So, what do the August 2017 presidential elections, the near-collapse of Kenya Airways (KQ), the circus of the hoods at KRA in July 2019, the infamous IFMIS scandals at the National Youth Service (NYS), the CBK and Kamlesh Pattni Goldenberg scandals of the 1990s, the Sh50 billion possible loss at the National Hospital Insurance Fund (NHIF), the Britam versus Cytton legal wrangles, the alleged executive grand theft of the Kamwarer and Arror dams funds, the structural collapse of private and public schools in the country have in common?
They exemplify operational risk events that have affected just about every sector of Kenya’s economic life in the recent and not so recent past. These are not tail events, but frequent and impactful occurrences whose consequences linger on for generations.
The list of operational risk events in this country is endless. Most if not all of the events are tragic, and represent some element of moral failure, some flaw in character, nevertheless, they are serious operational risk failures.
Many people have a difficult time understanding operational risk, while an even larger majority of stakeholders have never heard of the term – even though a great number of risk managers and finance specialists continually affirm that extraordinarily poor management of operational risk (not other categories of risk, such as market, liquidity or credit) is exactly what led to the collapse of global financial markets starting in 2007/2008.
In Kenya at the centre of most losses, collapsed organisations and institutions, collapsed buildings and even electoral malpractices occur due to failure of operational risk management. Successful management of risk is underpinned on behaviour and conduct.
In this country, there is the misplaced perception that credit risk, the possibility of a loss resulting from a borrower’s failure to repay a loan or meet their contractual obligations, is the most important of the core risks. It simply is not and pales in comparison with operational risk.
Market risk, which is caused by changes in commodities, asset prices, changes in interest rate, and foreign exchange, remain largely insignificant in the risk taxonomy and in the economic life of this country. The beast lies in operational risk, and its impact is larger than the combined force of both credit and market risks.
What matters most, and boards, C-suite and CRO ought to be closely watching over are failures in operational risk management. But, more damaging and still unclear to many is the present convergence of operational and cyber risks; that should trigger a renewed sense of urgency toward managing operational risk.
And should anyone think that the call for a renewed effort toward identifying and managing Op risk is a red herring consider this; in 2017 Kenya lost approximately Sh18 billion to cybercriminals. In 2018 cybercrime losses jumped to Sh30 billion!
Conservative estimates have it that Kenya’s organisations will lose through cyber and operational risk over Sh38 billion ($3.8B) in 2019. A majority of these losses will come from financial institutions, and will not include those at parastatal organisations and the KRA!
The concept of operational risk is truly simple, but the impact is devastating; so why do so many people, including boards, CEOs, CROs, shareholders, and stakeholders of all stripes, have such a hard time getting their heads around the phrase “operational risk” or “Op Risk” – the risk of loss from any operational failure at a company or organisation?
And even less understood and practiced is the Risk Control Self-Assessment (RCSA) – an empowering method/process by which management and staff of all levels collectively identify and evaluate risks and associated controls.
That is exactly why professionals, practitioners, investors, and other stakeholders need to get up to speed to the required standard on operational risk management. If they don’t, there’s every reason to expect other financial implosions, incomplete projects, misjudgments, and collapsed buildings and bridges will follow.
Just what is operational risk?
How do we accurately define operational risk? On its face, it sounds extremely simple: it is the risk of financial loss from any operational failure.
However, “operational failure” encompasses a dizzying array of possible events, actions, and inactions – everything from unintended execution errors, system failures and acts of nature to conscious violations of policy, law and regulation.
Of course, it includes different type of events and, a significant and embarrassing array of errors or mistakes, blunders, especially, socially awkward or improper acts or remarks or direct and indirect deeds of excessive risk-taking.
The depth and breadth of issues and “cross-silo” concerns that has led to ongoing confusion about exactly what is and isn’t an operational risk – and continuing doubts about how to identify and manage it.
To illustrate, too often operational risk has been misdiagnosed as other, relatively newer areas of recognized exposures such as those involving IT security, supply chain, collapsed buildings, pure neglect of projects and business interruptions.
Essentially, there are four factors that constitute the definition of Operational risk; internal processes, people, systems or external events that are exceptionally wide-ranging and cover virtually every element of the operations of banks and financial institutions and generally other organisations, but do not include credit, market or liquidity risks. Operational risk management methods differ from those of credit and market risk management.
The writer is founder Fincap Risk Advisors.