Date posted: 07/09/2022

Doing the right things and doing things right


In brief

  • Operational disruptions can have wide-reaching financial and non-financial effects
  • KPMG share their top 8 tips for understanding and managing operational risks
  • Risk assessments are fundamental to supporting business strategic objectives

As operational environments increase in complexity, so do the risks of major operational disruptions. We spoke to KPMG New Zealand about how organisations can effectively understand and manage operational risks.

Over the past decade, organisations have experienced a surge in the complexity of their operating environments. They’re using far more advanced technology, outsourcing business processes that were previously internal, and mitigating complicated risks such as the impact of climate change. While these advancements have many positive aspects, they are also exposing organisations to higher risks of operational disruptions than we’ve ever seen before.

Operational disruptions can be as minor as a short-term system outage, or as major as an international cyber attack compromising the data of millions of customers. 

Earlier in 2022, a large multinational software company experienced a major operational disruption after a failed software update caused a half-day outage for tens of thousands of users around the globe. Banks have faced crises where internet banking and ATMs were unavailable for millions of customers.

No organisation can afford to overlook or underestimate operational risks. But how do you know if you’re leaving yourself vulnerable? We asked the risk experts at KPMG New Zealand.

Legacy systems and a lack of accountability

Stephen McDaid, Director of Risk Consulting at KPMG New Zealand, sees many organisations using legacy technology systems that are increasing their risk of operational disruptions.

"We see systems that are disparate rather than integrated, often multiple versions behind the latest vendor supported version," he said. "And increasingly, fewer and fewer people within organisations who understand the system configuration. The systems become very difficult to fix as new regulations come in and processes need to change."


Stephen McDaid, Director of Risk Consulting, and Alex Economou, Associate Director of Risk Consulting, KPMG New Zealand

This lack of understanding has become more obvious over recent years as organisations adopt new technology, such as straight-through processing, to meet customer expectations.

"Complexity within the operating environment has outstripped institutional understanding in some situations," Stephen said. "That complexity, in the absence of a really strong end-to-end understanding about how products and services are delivered, can also lead to operational disruption."

Alex Economou, Associate Director of Risk Consulting at KPMG New Zealand, added that accountability within organisations is often not well understood or documented. 

"This makes the decision-making process far more difficult," she said. "When you have disruptions, or people need to rely on manual processes, and people have to react quickly, it becomes a lot harder to understand who's accountable for what and who changes what." 


Effects of operational disruptions

Operational disruptions are far more than an inconvenience, and the impact on customers can be significant. They can also have wide-reaching financial effects, such as substantial remediation costs for customers. However, it’s often the non-financial effects that are the most damaging. We saw this recently with the Australian Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, which caused considerable reputational damage to the industry.

Reputational damage can be isolated to single organisations as well. 

"Fines can impact an organisation both financially and reputationally," Alex said. "Being named and shamed can have a massive effect on how an organisation does business and the cost of business going forward."

Understanding and managing key risks

While operational risk may seem daunting to some, Alex stressed that it’s largely common sense. It’s about doing the right things, and doing things right. 

She shared her top eight tips for understanding and managing operational risks:

  1. Have a thorough understanding of your products, services and environment from end to end. This will provide you with much greater insight and oversight of your key risks.
  2. Keep up to date with your risk peers so you can stay across what’s happening in different areas and different industries. Risk forums such as the RMA Australia Interbank Risk Forum are a great way to do this.
  3. Pay attention to what regulators are focusing on and what they expect from organisations.
  4. Take responsibility for risks at a business unit level rather than assigning all the responsibility to risk teams. Assigning accountability to the people who are operating the processes greatly increases risk awareness and promotes good risk behaviour.
  5. Clearly document roles and responsibilities, for example operators vs owners vs testers. This ensures that nothing is overlooked.
  6. Bring risk-related management insights and data-driven reporting to the right business unit forums so they can be used to inform strategic and operational decisions.
  7. Build good relationships with your stakeholders so it’s easier to communicate and challenge operational risks that aren’t being managed effectively.
  8. Stand your ground if you think something is wrong. Sometimes you have to call things out when they don't feel right.

The future of risk

Stephen and Alex feel there has been an evolution and maturing in the attitudes towards operational risk over the last five years. Part of the reason behind this is a strong push by regulators to improve organisations’ operational resilience. One example is APRA's current consultation process for a new operational risk and resilience standard (CPS 230).

Stephen explained that risk is starting to become more ingrained in organisations’ culture and behaviour.

"It's now certainly a much more valued part of the business," he said. "Five years ago, a key risk assessment may have been thought of as a tick box exercise. Now, business leaders see it as fundamental to supporting their strategic objectives."
