Operational Risk Management: A Complete Guide to a Successful Operational Risk Framework by Philippa X. Girling


Case Studies

In this chapter, we dig deeper into four case studies: JPMorgan Whale, UBS Unauthorized Trading, Knight Capital Technology Glitch, and Standard Chartered Anti–Money Laundering Scandal.

JPMORGAN WHALE: RISKY OR FRISKY?

Are large losses at banks always a sign of poor governance, or are they sometimes merely the realization of losses that were expected, and even planned for, in the well-governed risk management of the firm? In May 2012, JPMorgan announced that it had lost $2 billion (possibly much more) on a hedging strategy driven by Bruno Michel Iksil, aka “the London Whale,” in its chief investment office. Was this poor governance, or were these losses predictable under JPMorgan's risk management practices? Was this acceptable risky behavior, or was it frisky misbehavior?

You can't win the game all of the time, and for every winner, there is a loser somewhere in the financial system. For each loss event that happens, we should ask the same question: Were these losses within the boundaries of the bank's known risk, or were they out of control?

We have all heard the worn-out caveat “investments may go down as well as up,” and we all know that the banking industry sometimes makes money on its risk-taking activities and sometimes loses it on those same activities. So why all the noise in the press about these JPMorgan losses?

  • “London Whale Harpooned” 1
  • “JPMorgan's ‘Whale' Causes a Splash” 2
  • “Beached London Whale” 3

Anything over a billion dollars ...


The future of operational-risk management in financial services

New forces are creating new demands for operational-risk management in financial services. Breakthrough technology, increased data availability, and new business models and value chains are transforming the ways banks serve customers, interact with third parties, and operate internally. Operational risk must keep up with this dynamic environment, including the evolving risk landscape.

Legacy processes and controls have to be updated to begin with, but banks can also look upon the imperative to change as an improvement opportunity. The adoption of new technologies and the use of new data can improve operational-risk management itself. Within reach is more targeted risk management, undertaken with greater efficiency, and truly integrated with business decision making.

The advantages for financial-services firms that manage to do this are significant. Already, efforts to address the new challenges are bringing measurable bottom-line impact. For example, one global bank tackled unacceptable false-positive rates in anti–money laundering (AML) detection—which were as high as 96 percent. Using machine learning to identify crucial data flaws, the bank made necessary data-quality improvements and thereby quickly eliminated an estimated 35,000 investigative hours. A North American bank assessed conduct-risk exposures in its retail sales force. Using advanced-analytics models to monitor behavioral patterns among 20,000 employees, the bank identified unwanted anomalies before they became serious problems. The cases for change are in fact diverse and compelling, but transformations can present formidable challenges for functions and their institutions.

The current state

Operational risk is a relatively young field: it became an independent discipline only in the past 20 years. While banks have been aware of risks associated with operations or employee activities for a long while, the Basel Committee on Banking Supervision (BCBS), in a series of papers published between 1999 and 2001, elevated operational risk to a distinct and controllable risk category requiring its own tools and organization. 1 In the first decade of building operational-risk-management capabilities, banks focused on governance, putting in place foundational elements such as loss-event reporting and risk-control self-assessments (RCSAs) and developing operational-risk capital models. The financial crisis precipitated a wave of regulatory fines and enforcement actions on misselling, questionable mortgage-foreclosure practices, financial crimes, London Inter-bank Offered Rate (LIBOR) fixing, and foreign-exchange misconduct. As these events worked their way through the banking system, they highlighted weaknesses of earlier risk practices. Institutions responded by making significant investments in operational-risk capabilities. They developed risk taxonomies beyond the BCBS categories, put in place new risk-identification and risk-assessment processes, and created extensive controls and control-testing processes. While the industry succeeded in reducing industry-wide regulatory fines, losses from operational risk have remained elevated (Exhibit 1).

1 The standard Basel Committee on Banking Supervision definition of operational (or nonfinancial) risk is “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” See Basel Committee on Banking Supervision, Working paper on the regulatory treatment of operational risk, Bank for International Settlements, September 2001, bis.org.

Intrinsic difficulties

While banks have made good progress, managing operational risk remains intrinsically difficult, for a number of reasons. First, compared with financial risk such as credit or market risk, operational risk is more complex, involving dozens of diverse risk types. Second, operational-risk management requires oversight and transparency of almost all organizational processes and business activities. Third, the distinguishing definitions of the roles of the operational-risk function and other oversight groups—especially compliance, financial crime, cyberrisk, and IT risk—have been fluid. Finally, until recently, operational risk was less easily measured and managed through data and recognized limits than financial risk.

This last constraint has been lifted in recent years: granular data and measurement on operational processes, employee activity, customer feedback, and other sources of insight are now widely available. Measurement remains difficult, and risk teams still face challenges in bringing together diverse sources of data. Nonetheless, data availability and the potential applications of analytics have created an opportunity to transform operational-risk detection, moving from qualitative, manual controls to data-driven, real-time monitoring.

As for the other challenges, they have, if anything, steepened. Operational complexity has increased. The number and diversity of operational-risk types have grown as important specialized-risk categories become more defined, including unauthorized trading, third-party risk, fraud, questionable sales practices, misconduct, new-product risk, cyberrisk, and operational resilience.

At the same time, digitization and automation have been changing the nature of work, reducing traditional human errors but creating new change-management risks; fintech partnerships create cyberrisks and produce new single points of failure; the application of machine learning and artificial intelligence (AI) raises issues of decision bias and ethical use of customer data. Finally, the lines between the operational-risk-management function and other second-line groups, such as compliance, continue to shift. Banks have invested in harmonizing risk taxonomies and assessments, but most recognize that significant overlap remains. This creates frustration among business units and frontline partners.

Taken together, these factors explain why operational-risk management remains intrinsically difficult and why the effectiveness of the discipline—as measured by consumer complaints, for example—has been disappointing (Exhibit 2).

Looking ahead

Against these challenges, risk practitioners are seeking to develop better tools, frameworks, and talent. Leading companies are discarding the “rearview mirror” approach, defined by thousands of qualitative controls. For effective operational-risk management, suitable to the new environment, these organizations are refocusing the front line on business resiliency and critical vulnerabilities. They are adopting data-driven risk measurement and shifting detection tools from subjective control assessments to real-time monitoring.

The objective is for operational-risk management to become a valuable partner to the business. Banks need to take specific actions to move the function from reporting and aggregation of first-line controls to providing expertise and thought partnership. The areas where the function will help execute business strategy include operational strengths and vulnerabilities, new-product design, and infrastructure enhancements, as well as other areas that allow the enterprise to operate effectively and prevent undue large-scale risk issues.

Defining next-generation operational-risk management

The operational-risk discipline needs to evolve in four areas: 1) the mandate needs to expand to include second-line oversight, to support operational excellence and business-process resiliency; 2) analytics-driven issue detection and real-time risk reporting have to replace manual risk assessments; 3) talent needs to be realigned as digitization progresses and data and analytics are rolled out: banks will need specialists to manage specific risk types such as cyberrisk, fraud, and conduct risk; and 4) human-factor risks will have to be monitored and assessed—including those that relate to misconduct (such as sexual harassment) and to diversity and inclusion.

The evolution includes the shift to real-time detection and action. This will involve the adoption of more agile ways of working, with greater use of cross-disciplinary teams that can respond quickly to arising issues, near misses, and emerging risks or threats to resilience.

1. Develop second-line oversight to ensure operational excellence and business-process resiliency

The original role of operational-risk management was focused on detecting and reporting nonfinancial risks, such as regulatory, third-party, and process risk. We believe that this mandate should expand so that the second line is an effective partner to the first line, playing a challenge role to support the fundamental resiliency of the operating model and processes. A breakdown in processes is at the core of many nonfinancial risks today, including negative regulatory outcomes, such as missing disclosures, customer and client disruption, and revenue and reputational costs. The operational-risk-management function should help chief risk officers and other senior managers answer several key questions, such as: Have we designed business processes in each area to provide consistent, positive customer outcomes? Do these processes operate well in both normal and stress conditions? Is our change-management process robust enough to prevent disruptions? Is the operating model designed to limit risk from bad actors?

Untransformed operational-risk-management functions have limited insight into the strength of operational processes or they rely on an extensive inventory of controls to ensure quality. Controls, however, are not effective in monitoring process resilience. A transaction-processing system, for example, may have reconciliation controls (such as a line of checkers) that perform well under normal conditions but cannot operate under stress. This is because the controls are fundamentally reliant on manual activities. Similarly, controls on IT infrastructure may not prevent a poorly executed platform transition from leading to large customer disruptions and reputational losses.

New frameworks and tools are therefore needed to properly evaluate the resiliency of business processes, challenge business management as appropriate, and prioritize interventions. These frameworks should support the following types of actions:

  • Map processes, risks, and controls. Map the processes, along with associated risks and controls, including overall complexity, number of handoffs involved, and automation versus reliance on manual activities (particularly when the danger is high for negative customer outcomes or regulatory mistakes). This work will ideally be done in conjunction with systemic controls embedded in the process; end-to-end process ownership minimizes handoffs and maximizes collaboration.
  • Identify supporting technology. Identify and understand the points where processes rely on technology.
  • Monitor risks and controls. Create mechanisms and metrics (such as higher-than-normal volumes) to enable the monitoring of risk levels and control effectiveness, in real time wherever possible.
  • Link resource planning to processes. Link resource planning to the emergent understanding of processes and associated needs. Be ready to scale capacity up or down according to the results of process monitoring.
  • Reinforce needed behavior. Ensure reinforcement mechanisms for personal conduct, using communications, training, performance management, and incentives.
  • Enable feedback. Establish feedback mechanisms for flagging potential issues, undertaking root-cause analysis, and updating or revising processes as needed to address the causes.
  • Establish change management. Establish systematic, ongoing change management to ensure the right talent is in place, test processes and capacity, and provide guidance, particularly for technology.

2. Transform risk detection with data and real-time analytics

In response to regulatory concerns over sales practices, most banks comprehensively assessed their sales-operating models, including sales processes, product features, incentives, frontline-management routines, and customer-complaint processes. Many of these assessments went beyond the traditional responsibilities of operational-risk management, yet they highlight the type of discipline that will become standard practice. While making advances in some areas, banks still rely on many highly subjective operational-risk detection tools, centered on self-assessment and control reviews. Such tools have been ineffective in detecting cyberrisk, fraud, aspects of conduct risk, and other critical operational-risk categories. Additionally, they miss low-frequency, high-severity events, such as misconduct among a small group of frontline employees. Finally, some traditional detection techniques, such as rules-based cyberrisk and trading alerts, have false-positive rates of more than 90 percent. Many self-assessments in the first and second line consequently require enormous amounts of manual work but still miss major issues.

Targeted analytics tools

Advanced analytics has applications in all, or nearly all, areas of operational risk. It is creating significant improvements in detecting operational risks, revealing risks more quickly, and reducing false positives. Whether in information security, data, compliance, technology and systems, process failure, or even personal security and other human-factor risks, the advanced-analytics advantage is becoming increasingly evident. Some applications are described below:

  • Anti–money laundering. Replacing rules-driven alerts with machine-learning models can reduce false positives and focus resources on cases that actually require investigation.
  • Conduct. Analytics engines can identify suspicious sales patterns, connecting the dots across sales, product usage, incentives, and customer complaints (for example, increases in nonactivated deposits, accounts sold by a retail banker, or trades triggered by a wealth-management adviser as they approach compensation breakpoints). Trade-monitoring analytics can mine trading and communication patterns for potential markers of conduct risk.
  • Cyberrisk. Machine learning can analyze sources of signals, identify emerging threats, replace existing rules-based triggers, and reduce false-positive alerts.
  • Fraud. Machine learning, including unsupervised techniques, can identify fraudulent transactions and reduce false positives; synthetic-ID-fraud analytics use external, third-party data, in accordance with all local regulation, to analyze the depth and consistency in the identity profiles of new customers.
  • Process quality and regulatory risks. Automated call surveillance using natural-language processing can monitor adherence to disclosure requirements. Systemic quality-control touchpoints can check the accuracy of decisions, disclosures, and filings against customer-provided information and regulatory rules (for example, the accuracy of a bankruptcy filing against the system of record information).
  • Third-party risk. Models can be developed that quantify the reliance on key third parties (including hidden fourth-party exposures) to drive better business-continuity planning and bring a risk-based perspective to vendor assessment and selection.

Operational-risk managers must therefore rethink their approaches to issue detection. Advances in data and analytics can help. Banks can now tap into large repositories of structured and unstructured data to identify risk issues across operational-risk categories, moving beyond reliance on self-assessments and subjective controls. These emerging detection tools might best be described in two broad categories:

  • Real-time risk indicators include real-time testing of operational processes and controls and risk metrics that identify areas operating under stress, spikes in transaction volumes, and other determinants of risk levels.
  • Targeted analytics tools can connect the data dots to detect potential risk issues (see sidebar “Targeted analytics tools”). By mining sales and customer data, banks can detect potentially unauthorized sales. Machine-learning models can detect cyberrisk levels, fraud, and potential money laundering. As long as all privacy measures are respected, institutions can use natural-language processing to analyze calls, emails, surveys, and social-media posts to identify spikes in risk topics raised by customers in real time.

Exhibit 3 shows how a risk manager using natural-language processing can identify a spike in customer complaints related to the promotion of new accounts. Looking into the underlying complaints and call records, the manager would be able to identify issues in how offers are made to customers.

A number of banks are investing in objective, real-time risk indicators to supplement or replace subjective assessments. These indicators help risk managers track general operational health, such as staffing sufficiency, processing times, and inventories. They also provide early warnings of process risks, such as inaccurate decisions or disclosures, and the results of automated exception reporting and control testing.
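Added example, not part of the article (which describes real-time risk indicators and the Exhibit 3 complaint spike only in prose): a small Python monitor that turns a constructed stream of customer complaints into per-topic daily counts and flags a spike in account-promotion complaints against a trailing baseline, so a risk manager knows which day's records to drill into. The keyword lexicon, thresholds, dates and sample complaint texts are all constructed; a real deployment would replace the keyword rule with the NLP classifier the article mentions.

```python
"""Real-time key-risk-indicator (KRI) monitor over a constructed complaint stream.

Illustrative code added to this page, not from the article or any bank's system.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed keyword lexicon: topic -> phrases that mark a complaint as that topic.
TOPIC_KEYWORDS = {
    "account_promotion": ("promotion", "signed up", "did not ask", "bonus offer", "opened without"),
    "fees": ("fee", "charge", "overdraft"),
    "service": ("wait", "rude", "hold time", "branch closed"),
}


def classify(text: str) -> str:
    """Assign a complaint to the first topic whose keyword appears, else 'other'.

    Stand-in for the natural-language-processing step the article describes.
    """
    lowered = text.lower()
    for topic, phrases in TOPIC_KEYWORDS.items():
        if any(p in lowered for p in phrases):
            return topic
    return "other"


def daily_counts(records):
    """Aggregate (day, text) records into {topic: Counter({day: count})}."""
    counts = defaultdict(Counter)
    for day, text in records:
        counts[classify(text)][day] += 1
    return counts


@dataclass(frozen=True)
class Alert:
    topic: str
    day: date
    count: int
    baseline: float
    zscore: float


def detect_spikes(counts, window=7, z_threshold=3.0, min_excess=5):
    """Flag days on which a topic's count spikes above its trailing-window baseline.

    Baseline = mean of the previous `window` days (days with no complaints count as
    zero). Requiring an absolute excess as well as a z-score keeps a topic that
    moves from 0 to 1 complaint from being flagged.
    """
    alerts = []
    all_days = sorted({d for per_day in counts.values() for d in per_day})
    if not all_days:
        return alerts
    start, end = all_days[0], all_days[-1]
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    for topic, per_day in counts.items():
        series = [per_day.get(d, 0) for d in days]
        for i in range(window, len(series)):
            hist = series[i - window:i]
            base = float(mean(hist))
            sd = pstdev(hist) or 1.0  # flat baseline: avoid division by zero
            z = (series[i] - base) / sd
            if z >= z_threshold and series[i] - base >= min_excess:
                alerts.append(Alert(topic, days[i], series[i], base, round(z, 2)))
    return alerts


def build_sample_records():
    """Constructed data: a steady trickle of complaints, then a jump in promotion complaints."""
    start = date(2024, 1, 1)  # constructed date range
    promo_plan = [2, 3, 1, 2, 3, 2, 1, 2, 3, 12]
    fee_plan = [1, 1, 2, 1, 1, 1, 2, 1, 1, 1]
    records = []
    for offset, (n_promo, n_fee) in enumerate(zip(promo_plan, fee_plan)):
        day = start + timedelta(offset)
        records += [(day, "An account was opened without my consent after a promotion call")] * n_promo
        records += [(day, "Unexpected overdraft fee on my statement")] * n_fee
    return records


def run_monitor():
    """Run the indicator over the constructed sample and return the alerts raised."""
    return detect_spikes(daily_counts(build_sample_records()))


if __name__ == "__main__":
    for a in run_monitor():
        print(f"{a.day} {a.topic}: {a.count} complaints vs baseline {a.baseline:.1f} (z={a.zscore})")
```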

Together, analytics and real-time reporting can transform operational-risk detection, enabling banks to move away from qualitative self-assessments to automated real-time risk detection and transparency. The journey is difficult—it requires that institutions overcome challenges in data aggregation and building risk analytics at scale—yet it will result in more effective and efficient risk detection.

3. Develop talent and the tools to manage specialized risk types

Examples of specialized expertise

Risk category: Cyberrisk

Expertise needed for challenge and oversight

  • Pathways to vulnerability (such as the impact of a threat like NotPetya)
  • The bank’s most valuable assets (the “crown jewels”)
  • Sources of exposure for a given organization

Talent profiles

  • Cybersecurity background
  • Senior status to engage the business and technology organizations

Risk category: Fraud

Expertise needed for challenge and oversight

  • Fraud patterns (for instance, through the dark web)
  • Technology and cybersecurity
  • Interdependencies across fraud, cybersecurity, IT, and business-product decisions

Talent profiles

  • Former senior technology managers
  • Cybersecurity professionals, ideally with an analytics background

Risk category: Conduct

Expertise needed for challenge and oversight

  • Ways employees can game the system in each business unit (for instance, retail, wealth, and capital markets)
  • Specific behavioral patterns, such as how traders could harm client interests for their own gain

Talent profiles

  • Former branch managers and frontline supervisors
  • Former traders and back-office managers
  • First-line risk managers with experience in investigating conduct issues

A range of emerging risks, all of which fall under the operational-risk umbrella, present new challenges for banks. To manage these risks—in areas such as technology, data, and financial crime—banks need specialized knowledge and tools. For example, managing fraud risk requires a deep understanding of fraud typologies, new and emerging vulnerabilities, and the effectiveness of first-line processes and controls. Similarly, oversight of conduct risks requires up-to-date knowledge about how systems can be “gamed” in each business line. In capital markets, for instance, some products are more susceptible than others to nontransparent communication, misselling, misconduct in products, and manipulation by unscrupulous employees. Operational-risk officers will need to rethink their risk organization and recruit talent to support process-centric risk management and advanced analytics. These changes in talent composition are significant and different from what most banks currently have in place (see sidebar “Examples of specialized expertise”).

With specialized talent in place, banks will then need to integrate the people and work of the operational-risk function as never before. To meet the challenge, organizations have to prepare leaders, business staff, and specialist teams to think and work in new ways. They must help them adapt to process-driven risk management and understand the potential applications of advanced analytics. The overall objective is to create an operational-risk function that embraces agile development, data exploration, and interdisciplinary teamwork.

4. Manage human-factor risks

Bank employees drive corporate performance but are also a potential source of operational risk. In recent years, conduct issues in sales and instances of LIBOR and foreign-exchange manipulation have elevated the human factor in the nonfinancial-risk universe. In the past, HR was mainly responsible for addressing conduct risk, as part of its oversight role in hiring and investigating conduct issues. As the potential for human-factor risks to inflict serious damage has become more apparent, however, banks are recognizing that this oversight must be included in the operational-risk-management function.

Developing effective risk-oversight frameworks for human-factor risks is not an easy task, as these risks are diverse and differ from many other operational-risk types. Some involve behavioral transgressions among employees; others involve the abuse of insider organizational knowledge and finding ways around static controls. These risks have more to do with culture, personal motives, and incentives, that is, than with operational processes and infrastructure. And they are hard to quantify and prioritize in organizations with many thousands of employees in dozens or even hundreds of functions.

To prioritize areas of oversight and intervention, leading operational-risk executives are taking the following steps. They first determine which groups within the organization present disproportionate human-factor risks, including misconduct, mistakes with heavy regulatory or business consequences, and internal fraud. Analyzing functions within each business unit, operational-risk leaders can then identify those that present the greatest inherent risk exposure. The next step is to prioritize the “failure modes” behind the risks, including malicious intent (traditional conduct risk), inadequate respect for rules, lack of competence or capacity, and the attrition of critical employees. The prioritized framework can be visualized in a heat map (Exhibit 4).

The heat map provides risk managers with the basis for partnering with the first line to develop a set of intervention programs tailored to each high-risk group. The effort includes monitoring, oversight, role modeling, and tone setting from the top. Additionally, training, consequence management, a modified incentive structure, and contingency planning for critical employees are indispensable tools for targeting the sources of exposure and appropriate first-line interventions.

A brighter future

Through the four-part transformation we have described, operational-risk functions can proceed to deepen their partnership with the business, joining with executives to derisk underlying processes and infrastructure. Historically, operational-risk management has focused on reporting risk issues, often in specialized forums removed from day-to-day assessment. Many organizations have thus viewed operational-risk activities as a regulatory necessity and of little business value. The function is accustomed to reacting to business priorities rather than involving itself in business decision making.

To be effective, operational-risk management needs to change these assumptions. When equipped with objective data and measurement, the function well understands the true level of risk. It is therefore in a unique position to see nonfinancial risks and vulnerabilities across the organization, and it can best prioritize areas for intervention. Together with the business lines, operational-risk management can identify and shape needed investments and initiatives. This would include efforts to digitize operations to remove manual errors, changes in the technology infrastructure, and decisions on product design and business practices. By helping the business meet its objectives while reducing risks of large-scale exposure, operational-risk management will become a creator of tangible value.

The relationship between operational-risk management and the business can also integrate operational-risk reporting and executive and board reporting—including straight-through processing rates, incidents detected, key risk indicators, and insights from complaints and customer calls.

Progress will require time, investment, and management attention, but the transformation of operational-risk management offers institutions compelling opportunities to reduce operational risk while enhancing business value, security, and resilience.

Joseba Eceiza is a partner in McKinsey’s Madrid office; Ida Kristensen and Dmitry Krivin are both partners in the New York office, where Hamid Samandari is a senior partner; and Olivia White is a partner in the San Francisco office.

Titan Grey Global Risk & Crisis Management

Boeing 737 MAX: An Operational Risk Case Study

  • Rex Chatterjee
  • October 12, 2019
  • Type: Case Study
  • Tags: aviation, internal comms, manufacturing, operational risk, regulation

Case Boeing 737 MAX

In August 2011, Boeing Commercial Airplanes, a subsidiary of Boeing, announced the launch of its new 737 MAX aircraft as the fourth generation of the 737 line. Initial deliveries of the aircraft took place in May of 2017, and the plane entered commercial service shortly thereafter. Among the first passenger carriers to run the 737 MAX commercially were Lion Air, of Indonesia, and Norwegian Air, of Norway. Within a year of its launch, 130 737 MAX aircraft were delivered to 28 Boeing customers, and in total 387 aircraft were eventually delivered.

On 29 October 2018, a Boeing 737 MAX aircraft operated by Lion Air crashed thirteen minutes after takeoff, killing all 189 aboard. The incident was widely reported by various media outlets at the time. Initial reports targeted a malfunctioning flight-control system which had to be disabled in order for the aircraft to function properly. Responding to the incident, Boeing issued guidance on its operational manual to advise airline pilots regarding procedures for handling so-called erroneous cockpit readings.

On 10 March 2019, a Boeing 737 MAX aircraft operated by Ethiopian Airlines crashed six minutes after takeoff, killing all 157 aboard. Like the Lion Air incident from the year prior, the Ethiopian Airlines crash was widely reported. Coverage reported that the incident was similar to the Lion Air incident.

Though initial investigations into the incidents could draw no official conclusions regarding Boeing’s aircraft or systems, findings pointed to Boeing’s Maneuvering Characteristics Augmentation System (“MCAS”) as the likely culprit. The system, which Boeing did not disclose in its 737 MAX pilot manual or in its supplementary directive after the Lion Air crash, was allegedly commanding the plane’s flight systems to repeatedly dive, based on erroneous systems data.

Between 11 and 16 March 2019, aviation regulators in countries across the world, including the US, Canada, China, Brazil, India, and others, issued grounding orders for all Boeing 737 MAX aircraft.

Since the grounding of the 737 MAX, investigations into the two crashes and issues with the aircraft have increasingly focused on Boeing’s deployment of MCAS as the primary culprit. Assessments and testing from a variety of sources within multiple investigations have raised issues with the way in which Boeing designed, developed and deployed MCAS, as well as its lack of training and education of pilots and crews on the system’s existence within aircraft, when it would engage, and what to do in case of its malfunction.

On 4 April 2019, Boeing publicly acknowledged that MCAS played a role in both the Lion Air and Ethiopian Airlines crashes of the 737 MAX.

On 18 October 2019, multiple news outlets reported that in 2016, prior to the safety certification and release of the 737 MAX, Boeing’s chief technical pilot for the 737 program had warned a colleague about MCAS, specifically pointing to issues unearthed in post-crash investigations. While, in the wake of the crashes, Boeing officials had maintained that MCAS was not designed to activate within the “normal flight envelope” of the 737 MAX and therefore its exclusion from the standard operating manual for the aircraft was warranted, the 2016 internal messages specifically highlighted that MCAS was erroneously engaging itself. The messages go on to indicate that, in 2016 or prior, the US Federal Aviation Administration (FAA) may have been supplied with inaccurate information regarding MCAS. Nevertheless, in 2017, the very same Boeing pilot, again communicating with the FAA, requested that all mentions of MCAS be removed from the plane’s operating manual because its operation was outside of the plane’s normal envelope. Going further, the Boeing pilot proceeded to engage in inappropriate discourse with the FAA regulator on the subject of obtaining regulatory clearances from other regulators for the 737 MAX.

Boeing turned over documents related to these communications to regulators and to Congress on 17 and 18 October 2019, allegedly months after first discovering them.

Upon receipt and review of the documents, members of Congress made public statements about what they deemed to be a pattern of troubling conduct by Boeing.

Gaps In Risk Management

Independent Escalation Channels – Boeing’s development team for the 737 MAX had knowledge of the issues with MCAS. However, it is unclear whether any reporting mechanism existed for members of the team (e.g., engineers, test pilots, etc.) to report such issues to oversight resources outside of the 737 MAX’s direct value chain (i.e., officials and/or units at Boeing whose success was not tied directly and exclusively to the marketing and sale of 737 MAX aircraft). While knowledge of the ultimately disastrous MCAS failures was present within Boeing long before the first 737 MAX was delivered to a customer, it was contained in isolated pockets, hidden from the view of senior management at the corporate level, whose success is tied to the overall health of Boeing as a company. While some concerned members of the 737 MAX development staff may have wanted to communicate their concerns upwards, and while senior management may have wished to hear those concerns, the communication channels simply did not exist. Instead of reporting concerns to a unit or personnel with proper oversight authority, engineers at Boeing were instructed to take their concerns to business unit managers, as reported by the New York Times. However, with their success tied directly to sales of the 737 MAX, business unit managers had a strong incentive to suppress the identification of safety risks and to prevent their escalation to members of senior management. In the wake of the 737 MAX situation, Boeing has indicated that it has adopted clearer escalation channels from engineers to neutral oversight personnel, including the company’s senior management.

Independent Safety Oversight – Boeing lacked an independent internal organization charged with ensuring product safety. At a firm of the size of Boeing, producing products (i.e., aircraft) which have the potential to be deadly in the event of failure, an independent unit should exist as a check on commercial business units such as development, manufacturing, marketing and sales. The success of such a unit should not depend at all on sales of products, but rather on the safety of those products at time of sale and beyond. In the wake of the 737 MAX situation, Boeing has announced the creation of such a group within the company.

Employee Communications Monitoring – It is unclear whether Boeing had a function in place to monitor employee communications. As with all public companies, however, it should. Monitoring of employee communications over company-provided systems (such as e-mail, instant messenger, SMS on company-provided phones, etc.), coupled with a general policy and enforcement program that all company business be conducted solely over those company-provided, and not personal, communication systems, is a crucial arm of risk management in an era in which employee communications are a major driver of risk. Near real-time monitoring of employee communications by a unit of Boeing’s compliance group would have alerted senior management to ground-level issues with MCAS in parallel to, and as a backstop to, internal reporting and escalation of the issue from engineering or other staff.

Regulatory Affairs Oversight – While a debate rages on as to whether the FAA has fallen victim to so-called “regulatory capture” by firms such as Boeing, it is nonetheless crucial for the successful, comprehensive management of risk that all communications by a company’s personnel with regulators be not only monitored, but centralized and streamlined through a single source, such as an internal unit overseeing regulatory affairs. In instances such as this, where the specter of impropriety looms large over conduct by Boeing employees and, possibly, the FAA, it is essential that companies are able to manage their official positions on issues facing regulators and are furthermore able to deliver consistent messaging from all personnel involved. While Boeing, in this case, may be able to blame one or more rogue actors for the impropriety with respect to certain FAA-related issues, the company would do itself no favors in the eyes of its regulators, world governments, its customers, its investors and the general public by claiming to have little power to govern the conduct of its employees. Additionally, the FAA’s approval of the 737 MAX has not served as a significant line of defense against Boeing’s liability for its aircraft’s failures, owing partly to the relationship its staff (such as the chief technical pilot) enjoyed with members of regulatory staff. The surfacing of inappropriate communications between members of Boeing and regulator staff has only stoked the fire of governmental concern over Boeing and the regulatory framework meant to govern its conduct.

Costs & Impacts

Financial – Boeing has experienced catastrophic financial losses in the wake of the evolving 737 MAX situation, having posted a company-record loss of $2.9 billion USD for Q2 2019. Its market capitalization, as of August 2019, has fallen by $62 billion USD, on the back of a 25% erosion in share price. Overall, the halt of sales and impending cancellation of orders may cost Boeing roughly $600 billion USD.

Business Position – Boeing has seen fit to postpone development of at least one critical project (the Boeing New Midsize Airplane) and is reportedly considering staff reductions as of Q3 2019. Following the grounding of the 737 MAX, Boeing has suspended all deliveries of the aircraft to customers and slowed its production schedule (the financial impacts of which are noted above).

Brand Equity – While multiple crashes and a global grounding of the 737 MAX fleet may have been sufficient to critically damage the public’s trust in Boeing, later evidence pointing out that the company knew of the issues giving rise to the crashes and buried them only further stokes the fire. Numerous polls have indicated that the public has lost its trust in the 737 MAX, and with recent evidence coming to light about Boeing’s practices, the same may well be said of public trust in Boeing itself. Serving the needs of the general public, airline customers of Boeing will face increased scrutiny and pressure over their dealings with the company, impacting Boeing’s ability to sell its products across the board.

Criminal Investigation – At the time of this writing, Boeing and certain individual employees may face criminal prosecution in connection with the 737 MAX crash incidents.

Civil Litigation – Boeing now finds itself the target of civil litigation from a variety of sources, including pilot groups seeking compensation for lost wages, crash victims’ families seeking compensation for wrongful deaths (potentially including punitive damages), and others. At the time of this writing, the total outcome of the global 737 MAX litigation is yet to be known.

Regulatory Pressure – Boeing will likely face significantly increased regulatory scrutiny across the globe, as trust in the company and its practices has been eroded by the 737 MAX crashes and their aftermath.

Key Takeaways

1. Companies must designate certain personnel or units as managers and overseers of risk, with their success directly tied to safety and effective risk mitigation instead of sales and other commercial metrics. Companies cannot rely on commercial units (e.g., sales, marketing, etc.) to manage risk. With the success or failure of these units being tied directly to the sales performance of their managed products, these units are inherently disincentivized from reporting issues which may imperil sales and are not likely to serve as effective mitigants of risk.

2. Companies must ensure clear and independent lines of communication between ground-level staff and those personnel and/or units designated to manage risk. Staff members in product development, sales, marketing and a variety of other functional groups must be able to communicate clearly and confidentially with risk managers in order to effectively relay concerns without fear of reprisals or dismissal.

3. Companies must institute policies, procedures and technological capabilities in order to be able to effectively monitor employee communications in real time or near-real time. Failure to monitor employee communications robs companies of their opportunities to manage risks borne out of the behavior of rogue actors. Assigning blame for corporate malfeasance to rogue internal actors ex post facto is not an effective strategy. Instead, companies must own the risk that their personnel may act against the best interests of the firm and effectively manage incidents as they are occurring.

4. Companies with regulatory exposure must institute policies, procedures and top-down governance over corporate communications with regulators. While in most cases a regulatory communications function serves to manage regulatory relations and minimize the risk of incurring penalties or enforcement actions, in some cases its purpose may be to detect regulatory capture and therefore ineffective regulation. While ineffective regulation may not seem, at first, to be a risk for regulated businesses, for businesses without strong regulatory affairs units it may present itself as an invitation for corporate misconduct, as evidenced above.

Companies should be proactive about risk management and conduct broad risk assessments on a regular basis. Such assessments should monitor for threats across strategic and tactical vectors. From broad-based standpoints such as ensuring clear and independent reporting lines, to granular measures such as monitoring high-risk employee communications, risk management efforts must be comprehensive. Finally, it is vital that key stakeholders up and down a company’s chain of command “buy in” to the importance of risk management and participate in the process in a transparent and cooperative manner. It is incumbent upon company leadership to ensure that a “culture of risk awareness and management” is present at all levels of the organization.

Titan Grey stands ready to assist on business risk management matters of the nature discussed in this Titan Grey Thought Leadership piece. Please inquire via e-mail to  [email protected] .


Rex Chatterjee



Operational Risk Management: A Case Study Approach to Effective Planning and Response 1st Edition


Editorial Reviews

From the Inside Flap

In the world we live in today, disasters occur on a daily basis. Could they have been prevented from occurring? If emergency response had been more effective, how much less destruction might they have caused? Will similar disasters happen again? Operational Risk Management: A Case Study Approach to Effective Planning and Response examines the safety and security of an organization's people, facilities, and assets, as well as the communities in which they are located, from exposure to natural disasters, man-made accidents, and terrorist acts that have occurred worldwide, revealing the underlying causes of these catastrophic events.

Through the use of carefully selected case studies in a variety of scenarios across many different industries and environments, both in the United States and abroad, author and industry expert Mark Abkowitz uses historical events to demonstrate how operational risk management practices―or the lack of them―influence event likelihood and outcomes across all hazard domains. Each case contains a narrative, followed by a discussion that draws conclusions as to why things went wrong, as well as what, if anything, has been done to prevent such an occurrence from happening again. These include:

Hyatt Regency Walkway Collapse

Nightmare in Bhopal

Meltdown at Chernobyl

Attack on the USS Cole

September 11 – The World Trade Center

London Transit Bombings

Eruption of Mount St. Helens

Hurricane Katrina

In reviewing painful experiences of the past, it is clear that protecting our future cannot be left to chance. Operational Risk Management: A Case Study Approach to Effective Planning and Response not only looks at the risk factors present in previous disasters but also at the valuable lessons learned. These factors and lessons are used to forge a path forward that risk managers can use to ensure that their organizations have strong safety and security plans in place–and are ready to respond when necessary.

From the Back Cover

Operational Risk Management offers peace of mind to business and government leaders who want their organizations to be ready for any contingency, no matter how extreme. This invaluable book is designed to be used as both a preparatory resource for when times are good and an emergency reference when times are bad. Author Mark Abkowitz gets managers up to speed on what they should be prepared to deal with and offers real solutions for putting those business continuity plans in place. From natural and man-made disasters to terrorist attacks, Operational Risk Management is destined to become every risk manager's ultimate weapon to help their organization survive ― no matter what.

Praise for Operational Risk Management

"Mark Abkowitz has produced an excellent and wide-ranging collection of case studies that illustrate the role that risk factors play in determining the success or failure of anything designed. In Operational Risk Management, he not only analyzes the causes of failure but also indicates how proactive risk management can lead to success. This is a very well-written and instructive book." ―Henry Petroski, Aleksandar S. Vesic Professor of Civil Engineering and Professor of History, Duke University

"As one of the nation's largest domestic marine transport companies, moving hazardous cargo daily on our nation's waterways, we relentlessly pursue risk reduction through the lessons provided by real-world experiences. Mark Abkowitz's insightful analysis of recent disasters and his identification of risk factors common to them will help anyone concerned with incident prevention and consequence mitigation." ―Dr. Craig E. Philip, President and Chief Executive Officer, Ingram Barge Company

"A wise man once said, 'The mistakes we make are a result of the history we haven't read.' History is the treasure of evidence, whether it is about the risks we face as human beings or the mysteries of the universe. This book adds to the treasure of evidence and succinctly articulates, with distinction and clarity, the factors and actions most important to managing the risks we humans face." ―B. John Garrick, PhD, PE

"Dr. Abkowitz's masterful blend of great storytelling with astute professional risk assessment provides a fabulous tool for Joe Q. Public, public policy experts, and industrial risk managers to use together to make real headway on more intelligent risk management for all of us." ―Jim Vines, Environmental, Health & Safety Specialist, King & Spalding

"Through his case studies and analysis, Mark Abkowitz identifies key factors critical to understanding how we move towards more resilient communities. His focus on a more inclusive, all-hazards approach begins to point the way. A very useful collection indeed." ―Michael T. Lesnick, PhD, cofounder and Senior Partner, Meridian Institute

About the Author

Excerpt (Operational Risk Management, John Wiley & Sons, Chapter One; reprinted by permission, all rights reserved)

Excerpted from Operational Risk Management by Mark D. Abkowitz Copyright © 2008 by Mark D. Abkowitz . Excerpted by permission. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher. Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Product details

  • ASIN: 0470256982
  • Publisher: Wiley; 1st edition (April 4, 2008)
  • Language: English
  • Hardcover: 288 pages
  • ISBN-10: 9780470256985
  • ISBN-13: 978-0470256985
  • Item Weight: 1.14 pounds
  • Dimensions: 6.3 x 1.14 x 9.43 inches
  • Best Sellers Rank: #244 in Risk Management (Books); #477 in Atmospheric Sciences (Books); #608 in Disaster Relief (Books)

About the author

Mark David Abkowitz

The Best Tool for Operational Risk Management

Properly executed case studies can help financial institutions ward off operational risk disasters. What should a good operational risk case study look like, and what lessons can we learn from the Samsung Securities “fat finger” incident?

Friday, February 22, 2019

By Marco Folpmers


If you want to learn from the operational risk mistakes of others and prevent incidents that could severely impact your firm's reputation and bottom line, then case studies are your best bet. An effective operational risk case study asks the right questions, details the consequences of the incident and offers suggestions for what could have been done to avert it.

When we think of operational risk, fraud and information technology failures are likely among the first things that come to mind. But simple human errors are also part of the equation. Last year's “Fat Finger” incident at Samsung Securities offers an excellent example of what a case study can teach us about human errors, poor oversight and system deficiencies.


On April 6, 2018, Samsung Securities, one of the largest brokerages in South Korea, accidentally issued $105 billion worth of shares to its employees. Under the company's stock ownership plan, it was supposed to pay dividends worth 2.8 billion won ($2.6 million) to about 2,000 employees. But a Samsung Securities employee mistakenly entered “shares” instead of “won” (South Korea's currency) into the computer system, resulting in the issuance of 2.8 billion shares - more than 30 times the company's number of outstanding shares.

Although Samsung Securities discovered the incident 37 minutes after it occurred and notified the employees affected that the shares had been erroneously granted, some of them sold the stock, despite warnings from the company.

What went wrong at Samsung Securities? Plenty. Let's examine a case study model to break down the incident, its consequences and the lessons learned.

The Bow-Tie Model

Good case studies can either be outsourced or written internally, based on public resources. One of the most popular and effective approaches to operational risk case studies is the bow-tie model, which (1) explains the underlying causes, motives, opportunities and means that are at the basis of the incident; (2) thoroughly describes the incident itself; and (3) breaks down the consequences, including direct and indirect loss amounts.

The bow-tie model can certainly help us understand what happened at Samsung Securities, and can also yield ideas on preventing similar incidents from unfolding in the future. The "fat finger" incident happened in just a fraction of a second - an errant keystroke resulting in the issuance of an extremely costly and grossly erroneous dividend. The underlying causes include poor supervision, ineffective internal controls and inadequate regulatory monitoring.

The model also yields a series of probing questions about the incident: Why was one person allowed to initiate and authorize this transaction? Why did there appear to be no segregation of duties? Why didn't the IT system block the issuance and distribution of an extraordinary number of shares? And why wasn't the naked short-selling immediately prevented?

The consequences of this blunder were manifold. Analysts criticized the firm for having neither a filtering system for preventing human errors nor a warning system that could have stopped the issuance of more shares than actually existed.

The Financial Supervisory Service, South Korea's financial watchdog, found that 21 employees of Samsung Securities had either sold or attempted to sell the mistakenly issued shares. All 21 lost their jobs, and several are facing criminal charges.

The National Pension Service, South Korea's biggest pension fund, stopped using Samsung Securities to trade stock almost immediately after the incident. Roughly seven weeks later, South Korean prosecutors raided the broker's head office, which precipitated the partial suspension of its brokerage services and the resignation of its CEO.

Unique Challenges

Operational risk is different from - and I think more difficult to manage than - credit risk and market risk. One reason is that it can arise anywhere in the organization - from commercial units, to brick-and-mortar bank shops, to support functions and IT systems.

Its impact, moreover, is difficult to quantify. Keep in mind that the advanced modeling approach to measuring operational risk has been eliminated, while the new benchmark - the standardized measurement approach - has drawbacks of its own.

While banks use databases to collect and store data on operational risk incidents, it is difficult, in practice, to extrapolate from these past occurrences - particularly with respect to quantifying losses.

Indeed, a bank's own incident database provides only a very limited view of its current operational risk exposure. The incident data that is collected is typically the result of a stochastic process, and therefore not necessarily commensurate with a firm's operational risk exposure to specific event types.

The operational risk case study is the go-to methodology for overcoming this randomness bias. It expands the experience from learning from one's own errors to learning from errors made by others. While reading detailed accounts of incidents that happened elsewhere, operational risk managers may very well ask themselves questions that will help them avoid similar mistakes: Could this happen at our firm? If it does, what would I do? And what specific steps can our organization take to prevent this from happening?

Parting Thoughts

Case studies are among the biggest assets in the operational risk manager's toolkit. When we analyze the case study of the Samsung Securities “fat finger” incident, important questions are triggered. Why, for example, weren't checks and balances in place to prevent this stock pay-out from happening? Why wasn't the employee alerted that a payout of 1,000 shares per share is extraordinary? And why didn't IT controls prevent the illegal naked short-selling?
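The filtering, issuance-ceiling and segregation-of-duties controls that the questions above (and those raised under the bow-tie model earlier) point to, as an added illustration that is not code from Samsung Securities or from this article. The 2.8 billion won and roughly 2,000 employees come from the text; the plan identifier, user ids and outstanding-share count are constructed assumptions.

```python
"""Constructed example of pre-release controls for a stock-ownership-plan
dividend instruction, modelled on the "fat finger" incident described above.
Not code from Samsung Securities or from this article."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Unit(Enum):
    WON = "won"
    SHARES = "shares"


@dataclass(frozen=True)
class PlanTerms:
    """Figures sanctioned for one dividend run before any operator keys it in."""
    plan_id: str
    pay_unit: Unit            # the unit the plan actually pays in
    sanctioned_amount: int    # total approved for distribution, in pay_unit
    recipients: int
    outstanding_shares: int   # hard ceiling for any share issuance


@dataclass(frozen=True)
class PayoutInstruction:
    """What the operator entered into the payout system."""
    plan_id: str
    amount: int
    unit: Unit
    recipients: int
    entered_by: str
    approved_by: Optional[str] = None   # second-person (checker) approval


def validate_payout(instr: PayoutInstruction, terms: PlanTerms) -> list[str]:
    """Return every control violation; an empty list means the run may be released."""
    if instr.plan_id != terms.plan_id:
        return [f"instruction references plan {instr.plan_id}, expected {terms.plan_id}"]
    errors: list[str] = []

    # Control 1: unit-of-measure filter. The keystroke error was "shares"
    # where the plan pays in "won"; the two are never interchangeable, so a
    # mismatch is rejected even when the number itself matches the plan.
    if instr.unit != terms.pay_unit:
        errors.append(f"unit mismatch: keyed {instr.unit.value}, plan pays in {terms.pay_unit.value}")

    # Control 2: issuance ceiling. No run may distribute more shares than exist.
    if instr.unit == Unit.SHARES and instr.amount > terms.outstanding_shares:
        ratio = instr.amount / terms.outstanding_shares
        errors.append(f"share count exceeds outstanding shares by {ratio:.0f}x")

    # Control 3: reconciliation of amount and headcount to the sanctioned figures.
    if instr.amount != terms.sanctioned_amount or instr.recipients != terms.recipients:
        errors.append("amount or recipient count does not match the sanctioned plan terms")

    # Control 4: segregation of duties (maker-checker). The person who keys
    # the instruction may never be the one who authorizes it.
    if instr.approved_by is None:
        errors.append("no second-person approval recorded")
    elif instr.approved_by == instr.entered_by:
        errors.append(f"maker and checker are the same user ({instr.entered_by})")
    return errors


# The 2.8 billion won to about 2,000 employees is from the article. The plan
# identifier, user ids and outstanding-share count are constructed; the share
# count is chosen so that 2.8 billion shares is "more than 30 times" it.
PLAN = PlanTerms("SOP-2018-Q1", Unit.WON, 2_800_000_000, 2_000, outstanding_shares=89_000_000)
FAT_FINGER = PayoutInstruction("SOP-2018-Q1", 2_800_000_000, Unit.SHARES, 2_000, "opr-1")
CORRECT = PayoutInstruction("SOP-2018-Q1", 2_800_000_000, Unit.WON, 2_000, "opr-1", "supv-7")

if __name__ == "__main__":
    for label, instr in (("fat-finger", FAT_FINGER), ("correct", CORRECT)):
        print(f"{label}: {validate_payout(instr, PLAN) or ['released']}")
```

Note that the erroneous instruction passes the amount reconciliation (2.8 billion is exactly the sanctioned figure); only the unit filter, the ceiling and the missing second approval catch it.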

A more fundamental question relates to the irresponsible behavior of the 21 employees who attempted, illegally, to benefit from the “fat finger” blunder.

How would your employees behave under a similar scenario? Case studies provide the answers every firm needs to avoid being the next poster child for operational risk disaster.

Marco Folpmers (FRM) is a professor of financial risk management at Tilburg University. He is also a managing director at Accenture Finance and Risk.


Implementing a Federated Approach to Operational Risk Management

The Client: A multi-billion dollar financial services provider with operations across the world with millions of customers.

Being a complex organization with multiple business units and operations spread across geographies, the company found it increasingly difficult to measure and monitor risks. Although risk assessments were performed regularly in every business unit, problems arose when it came to consolidating the results. Each business unit used its own risk terminology and language, which made it hard to get a holistic picture of risk at the enterprise level. After analyzing the situation, the company chose to implement a federated approach to Operational Risk Management (ORM), supported and enabled by a workflow-based ORM solution. The approach was designed so that each business unit could conduct its own independent operational risk assessments while the results were automatically aggregated and rolled up, giving the board and top management a single, comprehensive view of risk across the enterprise.

Towards a New ORM Strategy

The company's federated ORM project was kick-started in early 2012. Stakeholders from different groups such as Compliance, Audit, Vendor Governance, and Risk Management came together to discuss what to do, how best to go about it, and what technology solution to implement. Eventually, the company developed a comprehensive ORM strategy, and implemented a solution that focused on strengthening existing ORM processes, standardizing the risk language, and gaining an integrated risk view. Below are the key elements of the company's enhanced ORM program:


Risk-Control Self-Assessments (RCSAs)

At a broad level, the company's operational risk assessment process begins with the risk administrator preparing an RCSA plan and schedule, based on which the operational risk managers assess their business unit's risks and controls. Each business unit has the flexibility to implement its own approach to RCSAs so that the assessment is relevant to the risks it faces. This flexibility matters because a risk such as credit risk that is critical to one business unit may not be relevant to another. Whatever the approach, all business units use the same risk language and nomenclature to describe operational risk drivers, correlation bundles, controls, control objectives, and reliance maturity. All of these terms are defined and stored in a centralized risk data dictionary that operational risk managers across the globe consult while preparing their risk reports.

Risk Control Self Assessment - High Level Flow

Given that risk events can be unpredictable as well as subject to constant change, the company enables continuous and recurring risk assessments. It also conducts process RCSAs, which are ad hoc but granular evaluations of a specific function.

Business Environment Analysis (BEA)

Several internal and external factors such as a change in policy, or a restructuring of the management team have a direct impact on risk management at various levels of the organization. Every time such a change occurs, a BEA event workflow is triggered. This allows risk administrators to route the BEA to concerned risk managers in their team who, in turn, can either accept or reject the BEA depending on how it impacts their organization or their risk management processes.

Risk profile tracking

Each operational risk manager has access to powerful graphical dashboards which provide real-time insights into all risks, issues, losses, KRIs, BEAs, and other critical information in the business unit. Users can view risks by category and organizational tier, and identify if there needs to be a re-assessment of a risk driver, a loss scenario, inherent risk, controls, or any other elements. This top-level risk view helps risk managers focus their attention on the most critical risk areas. Advanced drill-down capabilities help the risk managers view the data at any level of granularity, and proactively identify and analyze risk triggers (e.g. new issues, losses, BEA change events, breach of KRI thresholds). At regular intervals, an informal risk snapshot is taken of all RCSAs in a business unit. The result is a “freeze-frame” picture of risks which enables operational risk managers to identify and analyze risk trends effectively. A more formal risk snapshot is taken every quarter.

Risk landing page

Similar to the ORM dashboard is a landing page in the ORM solution which provides operational risk managers with a complete overview of their business unit's risk profile. Any risk manager who logs into the system can quickly and easily understand the risk profile without having to click on several different links and tabs. At a broad level, the landing page contains top-level risk categories, events, number of controls, number of issues, number of KRIs, number of loss events, and other such critical data that can be quickly navigated through. If there is a change made to the data (e.g. a new issue registered in the system), it is automatically mapped to the relevant risk categories (e.g. credit risk issue, market risk issue). Since risk managers are located in different geographies, and may therefore speak different languages, the landing page provides multi-lingual support, in addition to being intuitive and easy-to-use.

Risk measurement

Most organizations measure inherent risk in terms of impact and likelihood, expressed as a two-dimensional matrix. Because the company deals specifically with finance, it opted to express risk impact in monetary terms, in currencies such as USD and EUR. A designated group uploads the currency rates as they change, so when a risk report is shown to the Board the conversion rate used is visible. The display currency is also set by user profile: a user in Europe sees risk impact in euros while a counterpart in the U.S. sees it in USD. Risk is also measured as probability, i.e. the likelihood that a risk scenario, paired with the defined inherent risk, will occur within a year; users can also derive the inverse actuarial probability. A further measure is velocity. Risk velocity adds a third dimension to the traditional impact-and-likelihood model: it is the speed at which a risk, once triggered, impacts the organization, and so introduces a time factor into risk management. By measuring velocity, the company can estimate how quickly a risk might materialize, how fast it will be felt, and how much time is available to prepare and react.

Control objectives and ratings

In its risk data dictionary, the company maintains a comprehensive list of control objectives, i.e. descriptions of the types of controls required for a specific risk. Control objective ratings tell the organization whether all the required controls are in place, and how important they are to the overall risk category: a strong rating indicates that the needed controls are in place, while a weak rating indicates that some controls are missing for that risk category. Control ratings, on the other hand, indicate the effectiveness of an individual control. By combining individual control ratings with the overall control objective ratings, the organization gets a complete picture of the adequacy of the control environment for a particular risk category.
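The following is an added worked example, written for this page and not MetricStream's or the client's code, that puts the mechanics of the last two sections (impact in currency, annual likelihood, velocity, and control objective ratings derived from individual control ratings) together with the federated roll-up described at the start of the case study. Every business unit files its own RCSA records, but each record is checked against a shared risk data dictionary and rejected if it uses a local term, rather than being silently mapped; impact is normalized to a base currency for aggregation and converted back for display according to the user's profile. The dictionary contents, the FX rates, the 0.7 effectiveness threshold, the coverage-based residual formula, and the sample submissions are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed assumptions for the example: base currency, FX rates, and a
# risk data dictionary (canonical categories plus the controls each control
# objective requires). Terms outside the dictionary are rejected, not mapped.
BASE_CURRENCY = "USD"
FX_TO_USD = {"USD": 1.0, "EUR": 1.08, "GBP": 1.25}   # 1 unit -> USD
RISK_CATEGORIES = {"process_failure", "external_fraud", "it_outage"}
CONTROL_OBJECTIVES = {
    "it_outage": {"availability": ["backup", "failover", "monitoring"]},
    "external_fraud": {"payment_integrity": ["dual_auth", "txn_monitoring"]},
    "process_failure": {"reconciliation": ["daily_recon"]},
}
EFFECTIVE_THRESHOLD = 0.7  # a control rated below this does not count as in place


@dataclass
class RcsaRecord:
    business_unit: str
    risk_category: str
    impact: float          # loss if the scenario occurs, in `currency`
    currency: str
    likelihood: float      # probability of occurrence within one year
    velocity_days: int     # days from trigger until the impact is felt
    controls: Dict[str, float] = field(default_factory=dict)  # control -> rating 0..1


def validate(record: RcsaRecord) -> List[str]:
    """Dictionary and range violations in a record (empty list = accepted)."""
    problems = []
    if record.risk_category not in RISK_CATEGORIES:
        problems.append(f"unknown risk category {record.risk_category!r}")
    if record.currency not in FX_TO_USD:
        problems.append(f"unknown currency {record.currency!r}")
    if not 0.0 <= record.likelihood <= 1.0:
        problems.append("likelihood must be a probability in [0, 1]")
    if record.impact < 0 or record.velocity_days < 0:
        problems.append("impact and velocity must be non-negative")
    return problems


def to_base(amount: float, currency: str) -> float:
    return amount * FX_TO_USD[currency]


def from_base(amount_usd: float, currency: str) -> float:
    """Display conversion for a user whose profile is set to another currency."""
    return amount_usd / FX_TO_USD[currency]


def control_objective_rating(record: RcsaRecord) -> Dict[str, Tuple[str, float]]:
    """Per control objective: (label, coverage). Coverage is the share of the
    required controls that exist and are rated effective; 'strong' = all of
    them in place, 'weak' = none, 'partial' = anything in between."""
    out = {}
    for objective, required in CONTROL_OBJECTIVES[record.risk_category].items():
        in_place = [c for c in required
                    if record.controls.get(c, 0.0) >= EFFECTIVE_THRESHOLD]
        coverage = len(in_place) / len(required)
        label = "strong" if coverage == 1.0 else "weak" if coverage == 0.0 else "partial"
        out[objective] = (label, coverage)
    return out


def residual_exposure_usd(record: RcsaRecord) -> float:
    """Expected annual loss after controls, in the base currency: inherent
    exposure (impact * likelihood) reduced in proportion to mean coverage."""
    inherent = to_base(record.impact, record.currency) * record.likelihood
    ratings = control_objective_rating(record)
    mean_coverage = sum(cov for _, cov in ratings.values()) / len(ratings)
    return inherent * (1.0 - mean_coverage)


def roll_up(records: List[RcsaRecord]):
    """Aggregate accepted records by risk category -> (totals, rejected)."""
    totals, rejected = {}, {}
    for rec in records:
        problems = validate(rec)
        if problems:
            rejected[(rec.business_unit, rec.risk_category)] = problems
            continue
        bucket = totals.setdefault(rec.risk_category, {
            "residual_usd": 0.0, "fastest_days": rec.velocity_days, "units": []})
        bucket["residual_usd"] += residual_exposure_usd(rec)
        bucket["fastest_days"] = min(bucket["fastest_days"], rec.velocity_days)
        bucket["units"].append(rec.business_unit)
    return totals, rejected


def prioritised(totals) -> List[str]:
    """Categories by residual exposure, highest first; faster velocity breaks ties."""
    return sorted(totals, key=lambda c: (-totals[c]["residual_usd"], totals[c]["fastest_days"]))


# Constructed sample submissions from four business units.
SAMPLE = [
    RcsaRecord("EU-Payments", "external_fraud", 2_000_000, "EUR", 0.10, 2,
               {"dual_auth": 0.9, "txn_monitoring": 0.5}),
    RcsaRecord("US-Ops", "it_outage", 5_000_000, "USD", 0.05, 1,
               {"backup": 0.8, "failover": 0.8, "monitoring": 0.9}),
    RcsaRecord("UK-Retail", "it_outage", 1_000_000, "GBP", 0.20, 1, {"backup": 0.6}),
    RcsaRecord("APAC-Ops", "system downtime", 500_000, "USD", 0.30, 7),  # local term
]

if __name__ == "__main__":
    totals, rejected = roll_up(SAMPLE)
    for cat in prioritised(totals):
        t = totals[cat]
        print(f"{cat:15} residual {BASE_CURRENCY} {t['residual_usd']:>10,.0f} "
              f"(EUR {from_base(t['residual_usd'], 'EUR'):,.0f}) "
              f"fastest {t['fastest_days']}d {t['units']}")
    for key, problems in rejected.items():
        print("rejected", key, problems)
```

Two design choices carry the security-relevant point. First, validation is strict: an APAC record filed under a local term like "system downtime" is reported back as rejected instead of being guessed into "it_outage", because a silent mapping is exactly how a roll-up loses the risk it was meant to surface. Second, the IT outage category rises to the top of the ranking even though the US unit has a strong control objective rating, because the UK unit's single sub-threshold backup control leaves its exposure uncovered; the board view is only as good as the weakest unit's control coverage.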

Issue management

All RCSA, loss management, and BEA processes eventually link to issue management in a closed-loop approach. In fact, there are many other processes and functions such as Compliance and Audits which also integrate with issue management. If each function uses different terminologies for these issues and the associated risks, then reporting becomes complicated. To avoid this challenge, all functions refer to the same risk data dictionary for enterprise-wide issue reporting. And if any of the issues pose an operational risk, the ORM group gets notified immediately.

The Enabling Role of Technology

The company implemented MetricStream ORM Solution to support and enable their risk management strategy. The solution provides the following core capabilities:

  • A single, centralized system for managing and assessing risks across the enterprise
  • Integration with multiple enterprise systems to automatically gather and aggregate a variety of risk data, including KRIs, KPIs, issues, BEAs, and internal and external losses
  • Powerful dashboards and reports to help risk managers gain better risk visibility and thereby better risk control.
  • A centralized data dictionary/ risk library with common definitions of risk categories, risk drivers, correlation bundles, controls, control objectives, and other risk terms
  • Multi-lingual support so that operational risk managers have the freedom to select their choice of language for various field values in a form, rating guides, and reporting
  • Flexibility to seamlessly adapt to organizational changes such as the introduction of new risk policies or regulations

Lessons Learned

  • Look at ORM as an opportunity to strengthen the business, not just as a function that has to be fulfilled
  • Track your risk profile consistently to ensure that all risks stay within the defined risk appetite
  • When standardizing your risk language, make sure that it is reflected and integrated in all risk systems
  • Have an honest dialogue about what your ORM technology can and cannot do: push the limits but be clear about them
  • If you are using an ORM platform, upgrade it regularly to gain new capabilities and pick up bug fixes

Benefits

  • Single view of enterprise risk: Tools such as executive risk dashboards and a centralized risk landing page offer a quick, high-level overview of risk and control data that can then be drilled down to analyze details. This comprehensive picture of risk enables operational risk managers to proactively identify and address opportunities as well as areas of concern.
  • Standardization of risk language: The risk data dictionary has helped the company implement a common risk language across business units. When the management team at headquarters looks at the consolidated RCSA results, they get a clear and comprehensive understanding of the enterprise risk profile, which in turn helps them make better risk-informed strategic decisions.
  • Greater understanding of risk: The company can measure and analyze risk not only in terms of impact and likelihood but also in terms of currency and velocity. This helps it understand and prioritize risks better, and determine which ones need to be mitigated immediately and which can be turned into opportunities.
  • More systematic, closed-loop risk processes: The company has streamlined end-to-end risk processes, from risk assessment to risk tracking, risk reporting, control assessments, loss management, KRI monitoring, and issue management. This structured approach minimizes redundancy and duplicate effort and improves the cost-efficiency of risk management.

Operational Risk Management: A Case Study Of An Indian Commercial Bank

sartaj hussain


Sustainable risk management practice in the organization: a Malaysian case study

  • Research Article
  • Published: 08 November 2022
  • Volume 30 , pages 24708–24717, ( 2023 )


Siti Afiqah Zainuddin, Borhan Abdullah, Noorul Azwin Md Nasir, Tahirah Abdullah, Noorshella Che Nawi, Ataul Karim Patwary and Nik Alif Amri Nik Hashim


Businesses are becoming more conscious of operational risk management practices due to the COVID-19 pandemic. However, some firms practice risk management without fully comprehending how it might help them and their needs. As a result, companies that practice risk management without realizing it are being controlled by the discipline itself. The goal of this study is to look into the epistemic process of risk management practice in the workplace. This phenomenological study interviewed 39 risk management officers, executives, and employees. Data are thematically analyzed. This study discovered five epistemic processes of risk mapping using Foucault’s governmentality paradigm. This phenomenological study, interestingly, revealed the black box of risk management practices, as well as the behavior of risk management officers, executives, and risk owners who preferred to monitor the compliance aspects of risk management practices rather than comprehend the capabilities of risk management that could be used within their strategic planning process. Unaware of this black box, organizational actors were blanketed by the organization’s culture of fear, which created the impression that the authority was always watching every word said and every action taken. Practically, this study contributes an improved understanding of the real function of risk management that helps them justify the practice and reduce unnecessary fear. The paper concludes with limitations and research recommendations.


Introduction

Risk management becomes an act or proof of strong corporate governance in a more focused setting such as a business organization, which enhances organizational practices, reputation, accountability, and responsibility toward its stakeholders (Zainuddin et al. 2020a, 2020b). As a result of being too obsessed with this rationale, organizational actors such as employees and executives who are assigned as risk owners, management control owners, and risk champions in the risk management structure are more likely to comply with risk management practices without any intention or interest in inquiring about the implications for themselves (Koval 2021). Many previous studies focus on the benefits of adopting an operational risk management system (Kwak et al. 2018; Callahan and Soileau 2017; Munir et al. 2020; Hopkin 2018). However, no study gives attention to the real reason for the implementation of, and compliance with, risk management, which is what gives rise to a risk management system in an organization. Hence, this study aims to reveal the process of risk management practice in the organization, which may uncover the black box of the epistemic process of the risk management discipline in the organization and its implications for organizational actors.

The operational risk management system has become a hot topic among corporations, particularly those that manage public money, such as pension institutions and employee funds with substantial holdings. Such organizations are also shaped by the capitalist economy and industrialization, having been corporatized to become more mature and efficient in handling the funds they hold. In Malaysia, numerous institutions hold substantial funds, such as EPF, KWAP, and Tabung Haji. These companies must maintain their image, responsibility, and legitimacy because they are always scrutinized by the public and government stakeholders, and they cannot avoid the burden of demonstrating their ability to manage public monies. One technique is implementing an effective operational risk management system capable of lowering risks that could harm the organization. Its implementation receives a great deal of attention, and the country's senior leadership frequently underlines the advantages of adopting it. During national management-related debates in parliament and the people's house, for instance, representatives of the people frequently raise questions about the adoption of risk management systems for government projects involving firms that handle government funds. Everyone is persuaded that implementing operational risk management can provide a high level of assurance for the success of projects and corporate management.

However, some businesses deploy an operational risk management system because of external pressure rather than because of its utility and benefits to the business. Because they feel pressed and compelled, these businesses cannot determine the optimal function and benefits such a system can provide for their operations; instead of utilizing a system adopted with a specific level of investment, they use it merely to portray a positive image to stakeholders. Even though researchers from various fields and backgrounds have conducted numerous studies on risk management systems (see American Diabetes Association 2018; Wang et al. 2020; Szymański 2017; Burtonshaw-Gunn 2017; Leo et al. 2019; Greuning and Brajovic-Bratanovic 2022), one question remains unanswered: why many companies that implement operational risk management systems, at a cost of money, time, and energy, are still not successful, and why some fail to manage risk in their operations and cannot survive, especially when a global economic crisis strikes.

Although organizations must adopt risk management as strategic planning, there is a lack of studies that focus on the side effect of the adoption on employees. This creates an unfair treatment of the employees (Rachidi et al. 2022 ). In addition, there is a lack of studies focusing on the phenomenon that causes unnecessary fear among employees. Lack of knowledge and understanding about the real function of risk management is a cause of chaos (Patwary et al. 2022a ; Rodrigues et al. 2020 ; Sharif et al. 2022 ; Wang et al. 2022 ; Wu et al. 2022 ). This phenomenology-based study aims to determine how the company’s risk management system is deemed an effective and valuable strategy for managing the company’s operational risk. The main contributions produced by this study are i) in practice, employees, and risk management officers get a better understanding of the main function of risk management that helps to reduce their feeling of fear; ii) from a theoretical perspective, the governmentality framework demonstrates the elements of the epistemic process of risk management discipline in the case company; iii) empirically, this study highlights how the macro and micro-organizational elements connected to assist the evolution of risk management in the case company.

In the subsequent sections, this paper presents a literature review section that mentions a relevant study from the past related to risk management and governmentality that contributed to the development of this study. Next, the methodology of this paper is presented. Then, the case study findings and discussions are presented. Lastly, the paper ends with a conclusion section.

Literature review

Risk management

In an organizational context, risks are classified according to the nature of the firm. Risk management studies within an organizational context have discovered various risk categories such as operational risk (Alvarez-Alvarado and Jayaweera 2020 ), financial risk (Yagli 2020 ; Hashim et al. 2022 ; Patwary 2022 ), strategic risk (Zadeh et al. 2021 ), supply risk (Iqbal et al. 2020 ), regulatory risk (Weatherburn et al. 2020 ), etc. In managing these risks, every employee in the company is held accountable, particularly in recognizing, identifying, reporting, and controlling the risks. These employees are assigned risk management roles, jobs, and designations whose descriptions can be found in risk management guidelines or standards (see ISO 2009a , 2009b , 2018 , 2019 ). To maintain consistent and successful risk management practices, the company must be fully aware of its internal and external environments (Hopkin 2018 ). Getting a good understanding of the surrounding environment may quickly address some risks, which improves the firm’s control and monitoring mechanism (Poteat et al. 2020 ).

Various organizational characteristics influence organizational actors' attitudes toward risk management practice (Fadzil et al. 2017 ), which is also known as risk attitude. The nature of the firm (Brunsson and Olsen 2018 ), top management influence (Wijethilake and Lama 2019 ), government impact (Patwary et al. 2022b ; York et al. 2018 ), organizational actors’ knowledge and competence (Zhou et al. 2018 ), and cost of risk management implementation are all factors to consider. In other words, the pressure from the abovementioned elements influences the conduct of organizational actors such as employees responsible for implementing risk management systems. On the other hand, the organization looks at risk management as a way of persuading organizational actors, such as employees, to behave in a certain way as approved by the risk management practice (Hillson and Murray-Webster 2017 ).

Governmentality

In 1979, Foucault developed the term governmentality. The concept of government, according to Foucault, is the conduct of conduct. In applying Foucault’s concept of government and governmentality, it can be seen not only in the administration of the state and citizens but also in the government that signifies issues of self-control, management of a family, management of children, management of males and females, and management of souls. Thus, Foucault’s meaning of government is wide ranging, from governing the self to governing others. In brief, the government means to conduct others and oneself, and governmentality is about how to govern.

Moreover, the concept of government involves strategies, agendas, plans, aspirations, dreams, missions, visions, tactics, techniques, programs, and blueprints of authorities that shape the beliefs, confidence, trust, and conduct of the population (Nettleton 1991 , p. 99). Hence, the government is an activity that aims to shape or affect the conduct to conduct people (Gordon 1991 ; Holmes and Gastaldo 2002 ).

Nowadays, governmentality can be achieved through applying knowledge as technology in an institution.

Accordingly, this study adopts Maran et al.’s ( 2016 ) governmentality framework, as shown in Fig.  1 . The framework suggests that application of governmentality is divided into two dimensions with a reciprocal connection. The first dimension represents the macro-organizational level. At the macro-level, the discursive dimension of governmentality is highlighted. In this dimension, discourse, rhetoric, and language are used to promote the government’s ideology in political discourses. Here, the political discourses are divided into high and operational. In high political discourse, all the political rationalities will discuss the specific ideology/agenda. In operational political discourse, the ideology/agenda have been operationalized into government programs. The second dimension represents the micro-organizational level. At the micro level, the organization uses government technology to operationalize the agenda promoted at the macro-organizational level. Here, the knowledge and government apparatus that has been institutionalized provides and receives support for/from the first dimension. Figure  1 depicts that both the macro- and micro-levels (in both dimensions) are learning from each other. Finally, the two-way arrows show that each part is communicating with each other (Maran et al. 2016 ; Patwary et al. 2022c ; Aziz et al. 2019 ).

Fig. 1 Governmentality framework. Source: adapted from Maran et al. (2016)

The governmentality framework adapted and used in this study explains the forces that contribute to the epistemic process of risk management emergence in organizations. Both governmentality dimensions (discursive dimension of governmentality and technologies of government) provide context that generates five epistemic processes that support the adoption and development of a risk management system within an organization.

Methodology

Research design

This research uses a post-positivistic accounting paradigm, because a positivistic accounting approach is unable to explain dynamic phenomena in an organization. Under the post-positivistic accounting paradigm, a qualitative method is the most appropriate option. To address the research challenges raised in the earlier quotation from Burawoy (1998), this study’s techniques and methodologies must help the researcher identify and explain the connections between the macro-political and micro-organizational components of risk management practice. An extended case study was therefore used, as it provides an in-depth examination of a company’s risk management practices.

Within the field, a primary organization was chosen and is referred to as the case company. To achieve the research objective, the case company’s employees and risk management officers were selected as the unit of analysis and were interviewed. This is because, under risk management standards, all of the case company’s employees and risk management officers are responsible for identifying, managing, treating, and reporting risk to the designated committee through a structured process. The case company was chosen because it is the largest Malaysian organization, and one of the oldest in the world, of its kind mandated to manage public funds. After passing security checks and the proper procedures, the researcher was granted 3 months of access as an employee to enter the company and conduct the study during business hours. All relevant employees encountered during the study period were interviewed and asked questions addressing the research questions. The researcher was also given several opportunities to attend the case company’s meetings and workshops, and used them to meet as many employees and risk management officers as possible for interviews.

Sampling and data collection

During the fieldwork, 39 risk officers, executives, and employees from various departments, including risk management, operations, the investment department, and top management appointed to manage risk, were interviewed. Over the 3 months of fieldwork, several employees were interviewed two or three times; because the employees could be met every day during working hours, the researcher was able to conduct many interviews. A total of 42 interviews were completed. The interview data were acquired and transcribed during and after the field activity.

After transcription, each data point was double-checked against the interviews to ensure that the information was correct. Thematic analysis was then used to evaluate the transcribed data, allowing the researcher to categorize and frame the major themes related to the phenomena using the governmentality framework. Thematic analysis identifies, analyzes, and interprets patterns, particularly those derived from qualitative data, and is widely used in qualitative research to gain a deeper understanding of people’s experiences, opinions, and behaviors. In this study, thematic analysis is used to gain a deeper understanding of the experiences and viewpoints of employees and risk management officers regarding risk management practice.

Subsequently, the extended case study method developed by Burawoy (1998) is used for data analysis to explain the relationship between the themes found during the thematic analysis.

Data analysis and coding

In the data analysis process, the interview material is grouped and coded based on the researcher’s observations and interviews. A notebook was used during the fieldwork to document every action and occurrence within the organization linked to the project. The written notes and interview data are combined for the thematic analysis.

Reliability and validity

Qualitative research is no less concerned with reliability and validity than quantitative research. In quantitative research, instrument components and constructs are examined to determine their degree of reliability and validity (Hashim et al. 2020a). In qualitative research, the correctness of the findings depends on the researcher’s description of the data and on verification carried out by the unit of analysis.

Because qualitative investigation is inherently subjective, qualitative research aims to achieve a high level of internal reliability. The study’s ability to deliver consistent and trustworthy results depends on the internal dependability achieved during the data coding step. One method of evaluating the validity of qualitative findings is respondent validation, in which initial results are reviewed with participants to establish whether they are still accurate. Once the researcher had gathered all of the data, they were returned to the unit of analysis for verification.

Study limitations

Ten requests to take part in qualitative research were sent to the ten most prominent organizations in Malaysia. Subjective semi-structured interviews were used for this qualitative inquiry. However, because of concerns about maintaining participants’ anonymity, only one agreed to participate in the study. Future research may be able to use alternative methodologies, such as quantitative approaches or case studies with smaller organizations; studies of those kinds have already been conducted.

Besides the internal and external elements of the organization mentioned above, other factors are more closely tied to the employees who carry out risk management practices. These factors include attitude, subjective norms, and perceived behavioral control (Nik Hashim et al. 2019; Said et al. 2020). These considerations drive the decision to comply, or not comply, with the regulations that govern risk management practices. Consequently, the theory used to guide the study findings also helps produce research outcomes that are both clearer and broader.

Case study findings and discussion

Figure 2 shows in detail the case company’s epistemic process of risk management and the relationships within it. An epistemic process is the process by which knowledge (here, risk management) is constructed in the organization (Roos and Von Krogh 2016; Choo 2016). Specifically, Fig. 2 shows how risk management knowledge is adopted from the macro-organizational level (through the discursive dimension of governmentality) and then constructed into an organizational discipline at the micro-organizational level through an epistemic process. Based on this governmentality framework, the study found that the case company has adopted risk management as one of the technologies of government used in the organization to govern the mentality and behavior of organizational actors such as the case company’s employees. Certain organizational factors, such as the implementation of risk management, shape employees’ mentality and behavior (Ashena et al. 2019; Shanker et al. 2017), which parallels what has been found in this study.

Fig. 2 Research framework

The extended case study has revealed how risk management has evolved and transformed into an organizational discipline through five main elements: structural, processual, relational, cultural, and historical. These five elements show that macro- and micro-organizational factors may affect how an organization’s operational risk management discipline develops. This conclusion is similar to that of Shah et al. (2018), who identified micro- and macro-organizational components that helped a firm better understand how stakeholders perceived the company’s flood risk management. Because of this greater understanding, the organization’s management can better manage risk and meet stakeholder expectations.

Organizational actors (micro-level) and society at the political and economic levels (macro-level) both learn from one another through the epistemic process. Society and actors at all levels are adapting and learning new ways of thinking, acting, and making decisions based on a certain method presented as the best practice for greater performance and improvement. The learning loop between the two dimensions is depicted in Fig. 2. Furthermore, at the macro-level, governmentality emphasizes how government technology facilitates the acceptance of knowledge as a best practice, resulting in organizational actors being disciplined to implement and apply knowledge as an organizational discipline. The two-way arrow in Fig. 2 shows the distribution of tasks and powers and the risk management system communication. The thematic analysis results are used to describe the research framework better. The following are the five themes that have been developed.

Theme 1: the structural element

The organizational structure is the backbone of an organization’s epistemic process of risk management discipline (Braumann et al. 2020; Wijethilake and Lama 2019). The structural element explains the structure, hierarchy, bureaucracy, and accountability within risk management practice in the organization. This is because the influence of people with specific positions and their hegemonic power can enhance risk management implementation in the case company with less resistance or rejection from the people who work on the implementation. The clarity in the position a person holds will also clarify his/her motivation, along with the objectives that he/she wishes to achieve for the organization. The senior risk management officer mentioned:

“…we have a very good structure in risk management implementation. At the top level, we have a risk management board committee; at the bottom level, every head of department and spokes are appointed as risk champions, followed by the management team, who are then appointed as risk owners and management control owners…”

Structural elements concern not only a person’s position in the organizational hierarchy but also whether the hierarchy is formal or informal (Osman 2017; Diefenbach and Sillince 2011). The formal hierarchy may be laid out in black and white in the company’s handbooks, policies, and procedures, while informal frameworks include the mutual understanding among risk officers, executives, and employees about conveying risk-related problems to one another.

Theme 2: the processual element

A consistent and well-managed process is necessary for risk management practice (Willumsen et al. 2019). The processual element refers to the formal organizational processes employed by the case company in order to manage risk, and is another way in which the case company distributes powers and tasks among organizational actors. Examples of formal organizational processes are scheduled meetings, prompt meetings, site inspections, and paper presentations. The scheduled and prompt meetings are held to discuss issues related to risk management practice. Senior operational risk management officers 1, 4, and 6 mentioned:

“…in our scheduled meetings, the top management level attends together; for example, our CEO, as part of his task to monitor the progress and issues regarding risk management practice in every business unit…”

From the meeting, discussion, and presentation, they will undergo more specific processes in risk management, such as risk identification, analysis, evaluation, treatment, monitoring, and review.

Theme 3: the relational element

The relational element explains the relationships of the risk management system (RMS) and practices with other systems, departments and branches, and employees, also called an integrated system. The integrated system involves integration in governance and operating activities (Gordon et al. 2009; Anam et al. 2022). Moreover, the integration of the RMS with other systems and business units is a fundamental principle in establishing good communication and support (Florio and Leoni 2017; Farrell and Gallagher 2015). Beyond merely working together with other units, for the RMS to function effectively, it needs to be embedded into the other systems, departments, and branches, and attached to employees’ tasks. Senior analytic risk management officers 1 and 2 mentioned:

“…RMD is regarded as the second line of defence. The front offices, such as branches and departments, are regarded as the first line of defence, while an internal audit is the third line of defence in facing risks and uncertainty. The three lines of defence demonstrate the strong relationship between the RMS and the rest of the business units…”

The RMS is not a system that can function independently. It is integrated into the systems already in place and links the performance of workers, departments, and the organization with risk management practices. Each report created is entered into a system that links employees’ performance to compliance with their responsibilities. This ensures that the risks associated with their responsibilities are well managed, and also guarantees that other systems, including performance management systems, are not impacted.

Theme 4: the cultural element

The researcher’s observation of the case company’s culture is that risk management implementation is not seen merely as part of the employees’ tasks. It is nurtured as organizational culture (Chen et al. 2019; Wressell et al. 2018), constructed and developed from risk thinking and risk action. Risk thinking and risk action refer to the way employees behave in a risky situation (for instance, when handling confidential information): they become more alert to their surroundings so as not to leak the information by mistake. The employees talk about risk in nearly every space. For example, during lunch hour and company events, the employees regularly discuss how they should and should not behave to avoid risky actions.

The risk management culture is one of the main strategies employed in strengthening the implementation of pervasive risk management practices in the organization. EPF boards, line managers, and all employees in the organization have endeavored to nurture a risk management culture in performing their daily work. Operational risk management officer 8, in charge of staff risk management training, said:

“…each of us is talking about risk in many spaces. I mean, space here refers not to the location but more to occasions. We believe discussing and talking about risk will help us understand risk. It also helps form a culture that is alert to risk. I think that is how risk management can be easily understood and practised…”

When a topic is brought up in any setting, regardless of time or location, it eventually becomes a routine discourse, then a habit for employees, and finally a culture inside the organization (Hashim et al. 2020b; Wales et al. 2020). When new employees join an organization, their first task is to familiarize themselves with the company’s traditions by observing how those traditions are practiced (Hashim et al. 2019; Lyon 2018). As a result, the organization’s risk management culture becomes more robust and contributes to forming a new identity for the company.

Theme 5: the historical element

The historical element explains how risk management’s history helps secure positive perceptions of risk management implementation among organizational actors. In some studies, historical elements refer to the level of risk management maturity in an organization (Alashwal et al. 2017; Chen et al. 2022; Omer 2019; Rahman et al. 2022). The history of risk management in the case company is proof that people believe in what is already established. Senior investment risk officer 3 said that the risk management structure was already there when she entered the department in 2009. She added:

“At the time that I entered the department, the credit risk section was not yet created and was a subset of the investment risk section. When the current head of the department entered the office in 2008, he thought he needed to grow the credit risk section because he thought that the credit function was more like an independent assessment. The head of the department emphasized that it is the best practice and how it is practiced in a bank, [and it should be] noted that the head of the department was from a banking background.”

Through these five fundamental parts of the epistemic process, risk management has been transformed and given disciplinary authority to govern the thinking and behavior of organizational actors. As a result, organizational actors can act only in the ways defined by organizational discipline.

Limitations and future research directions

The study only focuses on one primary organization, the case company, which can be expanded in future research to focus on multiple case studies using other prominent organizations. In terms of methodology, this study adopts a qualitative approach. However, more interesting findings can be obtained by using a mixed-method approach.

At the micro-organizational level, the study found that all five elements (structural, processual, relational, cultural, and historical) occur in both dimensions of governmentality (the discursive dimension and the technologies of government dimension). Some elements, however, are critical in one particular dimension. The most prominent elements in the discursive dimension are the historical and the cultural; both serve as a conduit for developing a risk management strategy. For example, the influence of local culture, in which Malaysian employees want a conducive and safe working environment, justified the adoption and implementation of risk management methods in the case organization in the first place.

Later, in the second dimension of governmentality, the discipline manages many aspects of organizational actors’ behavior by assigning roles and tasks. The processual, relational, and structural elements are significant in the case company’s establishment of risk management at this second level.

These five elements illustrate how risk management becomes an organizational discipline through an epistemic process. It is not a simple process: it requires all levels of management to work together and move in the same direction. Furthermore, this steady and consistent growth is the outcome of committed staff. Although it may appear at first glance that employees merely obey instructions, this is not the case: employee compliance is not a result of fear but a necessary component of the process, one that requires total commitment and participation. Moreover, effective top-down and bottom-up communication is another relational feature that aids the implementation process.

From the internal aspect, each of the five elements is critical in forming a robust risk management strategy for a business; if one of them is missing, the risk management process may fail to be implemented. From the external aspect, despite the many negative consequences of the Covid-19 outbreak, it positively impacted the process. It put pressure on organizational actors, for example, to change for better management and to accept and grasp the importance of having a risk management system to sustain and improve organizational performance. Therefore, the study accepts the assumption that elements from the macro- and micro-organizational levels influence, and cause change in, the risk management practice of the case company. This is because the case company, one of many organizations that implement and adopt risk management, now realizes the need for balance and for a deep understanding of the consequences of risk management adoption for the organizational actors and the organization itself.

This study’s main contribution is that risk management officers and employees gain a better understanding of the primary purpose of risk management, which helps to lessen their fear, while from a theoretical perspective the governmentality framework illustrates the elements of the epistemic process of risk management discipline in the case company. Empirically, this study emphasizes how the macro- and micro-organizational elements interact to produce risk management discipline.

Data availability

The data that support the findings of this study are openly available upon request.

References

Alashwal AM, Abdul-Rahman H, Asef A (2017) Influence of organizational learning and firm size on risk management maturity. J Manag Eng 33(6):04017034

Alvarez-Alvarado MS, Jayaweera D (2020) Operational risk assessment with smart maintenance of power generators. Int J Electr Power Energy Syst 117:105671

American Diabetes Association (2018) 9. Cardiovascular disease and risk management: standards of medical care in diabetes—2018. Diabetes care 41(Supplement_1):S86–S104

Anam M, Setiawan R, Chinnappan SK, Nik Hashim NAA, Mehbodniya A, Bhargava C, Sharma PK, Phasinam K, Subramaniyaswamy V, Sengan S (2022) Analyzing the impact of lockdown in controlling COVID-19 spread and future prediction. Int J Uncertain Fuzziness Knowledge-Based Syst 30:83–109

Ashena M, Abaspour A, Dehghanan H, HaghighKafash M (2019) Detection of organizational deviant behaviors of employees and their reduction mechanisms in supervisory organizations: applying the Q sort method. Public Adm Perspective 10(1):39–58

Aziz RC, Hashim NAAN, Omar RNR, Yusoff AM, Muhammad NH, Simpong DB, Abdullah T, Zainuddin SA, Safri FHM (2019) Teaching and learning in higher education: e-learning as a tool. Int J Innov Technol Explor Eng (IJITEE) 9(1):458–463

Braumann EC, Grabner I, Posch A (2020) Tone from the top in risk management: a complementarity perspective on how control systems influence risk awareness. Acc Organ Soc 84:101128

Brunsson N, Olsen JP (2018) The reforming organization. Routledge, London

Burawoy M (1998) The extended case method. Sociol Theory 16(1):4–33

Burtonshaw-Gunn SA (2017) Risk and financial management in construction. Routledge, London

Callahan C, Soileau J (2017) Does enterprise risk management enhance operating performance? Adv Account 37:122–139

Chen J, Jiao L, Harrison G (2019) Organisational culture and enterprise risk management: the Australian not-for-profit context. Aust J Public Adm 78(3):432–448

Chen X, Rahman MK, Rana MS, Gazi MAI, Rahaman MA, Nawi NC (2022) Predicting consumer green product purchase attitudes and behavioral intention during COVID-19 pandemic. Front Psychol 12:1–10

Choo CW (2016) The inquiring organization: how organizations acquire knowledge and seek information. Oxford University Press, Oxford

Diefenbach T, Sillince JA (2011) Formal and informal hierarchy in different types of organization. Organ Stud 32(11):1515–1537

Fadzil NS, Noor NM, Rahman IA (2017) Need of risk management practice amongst Bumiputera contractors in Malaysia construction industries. IOP Conf Ser Mater Sci Eng 271(1). IOP Publishing, Wuhan

Farrell M, Gallagher R (2015) The valuation implications of enterprise risk management maturity. J Risk Insur 82(3):625–657

Florio C, Leoni G (2017) Enterprise risk management and firm performance: The Italian case. Br Account Rev 49(1):56–74

Gordon C (1991) Governmental rationality: an introduction. Foucault Eff: Stud Govern 1:52

Gordon LA, Loeb MP, Tseng CY (2009) Enterprise risk management and firm performance: a contingency perspective. J Account Public Policy 28(4):301–327

Greuning HV, Brajovic-Bratanovic S (2022) Analyzing banking risk: a framework for assessing corporate governance and risk management. 3(2):1–12

Hashim NAAN, Nawi NMM, Bakar NA, Rahim MA, Yusoff AM, Mohd Halim MHM, Ramlee SIF, Remeli MR (2022) Factors influencing customer revisit intention to Mamak restaurants in Penang. Lect Notes Netw Syst 485:275–289

Hashim NAA, Yusoff AM, Awang Z, Aziz RC, Ramlee SIF, Bakar NA, Fatt BS (2019) The effect of domestic tourist perceived risk on revisit intention in Malaysia. Int J Innov Technol Explor Eng (IJITEE) 2(1):11–32

Hashim NAAN, Awang Z, Yusoff AM, Safri FHM, Fatt BS, Velayuthan SK, Novianti S (2020a) Validating the measuring instrument for determinants of tourist’s preferences toward revisit intention: a study of Genting highland. J Adv Res Dyn Cont Syst 12(2):51–72

Hashim NAAN, Aziz RC, Fahmie Ramlee SI, Zainuddin SA, Zain ENM, Awang Z, Muhamed Yusoff A (2020b) E-learning technology effectiveness in teaching and learning: analyzing the reliability and validity of instruments. IOP Conf Ser Mater Sci Eng 993(1):0120–96

Hillson D, Murray-Webster R (2017) Understanding and managing risk attitude. Routledge, London

Holmes D, Gastaldo D (2002) Nursing as means of governmentality. J Adv Nurs 38(6):557–565

Hopkin P (2018) Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers, London

Iqbal W, Fatima A, Yumei H, Abbas Q, Iram R (2020) Oil supply risk and affecting parameters associated with oil supplementation and disruption. J Clean Prod 255(1):231–355

ISO (2009a) ISO 31000:2009 Risk management—principles and guidelines. International Standards Organization, Geneva. https://www.iso.org/obp/ui/#iso:std:iso:31000:en. Accessed 18 Jan 2022

ISO (2009b) ISO Guide 73:2009 Risk management—vocabulary. International Standards Organization, Geneva. https://www.iso.org/standard/44651.html. Accessed 28 Jan 2022

ISO (2018) ISO 31000:2018 Risk management—guidelines. International Standards Organization, Geneva. https://www.iso.org/home.html. Accessed 28 Jan 2022

ISO (2019) IEC 31010:2019 Risk management—risk assessment techniques. International Standards Organization, Geneva. https://www.iso.org/standard/72140.html. Accessed 28 Jan 2022

Koval S (2021) Risk management in the sphere of wages. Univ Econ Bull 51:66–73

Kwak DW, Seo YJ, Mason R (2018) Investigating the relationship between supply chain innovation, risk management capabilities and competitive advantage in global supply chains. Int J Oper Prod Manag 25(1):31–55

Leo M, Sharma S, Maddulety K (2019) Machine learning in banking risk management: a literature review. Risks 7(1):29

Lyon D (2018) The culture of surveillance: Watching as a way of life. John Wiley & Sons, New York

Maran L, Bracci E, Funnell W (2016) Accounting and the management of power: Napoleon’s occupation of the commune of Ferrara (1796–1799). Crit Perspect Account 34:60–78. https://doi.org/10.1016/j.cpa.2015.10.008. http://www.sciencedirect.com/science/article/pii/S1045235415001082. Accessed 8 Jan 2022

Munir M, Jajja MSS, Chatha KA, Farooq S (2020) Supply chain risk management and operational performance: the enabling role of supply chain integration. Int J Prod Econ 227:107667

Nettleton S (1991) Wisdom, diligence and teeth: discursive practices and the creation of mothers. Sociol Health Illn 13(1):98–111

Nik Hashim NAA, Yusoff AM, Awang Z, Aziz RC, Ramlee SIF, Bakar NA, Noor MAM, Fatt BS (2019) The effect of domestic tourist perceived risk on revisit intention in Malaysia. Int J Innov Technol Explor Eng (IJITEE) 8(10):4591–4596

Omer MS (2019) Level of risk management practice in Malaysia construction industry from a knowledge-based perspective. J Archit Plan Constr Manag 9(1):33–41

Osman LH (2017) The pattern of inter-organizational level of connectivity, formal versus informal ties. Jurnal Komunikasi: Malaysian J Commun 33(1):59–79

Patwary AK, Mohamed M, Rabiul MK, Mehmood W, Ashraf MU, Adamu AA (2022a) Green purchasing behaviour of international tourists in Malaysia using green marketing tools: theory of planned behaviour perspective. Nankai Bus Rev Int 13(2):246–265

Patwary AK, Rasoolimanesh SM, Rabiul MK, Aziz RC, Hanafiah MH (2022b) Linking environmental knowledge, environmental responsibility, altruism, and intention toward green hotels through ecocentric and anthropocentric attitudes. Int J Contemp Hosp Manag (ahead-of-print) 34(12):4653–4673

Patwary AK, Yusof MFM, Simpong DB, Ab Ghaffar SF, Rahman MK (2022c) Examining proactive pro-environmental behaviour through green inclusive leadership and green human resource management: an empirical investigation among Malaysian hotel employees. J Hosp Tour Insights (ahead-of-print)

Patwary AK (2022) Examining environmentally responsible behaviour, environmental beliefs and conservation commitment of tourists: a path towards responsible consumption and production in tourism. Environ Sci Pollut Res 1–10

Poteat T, Millett GA, Nelson LE, Beyrer C (2020) Understanding COVID-19 risks and vulnerabilities among Black communities in America: the lethal force of syndemics. Ann Epidemiol 47:1–3

Rachidi H, Hamdaoui S, Merimi I, Bengourram J, Latrache H (2022) COVID-19: unbalanced management of occupational risks—case of the analysis of the chemical risk related to the use of disinfectants in the dairy industry in Morocco. Environ Sci Pollut Res 29(1):106–118

Rahman MK, Masud MM, Akhtar R, Hossain MM (2022) Impact of community participation on sustainable development of marine protected areas: assessment of ecotourism development. Int J Tour Res 23(6):1–11

Rodrigues F, Borges M, Rodrigues H (2020) Risk management in water supply networks: Aveiro case study. Environ Sci Pollut Res 27(5):4598–4611

Roos J, Von Krogh G (2016) Organizational epistemology. Springer, Berlin

Said NBM, Zainal HB, Din NBM, Zainuddin SAB, Abdullah TB (2020) Attitude, subjective norm, and perceived behavioural control as determinant of hibah giving intent in Malaysia. Int J Innov Creativity Change 10(10):61–70

Shah MAR, Rahman A, Chowdhury SH (2018) Challenges for achieving sustainable flood risk management. J Flood Risk Manag 11:S352–S358

Shanker R, Bhanugopan R, Van der Heijden BI, Farrell M (2017) Organizational climate for innovation and organizational performance: the mediating effect of innovative work behavior. J Vocat Behav 100:67–77

Sharif A, Saqib N, Dong K, Khan SAR (2022) Nexus between green technology innovation, green financing, and CO2 emissions in the G7 countries: the moderating role of social globalisation. Sustain Dev 14(1):70–121

Szymański P (2017) Risk management in construction projects. Procedia Eng 208:174–182

Wales WJ, Covin JG, Monsen E (2020) Entrepreneurial orientation: the necessity of a multilevel conceptualization. Strateg Entrep J 14(4):639–660

Wang C, Cheng Z, Yue XG, McAleer M (2020) Risk management of COVID-19 by universities in China. J Risk Financ Manag 13(2):36

Wang L, Cheng Y, Wang Z (2022) Risk management in sustainable supply chain: a knowledge map towards intellectual structure, logic diagram, and conceptual model. Environ Sci Pollut Res 29(2):66041–66067

Weatherburn CJ, Guthrie B, Dreischulte T, Morales DR (2020) Impact of medicines regulatory risk communications in the UK on prescribing and clinical outcomes: systematic review, time series analysis and meta-analysis. Br J Clin Pharmacol 86(4):698–710

Wijethilake C, Lama T (2019) Sustainability core values and sustainability risk management: moderating effects of top management commitment and stakeholder pressure. Bus Strateg Environ 28(1):143–154

Willumsen P, Oehmen J, Stingl V, Geraldi J (2019) Value creation through project risk management. Int J Project Manage 37(5):731–749

Wressell JA, Rasmussen B, Driscoll A (2018) Exploring the workplace violence risk profile for remote area nurses and the impact of organisational culture and risk management strategy. Collegian 25(6):601–606

Wu J, Xiong Y, Ge Y, Yuan W (2022) A sustainability assessment-based methodology for the prioritization of contaminated site risk management options. Environ Sci Pollut Res 29(5):7503–7513

Yagli I (2020) Bank competition, concentration and credit risk. Intelektinėekonomika 14(2):17–35

York JG, Vedula S, Lenox MJ (2018) It’s not easy building green: the impact of public policy, private actors, and regional logics on voluntary standards adoption. Acad Manag J 61(4):1492–1523

Zadeh HS, Weir T, Filinkov AI, Lord S (2021) Strategic risk management in practice. Data and Decision Sciences in Action 2: Proceedings of the ASOR/DORS Conference. Springer Nature, Berlin

Zainuddin SA, Hashim NAAN, Abdullah T, Mohamad SR, Anuar NIM, Deraman SNS, Awang Z (2020a) Risk management as governmentality in organization. Int J Eng Res Technol 13(12):4439–4449

Zainuddin SA, Hashim NAAN, Abdullah T, Uthamaputhran S, Nasir NAM, Said NM, Anuar NIM (2020b) Risk management: a review of recent philosophical perspectives. Palarch’s J Archaeol Egypt/Egyptology 17(9)

Zhou J, Bi G, Liu H, Fang Y, Hua Z (2018) Understanding employee competence, operational IS alignment, and organizational agility–an ambidexterity perspective. Inform Manag 55(6):695–708

Download references

We would like to thank the UMK FUND research grant for funding this study and publication (project code: UMK FUND R/FUND A0100/00685A/001/2020/00746).

Author information

Authors and affiliations.

Global Entrepreneurship, Research and Innovation Centre, Universiti Malaysia Kelantan, Kota Bharu, Kelantan, Malaysia

Siti Afiqah Zainuddin & Noorshella Che Nawi

Faculty of Entrepreneurship and Business, Universiti Malaysia Kelantan, Kota Bharu, Kelantan, Malaysia

Siti Afiqah Zainuddin, Noorul Azwin Md Nasir, Tahirah Abdullah & Noorshella Che Nawi

Universiti Malaysia Sabah (UMS), Sabah, Malaysia

Borhan Abdullah

Faculty of Hospitality, Tourism and Wellness, Universiti Malaysia Kelantan, Kota Bharu, Kelantan, Malaysia

Ataul Karim Patwary & Nik Alif Amri Nik Hashim


Contributions

Siti Afiqah Zainuddin: conceptualization and data analysis. Borhan Abdullah: idea generation and discussion. Noorul Azwin Md Nasir: final review. Tahirah Abdullah: literature review and editing. Noorshella Che Nawi: methodology and literature review. Ataul Karim Patwary: data screening and coding. Nik Alif Amri Nik Hashim: review and editing.

Corresponding author

Correspondence to Borhan Abdullah.

Ethics declarations

Competing interests.

The authors declare no competing interests.

Additional information

Responsible Editor: Arshian Sharif

Publisher's note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article

Zainuddin, S.A., Abdullah, B., Nasir, N.A.M. et al. Sustainable risk management practice in the organization: a Malaysian case study. Environ Sci Pollut Res 30, 24708–24717 (2023). https://doi.org/10.1007/s11356-022-23897-7


Received: 20 August 2022

Accepted: 25 October 2022

Published: 08 November 2022

Issue Date: February 2023

DOI: https://doi.org/10.1007/s11356-022-23897-7


  • Sustainable practices
  • Extended case study
  • Operational risk management
  • Phenomenology


Journal of Operational Risk

1744-6740 (print)

1755-2710 (online)

Editor-in-chief: Marcelo Cruz

Impact Factor: 0.645

First Published: March 2006


Operational risk: a forgotten case study

Patrick McConnell


Need to know

  • In 2003, ten large Wall Street banks were fined a record sum of $1.48 billion for publishing misleading information to investors during the ‘dot-com’ bubble.
  • Although not recognised at the time, these fines were precursors to later fines and regulatory actions in a number of large operational risk loss events (ORLEs), such as the mis-selling of mortgages and insurance and the manipulation of benchmarks.
  • Using Turner’s methodology, these events are studied as a forgotten case study of ‘conflicts of interest’ and ‘conduct risk’ in the banking sector.

In 2002, a number of US financial regulators and agencies, led by the Securities and Exchange Commission (SEC), imposed the largest fines up to that time on ten investment banks and broker/dealers for publishing misleading investor information. The fines and subsequent changes to these industry structures were named the Global Analysts Settlement (GAS), and the regulators’ remedies aimed to ensure that Chinese walls within investment banks were strictly enforced. This paper is a historical case study of the GAS scandal and the first to analyze it from the perspective of operational risk. In retrospect, the GAS case can be seen as an example of an operational risk loss event (ORLE) and, in particular, “conduct risk” (as it later became known). Subsequent events, such as the manipulation of the London interbank offered rate (Libor) and the mis-selling of mortgages and payment protection insurance (PPI), demonstrated that GAS was the precursor of much larger scandals. However, at the time of GAS, the thinking on operational risk management and capital was still being developed by the Basel Committee on Banking Supervision, and the implications of this particular scandal went largely unnoticed. Clearly, an opportunity to incorporate the lessons learned from the GAS case into wider thinking on operational risk was missed. Using Turner’s case study approach, this paper considers the GAS case from the perspective of operational risk, with a view to identifying the lessons to be learned from the scandal and then applied to future, large-scale operational risk events.

Copyright Infopro Digital Limited. All rights reserved.


Volume 13, Number 3 (September 2018)


COMMENTS

  1. ORM Case Studies and Standards

    Case Studies and Standards. The following resources are publicly available. These reading list items should be combined with the Operational Risk Management Certificate Handbook. Case Studies. Bankers Trust. Bankgesellschaft Berlin. Barings. China Aviation Oil. Fannie Mae and Freddie Mac.

  2. Chapter 18: Case Studies

    CHAPTER 18 Case Studies In this chapter, we dig deeper into four case studies: JPMorgan Whale, UBS Unauthorized Trading, Knight Capital Technology Glitch, and Standard Chartered Anti-Money Laundering Scandal. JPMORGAN … - Selection from Operational Risk Management: A Complete Guide to a Successful Operational Risk Framework [Book]

  3. The future of operational risk management

    April 13, 2020 | Article. New forces are creating new demands for operational-risk management in financial services. Breakthrough technology, increased data availability, and new business models and value chains are transforming the ways banks serve customers, interact with third parties, and operate internally.

  4. Boeing 737 MAX: An Operational Risk Case Study • Titan Grey

    Financial - Boeing has experienced catastrophic financial losses in the wake of the evolving 737 MAX situation, having posted a company record loss of $2.9 billion USD for Q2 2019. Its market capitalization, as of August 2019, has fallen by $62 billion USD, on the back of a 25% erosion in share price. Overall, the halt of sales and impending ...

  5. Operational Risk Management: A Case Study Approach to Effective

    Operational Risk Management offers peace of mind to business and government leaders who want their organizations to be ready for any contingency, no matter how extreme. This invaluable book is a preparatory resource for when times are good, and an emergency reference when times are bad. Operational Risk Management is destined to become every risk manager's ultimate weapon to help his or her ...

  6. Operational Risk Management: A Case Study Approach to Effective

    Operational risk management follows a case study approach to effective planning and response. The case studies have been categorized into (1) man-made accidents, (2) natural disasters, and (3) terrorist acts. This book is driven by the idea that identifying and learning from mistakes in the past can help minimize or even prevent losses in the ...

  7. Operational Risk Management

    Operational Risk Management Operational Risk Management: A Practical Approach to Intelligent Data Analysis Edited by Ron S. Kenett and Yossi Raanan ... 5 A case study of ETL for operational risks 79 Valerio Grossi and Andrea Romei 5.1 Introduction 79 5.2 ETL (Extract, Transform and Load) 81

  8. The Best Tool for Operational Risk Management

    The Bow-Tie Model. Good case studies can either be outsourced or written internally, based on public resources. One of the most popular and effective approaches to operational risk case studies is the bow-tie model, which (1) explains the underlying causes, motives, opportunities and means that are at the basis of the incident; (2) thoroughly ...

  9. Operational Risk Management

    Operational risk management : a case study approach to effective planning and response / Mark D. Abkowitz. p. cm. Includes index. ISBN 978--470-25698-5 (cloth) 1. Risk assessment. 2. Risk management. 3. Emergency management. I. Title. HD61.A23 2008 658.15 5-dc22 2007045583 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1

  10. Is Your Organization's Operational Risk Management ...

    Based on the thematic analysis conducted, the study shows that all four case companies are at a very early stage of risk management implementation. By using the information from the case study, the owners of the companies could realize their performance and position in risk management practice, which should guide them to develop their own policy and ...

  11. Federated Approach to Operational Risk Management

    After analyzing the situation, the company chose to implement a federated approach to Operational Risk Management (ORM), supported and enabled by a workflow-based ORM solution. The approach was designed such that each business unit would be able to conduct their own independent operational risk assessments, while at the same time, the results ...

  12. A Review of Case Study Method in Operations Management Research

    This article reviews the case study research in the operations management field. In this regard, the paper's key objective is to represent a general framework to design, develop, and conduct case study research for a future operations management research by critically reviewing relevant literature and offering insights into the use of case method in particular settings.

  13. PDF Operational Risk Management In Banking Activity

    presents the operational risk elements, the steps in the process of risk management, and the causes of operational risks. In a case study of a Romanian bank, prudential regulations in the field of operational risks and methods for calculating the minimum capital needed for operational risks are presented and highlighted.

  14. Extreme value theory for operational risk in insurance: a case study

    Abstract. This case study focuses on modeling the real, unique data set of 4245 operational risk claims of an anonymous Central and Eastern European insurance company from 2010 to 2018. We apply extreme value theory to build a more complex model, estimating losses from operational risk events using available historical claims.

  15. Operational Risk Management: A Case Study Of An Indian Commercial Bank

    The interview schedule investigates the problem on the basis of following operational risk management dimensions: • General Background of Operational Risk Function: This dimension tries to investigate general level of understanding of the operational risk management and the key operational risks being faced by the bank • Organisational ...

  16. Increasing Value and Resilience Through Project Risk Management: A Case

    Risk is an effect, in terms of a positive or negative deviation from expected outcomes, resulting from uncertainty (ISO 31000, 2018), that can affect economic performance, business continuity, reputation, and environmental and social outcomes of an organization. Risk management (RM) supports companies in achieving their goals, exploring new opportunities, and reducing potential losses in an ...

  17. (PDF) Operational Risk Management in Non-financial Institutions: Case

    The work aims to highlight the importance of managing operational risk in non-financial companies, as well as illustrate their actions against the inherent risk in operating activities. The aim ...

  18. (PDF) Operational Risk Implications; a Case Study of Locally

    The purpose of this study is to examine the implication of the operational risk in the locally incorporated European Bank in Malaysia. The environment of operational risk means that although it ...

  19. Sustainable risk management practice in the organization: a Malaysian

    Businesses are becoming more conscious of operational risk management practices due to the COVID-19 pandemic. However, some firms practice risk management without fully comprehending how it might help them and their needs. As a result, companies that practice risk management without realizing it are being controlled by the discipline itself. The goal of this study is to look into the epistemic ...

  20. Operational Risk Management: A Case Study Of An Indian Commercial Bank

    P. Onyango, E. Kalunda, F. Gatumo. Business, Economics. The University Journal. 2023. This paper addresses the ascendancy of operational risk on performance of investment banks in Kenya. The study adopts a mixed methods research design. The population of the study was drawn from….

  21. Operational risk: a forgotten case study

    This paper is a historical case study of the GAS scandal and the first to analyze it from the perspective of operational risk. In retrospect, the GAS case can be seen as an example of an operational risk loss event (ORLE) and, in particular, "conduct risk" (as it later became known). Subsequent events, such as the manipulation of the London ...

  22. Operational risk evaluation and mitigation for palm oil supply chain: a

    The objectives of the research were to model palm oil supply chain risk identification and to model its risk mitigation. Measurement of operational risk is required in an effort to improve the performance of the palm oil supply chain; the method used in the assessment of this type of risk is Failure Mode and Effect Analysis-House of Risk (FMEA-HOR ...

  23. Operational Risk Management: A Case Study Of An Indian Commercial Bank

    Operational Risk Management: A Case Study Of An Indian Commercial Bank. Abstract Operational risk in ordinary sense is the risk of losses arising to us when we don't perform our activities appropriately; rather conduct them in a bad or improper manner. Operational risk is not a recent phenomenon; it is being managed in the financial ...