Operational Risk


FACULTY OF SOCIAL SCIENCES

ESH 136 QUALITY MANAGEMENT SYSTEMS


GROUP FOUR PRESENTATION ESH 136
QUALITY MANAGEMENT SYSTEMS

NAME AND SURNAME            REGISTRATION NUMBER
MCDONALD PAGUWA A           R232146Q
MUTSAWASHE MWANDIAMBIRA     R232185V
BRIAN NCUBE                 R229491N
TENDAISHE CHIMEDZA          R233634X
SHARON MACHIVA R            R233483M
ANITA CHIMALA               R235187R
GARIKAYI MAWERE M           R231350Y
RACHEL MAMHUTE              R233918T
SHAMISO MAKANDE             R234700M
MELINDA CHAGURIKA           R233162A

QUESTION

1. Operational Risk Management and 5 Pillars of Operational Risks

Introduction

What is Operational Risk?

• Risk is “the effect of uncertainty on objectives” as defined by the International Organization for Standardization (ISO 31000). It is typically expressed as an estimate of the probability and severity of consequence of uncertain future events.
• Operational risk refers to the potential for loss or harm resulting from inadequate or failed internal processes, systems, or external events in the workplace.
• It is a type of business risk that arises from the day-to-day activities and operations of the business.
• According to the Basel Committee on Banking Supervision (2011), it is one of the key components of business management and can pose a significant threat to an organization’s financial stability and its ability to achieve its objectives.
• Risk is characterized by different types. These are:
• Identified risk - Risk that has been determined to exist. Simply stated, identified risk is the risk that we recognize as existing that could reduce the likelihood of achieving our objective.
• Unidentified risk - Risk that has not been identified but has some effect on the likelihood of achieving our objective. Some risks are not identifiable or measurable, but they are no less important.
• Total risk - Total risk is the combination of both identified and unidentified risk. Ideally, identified risk will comprise a much larger proportion.
• Residual risk - The portion of the total risk that remains after mitigation measures have been employed. Residual risk comprises acceptable and unidentified risk.
• Acceptable risk - These are the risks that are acceptable in order to meet objectives. Acceptable risk includes the residual and unidentified risks determined to be acceptable based on the importance of meeting the organization’s objectives.
• Unacceptable risk - The portion of identified risk that cannot be tolerated, which is viewed as seriously detrimental to the attaining of the organization’s objectives and must be either controlled or avoided.
• Probability - The likelihood or chance of an event occurring.
• Severity - The magnitude of impacts or consequences stemming from an event.
• Consequence - Both terms are used interchangeably. Both refer to the impact that a hazard could have on the objective.
Operational Risks

[Pictures showing examples of day-to-day business activities that pose operational risks]

