6 steps to better operational risk management

‘Business risk’ can arise out of the plans you develop and the strategic decisions you make for your business. ‘Operational risk’ is linked to how those plans are put into practice and the events that can occur that may prevent you from meeting your objectives.

So in simple terms, operational risk covers anything that hinders your business from operating in the way it should. When important equipment breaks down, when your staff make mistakes, when your IT infrastructure is breached, when third parties fail to deliver what they promise: each of these is an example of operational risk.

Here are six steps to managing and minimising these risks with a view to keeping your business running smoothly…

Identification and assessment: get key members of staff involved

Operational risk management is heavily concerned with what’s happening on the ground in your business. Let’s say you are considering offering a new service to clients. Your operational risk assessment concerning this proposed new move should help tell you whether it’s feasible to deliver this new service in a way that meets your business objectives. Is it going to leave your staff snowed under? Are they still going to be able to meet their commitments to existing clients? Will your IT system be able to cope?

Effective operational risk assessment should prevent you from making false assumptions about what’s possible - and what needs to be done to make it possible. For this, it’s essential to liaise closely with line managers for a clear picture on what’s happening in ‘real life’.

Invest in reliable infrastructure and equipment

Many operational risks are linked to business continuity: i.e. preventing and making sure steps are in place to deal with possible interruptions to important business functions.

Business continuity should be at the forefront of your mind when making buying decisions. In areas such as business critical software platforms, data storage, as well as more basic services such as electricity and telecoms providers, focus closely on uptime records when researching possible suppliers.

Draw up robust office policies and a comprehensive office manual

The Business Continuity Institute’s 2016 ‘Horizons Scan’ Report demonstrates that the possibility of cyber attack and data breach are the two most significant perceived risks to business. In each of these areas (and many others), human error is often a significant component.

Operational risks can be minimised by making sure that staff are fully aware of what’s expected of them. On data security, for instance, your office manual should include a clear IT usage policy, including matters such as what can and cannot be downloaded onto office IT equipment, what constitutes a ‘suspicious’ communication and what to do if one arrives.

A clear disciplinary procedure should set out the consequences of rules breaches.

Take staff inductions and continuing professional development seriously

Do you expect new starters to ‘hit the ground running’ and automatically slot into your organisation? It’s worth investing time at the beginning to provide new staff with a thorough induction to minimise the risk of a series of errors further down the line. Remember that even for a new starter with plenty of experience, it may take some adjustment to get used to your way of doing things.

For professionals, keeping up with your CPD requirements (e.g. regular update courses on best practice) is a useful way of ensuring the way you operate does not fall foul of any changes to the law that you might otherwise miss.

Working with third parties: exercise due diligence

You may pride yourself on running a tight ship from an operational point of view. But if you outsource part of your work, are third parties following the same level of standards? When you consider potential third parties to outsource work to, it’s natural to focus squarely on whether they will be able to deliver on brief and on time. At the same time, it’s important to scrutinise how the work will be conducted - including, for instance, adherence to data security standards.

Put contingency plans in place

Operational risks cannot be eliminated completely. Your contingency plans are a reflection of this, and the preparation that goes into them can determine your organisation’s ability to ‘bounce back’ from a risk becoming a reality.

In simple terms it involves asking, “If X happens, what is our response?”. In areas that touch upon health and safety and security, for instance, it involves following a clear protocol that all members of staff should be familiar with. Where business has been interrupted, it could mean using a pre-identified temporary fix (such as a backup server for IT) until such time as the problem has been addressed.

Are you adequately protected against the risks associated with human error? To operate with confidence and with the right level of protection behind you, speak to Bluefin’s professional indemnity insurance team.


Any views or opinions expressed in this briefing are for guidance only and are not intended as a substitute for appropriate professional guidance. We have taken all reasonable steps to ensure the information contained herein is accurate at the time of writing but it should not be regarded as a complete or authoritative statement of law.