During the COVID-19 pandemic, in addition to dealing with financial challenges such as a drop in assets or liquidity, organisations were faced with issues that go to the core of operational risk management - people, systems, processes and external environment.

Operational risk, defined by the Basel framework as arising from failures of processes, people, systems or external events, concerns itself with a broad range of threats, such as fraud, deliberate or accidental actions of employees, malfunctions of technological systems and broken processes.

Put simply, it encompasses damages and losses that organisations could sustain due to risks other than credit and market risks. Consequently, financial services firms are required to not only hold capital aside to guard against such operational risk losses, but most importantly, manage this wide-ranging risk effectively.

This is particularly important during the pandemic, where at times of multiple lockdowns, staff moved to working from home (WFH) environment, and many of the day-to-day processes and controls have undoubtedly changed. The primary mechanism for understanding the change in the risk and control landscape of the firm is reliance on each and every employee to recognise, report and manage operational risks.

So, what is risk and how can we help our employees to think about it? Without oversimplifying, risk is an intuitive concept, and we are taking risk-based decisions daily, perhaps without always realising it. Our internal compass guides us; risk takers welcome thrilling situations and engage in bungee jumping, mountain biking and skydiving. Risk-averse, conservative individuals stay as far away as possible from anything remotely threatening, take precautions and buy insurance.

Similarly, within a corporate environment, it is essential to find ways of inspiring employees to think and talk about risk, in as many ways as possible. Here are some suggestions:

Encourage staff members to proactively consider risks within their daily processes and activities. This can be achieved by exploring simple open questions, such as what could go wrong, or what might prevent you from achieving your objectives, or if you were building this process from scratch, what would you be concerned about. The intention is to talk about risk in language the employees can easily understand, even better without using the actual word risk itself.

Instil and promote a no-blame culture, supporting employees to raise their hand and speak up when things go wrong. This will enable the firm to quickly resolve the issues and prevent recurrence, and maintain a healthy, ‘no surprises’ environment.

Examine failures and conduct lessons learned. Inevitably, mistakes will happen. It is vital to constructively focus on lessons learned, bringing the attention to celebrating improvements made as a result of the error rather than pointing fingers. Right attitude creates a positive risk management brand, a cornerstone of robust risk management culture, which is even more important during the pandemic times.

Provide training and education. A combination of face-to-face and online modules with relevant examples that resonate with employees help to develop the right thinking.

Establish accountability. Risk management is the duty of each and every employee, and not just the risk department. Incorporating risk management into employee goals and performance objectives goes a long way to instilling the right risk culture of the organisation.

Organisations where employees practice risk thinking and take ownership of operational risk management are less likely to suffer damaging incidents. They also stand a better chance of dealing with them effectively if they do occur.

Any views, assumptions or opinions expressed in this article are those of the author.

Elena Pykhova, Executive operational risk, Bank of Valletta