical installations, which are not recursive, not reflexive, not evolving, not sensitive and not open to their environment as self-organised complex systems. Technical risk relies on cause and effect relationships that are determined through the use of general laws. Technical risk can use data on the reliability of equipment when available and combine them for the purpose of QRA (Quantitative Risk Assessment) or SIL (Safety Integrity Level) estimation, and can therefore be quantitative (use of probabilities). Technical risk relies on representation of reality through the use of plans. A high level of shared representation about the technical installation is reached at the risk assessment stage.

Risk can therefore be measured or classified in terms of likelihood and consequence. In terms of classifying risk there is a functional relationship between likelihood and consequence. This relationship is sometimes referred to as the first-level equation for risk:

Technical Risk = (event, likelihood, impact)

Technical risk refers to the set of technical problems associated with a new or emerging technology. The characterization of technical risk in physical systems (as opposed to software) has been discussed elsewhere; we summarize it here. With a new or emerging technology, many types of technology problems will be encountered. Technology problems can arise from application of a new process, material, or subsystem before fully understanding the parameters that control performance, cost, safe operating latitudes, or failure modes. Technical risk is often among the most profound of risks, because technical failure is a show-stopper. It is impossible to sell a new product, or to implement a new manufacturing process, if key technical components fail.

They can occur if a previously commercialized technology is extended outside the known domains of the pertinent design rules. They can also occur from unexpected interactions arising from a new or unique combination of subsystems or components. An example is the requirement for much more precise motion quality when digital imaging subsystems are substituted into hardware that was previously based on analogue technology. Periodically during the technology development process, technology reviews should be conducted in which technology champions and a peer group of subject-matter experts participate. These reviews enable a list of anticipated or known technology problems to be generated and tracked over time. Each technology problem can be rated using a uniform method, such as the technical risk algorithm shown in Figure 4. This information can be aggregated to create a risk profile for the new technology that can be followed over time, and to position the new technology on the scale in Table 1.

As technologies move from the research bench to product development, there is an inherent tension between the technology champions and the product chief engineer. The technologist creates new concepts, new surprises, and new risks. He or she is optimistic, is successful if his or her ideas are adopted, and may overstate the merits. The chief engineer, on the other hand, tries to solve problems, avoid surprises, and minimize risk; he or she is successful if the product meets the specification on schedule, irrespective of the technology used. The technical risk approach outlined here is intended to provide a framework for managing this inherent tension, to help identify the risk as soon as possible so that appropriate measures can be taken.

As Richard Feynman said during the investigation of the Challenger disaster, "for a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." Technical risk depends on how much you really know about the total enterprise, not just the technical aspects of the initial invention. The more truly knowledgeable you are about the technical market requirements and other downstream issues, the better you can assess and deal with the technical risks that occur in later phases. Technical risk does not exist in isolation, but rather in a close partnership with other aspects of the total project enterprise, and is highly influenced by in-house capability and experience to understand and deal with changes in those areas. There is no question that the ability to estimate and manage technical risk in the later phases (market requirements and robust commercialization) is highly dependent upon a correct and detailed understanding of the specific technical market requirements that will govern the final phases of commercialization.

Frits Tazelaar, Chris Snijders, 2013, Operational risk assessments by supply chain professionals: Process and performance, Eindhoven University of Technology, The Netherlands, Elsevier B.V.
Milan Rippel, Petr Teplý, 2011, Operational Risk Scenario Analysis, Prague Economic Papers, 1.
Levine, M. and Hoffmann, D. G., 2000, Enriching the Universe of Operational Risk Data: Getting Started on Risk Profiling, Operational Risk, 25-39.
Hans Geiger, 2001, Regulating and Supervising Operational Risk for Banks.
Guldimann, T., 2000, Operational Risk: Divide and Conquer, Risk, April, 54.
Jean-Christophe Le Coze, 2005, Are organisations too complex to be integrated in technical risk assessment and current safety auditing?, Verneuil-en-Halatte, France, Elsevier Ltd.

Strategic risk assessment: Evaluation of risks relating to the organization's mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.

Strategic risk relates to risk at the corporate level, and it affects the development and implementation of an organisation's strategy. In developing a strategy, an organisation makes an assessment of market conditions today. It then goes on to forecast the various changes that will occur in the market over a period of time.

Strategic risk includes risk relating to the long-term performance of the organisation. This includes a range of variables such as the market, corporate governance and stakeholders.

Strategic risks also tend to be more complex and difficult to model and assess than operational risks. Strategic risk management is concerned with the identification and management of these risks in order to ensure that the organisation finishes up within an acceptable distance of the original goal.

Strategic Risk = (event, uncertainty, consequences)

When we develop a strategy we think about the risks associated with it, thus strategic risk relates to risk at the corporate level and affects the development and implementation of an organisation's strategy.

Strategic Risk Management is a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization's ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder and stakeholder value.

The strategic risk process involves identifying, assessing, and managing both internal and external events and risks that could impede the achievement of strategy and strategic objectives. The ultimate goal is creating and protecting shareholder and stakeholder value. It is a primary component and necessary foundation of the organization's overall enterprise risk management process. As a component of ERM, it is by definition effected by boards of directors, management, and others. It requires a strategic view of risk and consideration of how external and internal events or scenarios will affect the ability of the organization to achieve its objectives. It is a continual process that should be embedded in strategy setting, strategy execution, and strategy management. Organizations can adapt the definition and principles of SRM in developing their action plans for strengthening ERM and focusing it on strategic risks.


Effective decision making

Effective decision making is the most important part of a senior manager's job. However, it is also the most challenging task they face in their managerial responsibilities. A number of scholars have contributed to the field of understanding the nature and the process of decision making. One of the most notable is Simon's (1977) work on the new science of management decisions. Simon (1977) proposed a generic decision making process which follows intelligence-design-choice phases. In his theory, he states that decision makers spend a large fraction of their time surveying the organisational environment to identify new varieties that call for new actions in the intelligence phase. In the design phase they individually, or with their subordinates, design and develop possible courses of action for handling situations where a decision is needed. In the choice phase, they select from those available courses of action to meet and solve an identified problem. The intelligence phase entails scanning the environment, either intermittently or continuously (Turban & Aronson, 1998). It is argued that the support for the intelligence phase is of particular