Identifying specific risks isn't a one-off exercise undertaken every few years with the senior people - to succeed it must involve the entire organization and become part of its culture. The first steps are to identify, assess and prioritize.

Definitions of operational risk tend to be very generic. One definition is "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events." Firms therefore apply their own interpretation to this to come up with their own methods of classifying their risks. There is no right answer. What is important is that the classifications are relevant and clearly defined.

A number of factors explain why risk management has become so important. Risk is increasing, as capital markets become ever more volatile and change with alarming speed. At the same time, regulatory attention is increasing (particularly in the UK), which goes hand-in-hand with more onerous corporate governance requirements. As clients and consultants become more demanding, it is no longer enough for firms to say they manage risks. They have to be able to prove it. Meanwhile, senior management, which could be on the fiduciary hook for discipline or a fine, needs assurance that there are no hidden risks.

Investment firms are open to risk on many fronts:

* Business risk, as a result of developments in the external market.
* Crime risk, which can arise through theft, fraud, hacking or money laundering.
* Disaster risk, from fires or floods.
* Information technology risk, which involves the reliability, robustness and security of your systems.
* Legal risk, ranging from third-party disputes over a transaction to an employment legislation issue.
* Regulatory and reputational risk, leading to fines, increased fees, withdrawal of authorization and negative publicity.
* Systems and operations risk, which stems from breakdowns in business procedures, processes, systems or controls.

In developing risk management strategies, a company must first decide if it accepts a risk. If it does, there are a number of options: retain the risk (by planning for it or repricing); reduce the risk (by implementing or improving controls); transfer the risk (through insurance, hedging or outsourcing); or exploit the risk (by increasing the firm's exposure and repricing or redesigning).

Operational risk strategies yield many benefits.

* They tell the CEO whether or not the business is compliant.
* They show you what is going well and what is not, i.e. where you have to concentrate attention and resources.
* They keep people informed (internal and external, i.e. UK FRAG and Canadian S5900) by giving objective data on which to base observations and assertions.

In conclusion, risks are never static. As the environment changes, so do the risks that a firm faces, whether this is through internal factors such as staff moves or technology, or external factors such as industry developments, government regulation and competition. A risk assessment must be continuously revisited to ensure that risks remain manageable and that no new ones emerge.

Simply having good corporate governance is not enough. We need to ensure that all interested parties know how the firm is being run and that management is in control. Having an effective risk management system in place ensures that there is a structured way of looking at what risks the firm is facing and how much they might hurt. But the biggest risk of all is complacency and thinking that once you have identified the biggest risks and their relationships, you can relax and get on with other business. This is really only just the beginning.