Operational Risk exists in every organization. Even yours.

[Cover graphic: word cloud of terms including "fines", "loss of revenue", "loss of credibility" and "internal processes"]
How much are you willing to accept?
Everybody has operational risk.
If you have operations, then you have
operational risk. Any of the people,
processes and technologies that make up
the moving parts of a business can fail.
When it comes to operational risk, the
questions truly are how much you have and
how much you want to allow. Some large
banking institutions have even begun
quantifying and disclosing their operational
risk along with their other kinds of risk.
How much risk can I accept?
Operational Risk
At NEOS, we define operational risk as the
risk of loss that results from inadequate or
failed internal processes, people or
technology, including the risk of failure to
comply with externally imposed
requirements.
Operational Risk exists in every organization, even yours.
www.neosllc.com
Factors that should make you question your operational risk
• New products
• Product sophistication
• New distribution channels
• New markets
• New technology
• Complexity (IT-interdependencies, data structures)
• E-Commerce
• Processing speed
• Business volume
• New legislation
• Capital Markets
• Role of non-government organizations
• Globalization
• Shareholder and other stakeholder pressure
• Mergers and Acquisitions
• Reorganizations
• Staff turnover
• Cultural diversity of staff and clients
• Faster aging of know-how
• Rating agencies
• Insurance Companies
Operational risk may be found in the form of business disruptions, control failures, errors, misdeeds or external events.
We capture these forms in Risk Categories:
• Organization
• Policy and Process
• Technology
• Human
• External
Policy and Process: risks arising from weaknesses in processes such as settlement and payment, non-compliance with
internal policies or external regulations, failures in products or client
dealings in IT security.
A former employee of a well-known bank stole federal tax refund checks totaling
$95,000 and deposited the money in a dormant checking account. They admitted
that they used their position at the bank to access a dormant checking account to
deposit Treasury checks and then withdraw the funds using an ATM card made out
to the person whose name appeared on the account. - Policy and Process
Organization: risks arising from such issues as change
management, project management, corporate culture and communication,
responsibilities, allocation and business continuity planning.
Technology: risks arising from defective
hard- or software, failures in other technology such as
networks or telecommunications, as well as breaches in IT
security.
A large international apparel company experienced a data breach that exposed the
personal information and credit / debit card numbers of their customers. A group
of hackers took advantage of a weak data encryption system and stole credit card
data during a wireless transfer between two department stores. - Technology
External: risks arising from fraud or litigation by parties
external to the firm, as well as lack of physical security for the
institution and its representatives.
Human: risks arising from failure of employees,
employer, and conflict of interest or from other internal
fraudulent behavior.
A well-known audit and accounting service provider had an individual employee
who “placed their own interests ahead of that of the public and compromised their
own objectivity,” by intentionally giving inaccurate advice to a client, leading to
fines and a tarnished reputation. - Human
So, how much risk are you
willing to accept?
We can’t give you that answer, but we can provide
you with the information to make a decision.
There is no single level of acceptable risk that
applies across the board. The levels of acceptable
risk vary drastically based on industry, department,
company size, and profit as they all play a large role
in the amount of risk and the severity of the
consequences. Each individual organization needs
to clearly define the level of risk they are willing to
accept.
Knowing the level of risk your
company holds allows you to make
informed decisions on how to
mitigate and which areas to address or
accept. However, some operational
risks come with less quantifiable
factors such as potential harm to
your reputation or ethical standards.
So the question of how much risk you are willing to accept
falls on management. The choice should be made with as
much information as possible so consequences can be
measured against cost.
Let us help. It’s in our DNA.
We approach your operational risk solution by
looking at your organization’s people, processes,
and technologies. Operational risk assessments
leverage our proven Rationalize-Orchestrate-Evolve
model, incorporating elements of process and
organization analysis, project evaluation, and
technology scoring.
This blending of NEOS thought leadership presents
a unique, client-centric approach to identifying
areas of operational risk and recommending
specific, achievable actions for remediating it.
“Each link of your organization needs to be
strong and working cohesively.”
Rationalize
[Figure: sample process flow with the steps "Receive request for Fund Switch", the decision "Received via phone?" (Yes / No), "Security check" and "Process Fund Switch"]
Working with your organization's subject
matter experts, NEOS will utilize its
Discovery, Current State Analysis, Gap
Analysis (DCG) to review existing business
processes (either documented process flows
or other materials), organization and controls
to identify the risks, controls, and
observations for recommendations.
7-9 weeks to assess the current state
By taking a magnifying glass through all
aspects of an organization we are able to
provide multiple sets of recommendations
from quick hit opportunities to long term
projects.
Orchestrate
A deeper dive into the processes, organization,
compliance, controls, technologies, and
governance will aid in the diagnosis of risk
areas. This is where we are able to define root
causes and recommend longer-term solutions.
The findings from this process are socialized with
a core team which includes client and NEOS
members in order to help further define the solution path.
Action items to address the opportunities that
were identified as weaknesses and/or gaps are developed in this phase, including:
• Outlines of potential initiatives that can be
addressed over a period of time.
• Quick hits outlined and defined. These are
intended to allow rapid realization of positive
progress.
8-12 weeks to orchestrate recommendations
Evolve
By now outstanding risks have been identified,
and their resolution has been planned in detail.
The Evolve phase is an accelerated delivery of
those resolutions. Because risks hide in so many
places and take so many forms, NEOS’
solutions will take different forms as well. We
find that our solutions typically include these
project types:
• Training
• Technology enhancements
• Procedures
• Role and responsibility adjustments
• Changes in process
• Organizational changes
We evolve each of these solutions and adopt a
standard methodology of Design-Develop-Pilot-Roll Out. This methodology repeats for each
solution and can occur concurrently or in
sequence, depending on available resources and
interdependencies.
Why NEOS?
NEOS’ expertise on operational risk is
rooted in deep business and process
analysis experience. NEOS has completed
process analysis and design work for
clients in industries ranging from our home
turf of insurance and financial services, all
the way to the logistics and transportation
industries.
Having experience working on the business
processes of a variety of clients allows us to
offer insight into how and when operational
risks are threatening to break those
processes down.
Our Approach
Industry Experience
Practical Solutions
We see business processes as assets. When
operational risk threatens them, we understand which
mitigation strategies to employ.
About NEOS
NEOS is a management consulting and
technology services firm specializing in
financial services, insurance and information
media industries. Our employees come from
these industries; they understand the problem
space, allowing them to provide practical
solutions.
For more information, please visit us at
www.neosllc.com
Copyright 2013 NEOS LLC. All rights reserved.