Booklet: Management. Section: Risk Overview.

OPERATIONAL / TRANSACTION RISK
Although management needs to be aware of all potential risks, operational
risk is the primary risk associated with information technology. Operational
risk (also referred to as transaction risk) is the risk of loss resulting
from inadequate or failed processes, people, or systems. The root cause
can be either internal or external events. Operational risk is present
across all business lines.
Operational risk may arise from fraud or error. Management’s inability
to maintain a competitive position, to manage information, or to deliver
products and services can also create and compound operational risk. Weak
operational risk management can result in substantial losses from a number
of IT threats including business disruptions or improper business practices.
An institution should properly identify, measure, monitor, and control
operational risk. Management should distinguish the operational risk component
from other risks to enable a stronger focus on operational risk mitigation.
The board should ensure a program exists to manage and monitor this risk.
The program should address the institution’s tolerance for risk,
the effectiveness of internal controls, management’s accountability
with regard to risk mitigation, and the processes needed to manage IT effectively.
Operational risk includes not only back office operations and transaction
processing, but also areas such as customer service, systems development
and support, internal controls and processes, and capacity planning. Operational
risk from IT also affects credit, compliance, strategic, reputation, and
market risks. Management should be aware of the implications of operational
risk including:
- Liquidity, interest, and price risks – Credit and market risks can materialize from external changes in markets, industries, or specific customers. Internal controls that rely heavily on the availability and performance of technology create additional operational risk exposure. For example, a failure to properly implement changes to underwriting, account management, or collection systems can lead to significant losses, and higher loan servicing and collection costs.

- Reputation risk – Reputation risk stems from errors, delays, or omissions in information technology that become public knowledge or directly affect business partners, customers, and consumers, resulting in a loss of confidential information and potential customer withdrawal of funds. Two activities that can lead to reputation risk are the unauthorized disclosure of confidential customer information and the hacking/modifying of an institution’s website.

- Strategic risk – Strategic risk can stem from inaccurate information or analysis that causes management to make poor strategic decisions. For example, IT management could decide to save money by delaying an infrastructure upgrade to increase network bandwidth, which could result in a business line losing market share due to an inability to compete.

- Compliance (legal) risk – Compliance risk results from the institution’s inability to meet the regulatory and legal requirements associated with its IT products and services. Legal risk may lead to civil or criminal liability if, for example, an institution discloses confidential information or provides inaccurate or untimely consumer compliance disclosures.
IT management should have a corporate-wide view of technology. It should
maintain an active role in corporate strategic planning to align technology
with established business goals and strategies. It also should ensure
effective technology controls exist throughout the organization either
through direct oversight or by holding business lines accountable for
IT-related controls. From a control standpoint, management should assess
risks and determine how to control and mitigate the risks. Management
should continually compare its risk exposure to the value of its business
activities to determine acceptable risk levels.