Operational risks

• Operational risk is one of the major risk categories that organizations face, alongside credit risk, market risk, and liquidity risk.
• Operational risks occur in any organization, including financial institutions, health care providers, and manufacturing companies like Delta Beverages Company.
• Operational risks arise from internal and external factors that can cause disruptions or disturbances to the smooth flow of an organization’s processes, resulting in significant losses.
• Operational risks exclude risks which result in losses from poor business decisions. They will generally stem from weak management, from outsourcing non-strategic activities, or from external factors.
• There are a few different categories of operational risks that are commonly used to help organizations identify and manage their risks.
• The first category is internal operations, which include factors such as employee errors, process failures, and business management mistakes that occur within the business entity itself.
• The second category is external factors that are induced by external parties and pose a serious risk to the business organization, such as natural disasters, cyber attacks, and political events.
• The third category is strategic risks, which are related to the organization’s strategy and vision.
• 1st Internal Operations
• This category includes all the risks that are related to an organization’s day-to-day activities. One common risk in this category is human error, which is the risk of unintended human mistakes made by employees. This can include things like data entry errors, communication errors, and decision-making errors. Another common risk is process failure, which is the risk of a process breaking down or not working as intended. And finally, management mistakes are the risk of poor leadership or decision-making by management.
• Major construction projects (digging tunnels, mineral extraction, raising bridges, building skyscrapers) all need careful planning, not just to support efficient operations but to minimize avoidable delays from operational risk events. Large companies involved with manufacturing, technology, telecommunications, and media services will all have operational risk management departments.
• 2nd External Operations
• This category includes all the risks that are related to events outside of an organization’s control. One common risk is natural disasters, which can include natural occurrences such as floods, earthquakes, and hurricanes. These events can damage property and disrupt operations, leading to financial losses to an organization.
• Another risk is cyber attacks, which are attacks on computer systems that can cause data breaches and other security problems.
• And finally there is political risk, which is the risk of political events such as demonstrations disrupting normal business operations.
• 3rd Strategic risk
• This includes all the risks that are related to an organization’s long-term strategy and vision.
• One example of this is industry disruptions, which is the risk of newly emerging technologies or market changes disrupting an organization’s business model. Another example is competitive risk, which is the risk of losing market share to competitors.
• Finally, there is regulatory risk, which is the risk of new regulations or changes in the legal environment affecting an organization’s operations.
• As companies grow, innovate and embrace digitalization over time, they must set up agile practices in the management of their operational risk.
• This includes the effectiveness and efficiency of their control environment to facilitate informed decision making, achieve strategic goals and meet the rising expectations of both internal and external stakeholders, such as regulators, investors and consumers.
• The Operational Risk Process is articulated over five pillars:
• Risk appetite
• Risk identification
• Risk mitigation
• Risk monitoring
• To assess operational risks in an organization, the following points can be considered:
• 1st Risk Management Framework: Evaluate the effectiveness of the organization’s risk management framework, including its policies, procedures, and practices for identifying, assessing, and mitigating operational risks.
• 2nd Business Processes: Assess the organization’s key operational processes and identify potential weaknesses or vulnerabilities that could lead to operational disruptions or financial loss.
• 3rd Internal Controls: Evaluate the adequacy and effectiveness of the organization’s internal controls, including segregation of duties, authorization processes, and monitoring mechanisms to prevent and detect operational risks.
• 4th Human Resources: Review the organization’s human resource management practices, including employee training, competence assessments, and performance management, to ensure employees are equipped to manage operational risks.
• 5th Information Systems: Assess the organization’s information systems and technology infrastructure, including data security measures, backup and recovery processes, and business continuity plans, to identify potential operational risks related to system failures, cyber threats, or data breaches.
• 6th Outsourcing and Vendor Management: Evaluate the organization’s outsourcing practices and vendor management processes to identify operational risks arising from reliance on third-party providers.
• 7th Legal and Regulatory Compliance: Assess the organization’s compliance with applicable laws, regulations, and industry standards to identify potential operational risks associated with non-compliance or legal disputes.
• 8th Incident Management: Review the organization’s incident management processes, including reporting, investigation, and corrective action procedures, to ensure that operational risks are promptly identified and addressed.
• 9th Monitoring and Reporting: Evaluate the organization’s monitoring and reporting mechanisms for operational risks, including key risk indicators, risk appetite frameworks, and regular reporting to senior management and the board of directors.
• 10th Continuous Improvement: Assess the organization’s practices for learning from past operational incidents and near-misses, including post-incident reviews, lessons learned and continuous improvement initiatives.
Operational Risks Pillars

• The pillars of operational risks refer to the key areas that organizations consider when managing operational risks.
• Each pillar plays a crucial role in establishing an effective operational risk management framework within an organization. These pillars are:
• 1. Risk Identification
• 2. Risk Assessment
• 3. Risk Mitigation
• 4. Risk Monitoring

