OPERATIONAL RISK CONTROLS IN AN E-COMMERCE ENVIRONMENT
SYED ALAMDAR ALI
Aug 04 - 10, 2008
Going by conventional wisdom, one shouldn't fix a system when it isn't broken. The system should be able to be upgraded according to the enhanced requirements and quickly capture new customer data into or retrieve existing information from a database, thus allowing staff to spend less time creating or updating user profiles, and devote more time to selling loan products. The works of the vendor in this regard should be based on distributed computing, a programming model in which a set of computing instructions is processed at different points within a network. For example in a banking environment, if a customer walks into a branch and applies for a housing loan, the credit control department can immediately assess his credit-worthiness once a branch teller inputs the request. At the same time, the loan department can process the application while the trade finance department assesses whatever the customer has put up as collateral can be accepted. As a result, the branch tellers now require less time to process customers' requests, giving them more time to talk to the customers about new loan products that are available. However, due to the high speed and accuracy required the following operational risk controls should also be kept under consideration in an E-Commerce environment some of which have been explained in great details in FAA System Safety Hand Book 2000.
ACCEPT NO UNNECESSARY RISK: Unnecessary risk is that which carries no commensurate return in terms of benefits or opportunities. Everything involves risk. The most logical choices for accomplishing an operation are those that meet all requirements with the minimum acceptable risk. The corollary to this axiom is "accept necessary risk," required to successfully complete the operation or task. In a virtual environment as most of the documents are only electronically available therefore, it is quite advisable to use digital signatures or any other specific feature with the electronic document which can identify the source and destination and agreement on each document. The avoidance of such features my give rise to unnecessary risk of disowning on the part of either party!
MAKE RISK DECISIONS AT THE APPROPRIATE LEVEL: Anyone can make a risk decision. However, the appropriate decision-maker is the person who can allocate the resources to reduce or eliminate the risk and implement controls. The decision-maker must be authorized to accept levels of risk typical of the planned operation (i.e., loss of operational effectiveness, normal wear and tear on materiel). He should elevate decisions to the next level in the chain of management upon determining that those controls available to him will not reduce residual risk to an acceptable level.
ACCEPT RISK WHEN BENEFITS OUTWEIGH THE COSTS: All identified benefits should be compared against all identified costs. Even high-risk endeavors may be undertaken when there is clear knowledge that the sum of the benefits exceeds the sum of the costs. Balancing costs and benefits is a subjective process, and ultimately the balance may have to be arbitrarily determined by the appropriate decision-maker.
The risk management process operates on three levels. Although it would be preferable to perform an in-depth application of risk management for every operation or task, the time and resources may not always be available. The three levels are as follow:
TIME-CRITICAL: Time-critical risk management is an "on the run" mental or verbal review of the situation using the basic risk management process without necessarily recording the information. This time critical process of risk management is employed by personnel to consider risk while making decisions in a time-compressed situation. This level of risk management is used during the execution phase of training or operations as well as in planning and execution during crisis responses. It is also the most easily applied level of risk management in off-duty situations. It is particularly helpful for choosing the appropriate course of action when an unplanned event occurs during execution of a planned operation or daily routine.
DELIBERATE: Deliberate Risk Management is the application of the complete process. It primarily uses experience and brainstorming to identify risks, hazards and develops controls and is therefore most effective when done in a group. Examples of deliberate applications include the planning of upcoming operations, review of standard operating, maintenance, or training procedures, and damage control or disaster response planning.
STRATEGIC : This is the deliberate process with more thorough hazard identification and risk assessment involving research of available data, use of diagram and analysis tools, formal testing, or long term tracking of the risks associated with the system or operation (normally with assistance from technical experts). It is used to study the hazards and their associated risks in a complex operation or system, or one in which the hazards are not well understood. Examples of strategic applications include the long-term planning of complex operations, introduction of new equipment, materials and operational, development of tactics and training curricula, high risk facility construction, and major system overhaul or repair. Strategic risk management should be used on high priority or high visibility risks.
Risks are more easily assessed and managed in the planning stages. The later changes are made in the process of planning and executing an operation, the more expensive and time-consuming they will become. In order to accomplish this task in planning stage the following six steps should be performed:
1-IDENTIFY THE HAZARD: A hazard is defined as any real or potential condition that can cause degradation, injury, illness, death or damage to or loss of equipment or property. Experience, common sense, and specific analytical tools help identify risks.
2-ASSESS THE RISK: The assessment step is the application of quantitative and qualitative measures to determine the level of risk associated with specific hazards. This process defines the probability and severity of an accident that could result from the hazards based upon the exposure of humans or assets to the hazards.
3-ANALYZE RISK CONTROL MEASURES: Investigate specific strategies and tools that reduce, mitigate, or eliminate the risk. All risks have three components: probability of occurrence, severity of the hazard, and the exposure of people and equipment to the risk. Effective control measures reduce or eliminate at least one of these. The analysis must take into account the overall costs and benefits of remedial actions, providing alternative choices if possible.
4-MAKE CONTROL DECISIONS: Identify the appropriate decision-maker. That decision-maker must choose the best control or combination of controls, based on the analysis of step 3.
5-IMPLEMENT RISK CONTROLS: Management must formulate a plan for applying the controls that have been selected, and then provide the time, materials and personnel needed to put these measures in place.
6-SUPERVISE AND REVIEW: Once controls are in place, the process must be periodically reevaluated to ensure their effectiveness. Workers and managers at every level must fulfill their respective roles to assure that the controls are maintained over time. The risk management process continues throughout the life cycle of the system, mission or activity.
Operational risk management provides a logical and systematic means of identifying and controlling risk. It is not a complex process, but does require individuals to support and implement the basic principles on a continuing basis offering individuals and organizations a powerful tool for increasing effectiveness and reducing accidents. The ORM process is accessible to and usable by everyone in every conceivable setting or scenario.