Study tips: identifying operational and cyber risks


All businesses have to weigh up the opportunities that they have to succeed and be profitable against the inherent risks and uncertainties that just being in business entails. 

Risk comes from a wide variety of sources and sits on a sliding scale of manageability. Individual businesses only have limited influence over economic or political risks for instance. The vote for Brexit is an example of a political risk and the uncertainty that it has caused has resulted in changing economic conditions that pose economic risks.

Businesses can exert a degree of influence over political and economic risks through being members of organisations such as the CBI (Confederation of British Industry) or the FSB (Federation of Small Businesses). However, as these are examples of external risks, the ability to manage them is limited.

Risks that threaten the day-to-day running of an individual business are easier to assess and mitigate. These are known as operational risks. The generally accepted definition of operational risk was written by the Basel Committee on Banking Supervision. The committee defined operational risk as ‘the risk that deficiencies in information systems or internal processes, human errors, management failures or disruptions from external events will result in the reduction, deterioration or breakdown of services.’

Operational risks can be organised into a number of classifications:

  • Reputational – any kind of threat that could result in lost business due to the character or quality of a business being questioned or negatively perceived
  • Litigation – the likelihood that legal action may be taken against a business and the possible losses that could ensue
  • Process – possible losses resulting from a lack of or poorly designed processes
  • Systems – possible losses resulting from a lack of or poorly designed systems
  • People – possible losses or damage resulting from intentional or accidental human error
  • Events – possible losses or damage from one-off external events that are unlikely but could have serious consequences

Whilst most of the list is pretty self-explanatory, you may have read it and wondered what the difference is between a process and a system. By definition a system is made up of inter-connecting processes. If we think about a company that manufactures cars, there will be a process for making the engine, another for assembling the bodywork, another for fitting the interior and so on. When all the processes come together, you end up with a system for making a car.

One of the tricky issues with identifying risks is that within a given situation there is likely to be more than one risk to manage and often other ethical issues are at stake too. Let’s consider some hypothetical circumstances.

An accounting firm has three partners and offices in York on the banks of the River Ouse. One of the partners is being investigated by the National Crime Agency (NCA) for suspected money laundering as they failed to carry out Customer Due Diligence (CDD) checks on one of their clients, who has been charged under the Proceeds of Crime Act.

There are a whole number of issues here:

  • The partner has failed to uphold the fundamental principle of professional competence and due care by not conducting CDD.
  • They have also brought the profession into disrepute as their behaviour has resulted in a criminal investigation. Therefore the principle of professional behaviour has been breached too.
  • There may be self-interest and/or intimidation threats if the partner knew that the client was laundering proceeds of crime. However this is unclear and will be for the NCA to determine.
  • There were certainly inadequate safeguards in place. Money Laundering Regulations (MLR) impose a duty on firms to establish and maintain practices, policies and procedures to deter and detect activities relating to money laundering and terrorist financing. This did not happen.

Whilst all the above is important and relevant, if we are asked to identify the operational risks this is not what we need. Instead we need to analyse the situation into the specific areas of operational risks as follows:

  • Event risk – the location of the office on the river bank exposes it to the unlikely yet potentially serious risk of flooding if the river bursts its banks.
  • Process risk – inadequate processes have allowed a client to be taken on without proper CDD being undertaken.
  • People risk – the partner either deliberately or accidentally failed to carry out fundamental CDD.
  • Litigation risk – the firm will be held responsible for the breach in MLR and will have to face the legal consequences.
  • Reputational risk – a criminal investigation is likely to have a negative effect on the firm’s reputation that could result in loss of both existing and potential business.

Being able to clearly identify operational risks is a central activity to all organisations and key to running successful and sustainable businesses. Due to the nature of the accounting profession, accounting professionals not only need to understand the operational risks within their own businesses but also within their clients’, as they will be involved in identifying and assessing risks as well as implementing safeguards and controls to mitigate them.

Gill Myers is a self-employed accounts consultant. She has taught AAT qualifications since 2005 and written numerous articles and e-learning resources.