With operational risk management, organisations aim for an imperforate ambit, exactitude of the numbers and providence to emblematize the contingent. Numbers often grab centre stage, manifesting as milestones, unsurpassable or financial dominance, resounding. With financial disciplines, this couldn't be more veracious; risk management is no exception.
In its quest for precision, every organisation, inevitably, commits the cardinal sins of - delimiting the unbounded, quantifying the abstruse and postulating the unknown.
For a discipline forced to cope with imperfection emanating from a source, disembodied, yet simultaneously braided within a majority of other event types, aka 'the people factor'; this can often be a tough ask.
In many ways, the 'people' facet of ORM is like directly stumbling onto the end of a book, only to find it abominable. Let's face it, there can nothing complete, accurate or predictable about people risk. The real question is how many organisations care to flip through the book, ending notwithstanding. It's like proposing a travel back in time, with a future, un-impacted by any change to the past. But, why wouldn't you just enjoy the ride?
Of those people risks internal to the organisation, quite a few (frauds, rogue trading), albeit not all (who are we kidding here), can be negated through an appropriate combo of system and process controls, properly implemented. Such incidents having surfaced even in the recent past, is a knock-out punch for the 'compliance' paradigm of risk
On the causes of people risk itself - Churn, though afflictive, is a lesser cause of concern for organisations, as against an apathetic workforce. Holding onto that thought, let's ponder the below...
Risk culture can shape risk awareness of the employees and resultantly, the risk profile of the organisation. While, risk culture and awareness are all permeating, arguably the former flows top-down, while the latter is bottom-heavy; either which way, agreeably people-driven, people-communicated, people-actioned structures in any facet of risk management.
Whilst every organisation might have an ethically sounding and perceivably fair set of policies, whether actualized or adopted, its adherence to, and every day actions set the management's tone towards risk culture. And when I say, management, I also mean the senior and middle management, as they often communicate the tone at the top.
Given the heavy reliance of risk management on decentralisation in identifying, tackling and reporting risk, or at bare minimum being cognizant of them in course of daily business, the contribution of risk culture to risk awareness cannot be emphasised enough.
Now, back to my point on the 'apathetic' workforce - This is precisely where organisations may shoot themselves in the foot by hopelessly holding on to the policies, rather than using them as guidelines. If legislations drafted by experts aren't fool proof, neither can an organisation's policies - Employees may start to drag their heels, stick to the job, and much less contribute to managing risks, whilst still being within the 'policy-defined terms of employment'.
In the current world of complexly muddled financial engineering, two remedial calls are growing louder, one for more regulatory impositions (which understandably, is going to be reactive - like Batman solving Riddler-Puzzles albeit, without the forewarnings), and the other is for organisations to be 'risk-smart' i.e. own up risk management. With the latter, agreeably, it's not like the entire organisation is contriving to profit by dodgy means. Au contraire, more often than not, it's a single employee or a team. But, hang on, accountable doesn't mean the employee concerned has a moral epiphany, infact far from it; it means the other employees are sufficiently motivated to 'rat out' (excuse the phrase) the wrongdoers!
Employees are much like a financial instrument, risk and return, all packaged in one, and as long as the organisation's handling of the living organism deters risk or enables its identification, it's all good!