1. Risk Identification

• Risk identification is a key pillar in managing operational risks. It involves identifying potential risks that can impact an organization’s operations, processes, systems, and objectives. The purpose of risk identification is to proactively identify and anticipate risks before they occur, allowing organizations to develop strategies for prevention, mitigation or response.
• The process of risk identification typically involves several steps. First, it’s important to gather information about the organization’s operations, processes, and systems. This can be done through conducting interviews, reviewing documentation, and analyzing data. By understanding the organization’s activities, it becomes easier to identify risks that may arise.
• Once the information is gathered, the next step is to identify potential risks. This can be done through various techniques such as brainstorming, conducting risk assessments, and using historical data or industry benchmarks. It’s important to consider both internal and external factors that can contribute to risks.
• During the risk identification process, it’s crucial to consider various categories of risks that can affect operational activities. These can include human-related risks (e.g. human behavior), process-related risks, technological risks and external risks.
• Once the risks are identified, organizations can prioritize them based on their potential impact and likelihood of occurrence. This allows them to allocate resources effectively and implement risk management strategies. It’s important to regularly review and update the risk identification process to ensure it remains relevant and up to date with evolving risks.
• Overall, risk identification is a critical step in managing operational risks, as it helps organizations understand the potential risks they face and take proactive measures to prevent or mitigate them.

2. Risk Assessment and Measurement

• Risk assessment and measurement is another crucial pillar in managing operational risks. It involves evaluating the identified risks in terms of their potential impact and likelihood, as well as assessing the effectiveness of existing controls and mitigation strategies.
• The process of risk assessment begins by assigning a level of severity or potential impact to each identified risk. This can be done by considering factors such as financial loss, reputation damage, regulatory non-compliance, and operational disruptions. The likelihood of each risk occurring is also assessed, taking into account historical data, industry trends, and expert judgment.
• To measure and quantify the risks, various techniques can be used, such as numerical scales, risk matrices or qualitative assessments. By assigning values or scores to risks, organizations can prioritize and compare them based on their level of significance.
• Once risks are assessed and measured, organizations can determine the appropriate risk response strategies. These strategies may include risk avoidance, risk mitigation, risk transfer, or risk acceptance. The goal is to select the most effective and efficient approach to manage each identified risk.
• Risk assessment and measurement also involves evaluating the effectiveness of existing controls and mitigation measures. This entails reviewing the adequacy and efficiency of current risk management practices in mitigating or preventing risks. This can be done through control testing, internal audits, or third-party assessments.
• Regular monitoring and reassessment of risks are essential in the risk assessment and measurement process. Operational risks are dynamic, and new risks may emerge or evolve over time. Therefore, organizations need to continuously review and update their risk assessments to ensure they remain relevant and aligned with changing circumstances.
• Ultimately, risk assessment and measurement enable organizations to make informed decisions regarding the allocation of resources, the implementation of control measures, and the development of risk mitigation strategies. By thoroughly evaluating and measuring risks, organizations can improve their ability to anticipate, prevent, and respond to operational risks effectively.

3. Risk Mitigation and Control

• Risk management is a critical pillar of managing operational risks. It involves taking proactive measures to reduce the likelihood or impact of identified risks. The goal of risk mitigation is to minimize the potential harm and financial losses associated with operational risks.
• There are several approaches to risk mitigation that organizations can employ:
• 1st Risk Avoidance: This strategy involves eliminating or avoiding activities that pose significant risks. For example, if a particular process or business activity has a high potential for negative consequences, the organization may choose to discontinue or reduce its involvement in that activity.
• 2nd Risk Reduction: Risk reduction focuses on implementing measures to decrease the likelihood or severity of risks. This can include implementing controls, procedures, or safeguards to minimize vulnerabilities and enhance security, for instance implementing fire safety protocols, IT security measures, or backup systems in case of equipment failure.
• 3rd Risk Transfer - Risk transfer involves shifting the responsibility for managing risks to another party. This can be done through insurance policies, contracts, or outsourcing arrangements. By transferring risks to external entities, organizations can alleviate some of the financial burden and increase their ability to respond to incidents.
• 4th Risk Acceptance - In certain cases, organizations may choose to accept the risks associated with certain activities or situations. This strategy is often employed when the cost of mitigation measures exceeds the potential losses or when the risks are deemed acceptable within predefined risk tolerance levels. Risk acceptance does not mean negligence but rather a conscious decision based on informed analysis.
• Risk mitigation strategies should be tailored to the specific risks identified in the organization’s risk assessment process. It is important to regularly review and update these strategies as new risks emerge or existing risks evolve.
• Additionally, risk mitigation should be a collaborative effort involving stakeholders at all levels of the organization. By fostering a risk-aware culture and promoting proactive risk management practices, organizations can enhance their ability to mitigate operational risks effectively.
• Overall, risk mitigation is an essential component of operational risk management, enabling organizations to minimize the negative impact of risks and enhance their resilience in the face of potential disruptions.

4. Risk Monitoring

• Risk monitoring is an essential pillar of operational risk management. It involves the continuous and systematic tracking and analyzing of operational risks within the organization. This proactive approach helps identify potential risks, assess their likelihood and impact, and determine the appropriate risk mitigation measures. The process of risk monitoring includes several key steps:
• 1st Identification and categorization of risks: The first step is to identify and categorize all potential operational risks that may impact an organization’s objectives. These risks can vary from internal factors like process failures, technology glitches, or employee conduct to external factors such as regulatory changes or natural disasters.
• 2nd Risk measurement and assessment
• 3rd Monitoring and early warning systems - Monitoring the identified risks is crucial to detect any changes or emerging trends that require attention and action. By setting up monitoring systems, organizations can continuously gather and analyze data related to operational risks. This helps identify early warning signs and triggers that indicate a potential risk event or a deviation from established risk tolerance levels.
• Risk monitoring also involves implementing appropriate risk response and mitigation strategies. This can include measures such as implementing controls, improving processes, enhancing staff training, or transferring the risk through insurance policies. Continuously monitoring and reviewing the effectiveness of these risk mitigation measures is essential to ensure their ongoing adequacy.
• By establishing an effective risk monitoring system, organizations can proactively identify and address operational risks, minimizing their potential impact on business operations, reputation, and financial results. Through regular monitoring and reporting, organizations can adapt and adjust their risk management strategies to changing circumstances and emerging risks, fostering a culture of continuous improvement and resilience.

5. Risk Reporting and Communication

• Risk reporting and communication is a critical pillar of operational risk management. It involves the effective dissemination of risk-related information to key stakeholders within an organization to enable informed decision making and proactive risk management. The goal of risk reporting and communication is to ensure transparency, accountability, and a shared understanding of the organization’s risk profile. The process of risk reporting and communication includes the following key elements:
• 1st Risk identification and assessment: Before effective risk reporting can take place, it is essential to identify and assess the various operational risks faced by the organization. This involves evaluating the likelihood and potential impact of each risk. Risk assessments can be conducted through quantitative models, qualitative analysis, or a combination of both.
• 2nd Risk reporting framework - Organizations need to establish a risk reporting framework that outlines the structure, format, and frequency of risk reporting. This framework should define the roles and responsibilities of the individuals involved in the reporting process, as well as the channels through which risk information should be communicated.
• 3rd Risk dashboards and metrics: Risk reporting often involves the use of risk dashboards and key risk indicators (KRIs) to provide an easily understandable snapshot of the organization’s risk profile. These visual representations can include charts, graphs, and other visual elements that highlight the most critical risks and their current status.
• 4th Timely reporting - Risk reporting should be timely, providing relevant and up-to-date information to stakeholders. Regular reporting intervals, such as monthly, quarterly, or annual reports, should be established to ensure consistency and to monitor changes in risk levels over time. In addition to regular reporting, ad hoc reports may be necessary for significant risk events or emerging risks.
• 5th Stakeholder communication - Effective communication of risk information is crucial to ensure that it is understood and acted upon. Both formal and informal communication channels should be utilized to reach different stakeholders, such as senior management, board members, department heads, and operational staff. Clear and concise language should be used to convey complex risk concepts.
• 6th Risk culture and awareness: Risk reporting and communication also contribute to building a strong culture within the organization. By consistently communicating risk-related information, organizations can raise awareness of operational risks and promote a risk-aware mindset among employees. This can lead to more effective risk management practices throughout the entire organization.
• By prioritizing risk reporting and communication, organizations can enhance their ability to identify, assess, and respond to operational risks. It facilitates the involvement of key stakeholders in risk management, promotes accountability, and empowers decision makers with the necessary information to make informed choices.
