- Operational risk refers to the potential losses resulting from a series of operational failures and weaknesses.
- Operational risk issues at Kenya Pipeline Company (KPC) led to the dismissal of the CEO and entire management team amid investigations into the disappearance of 21 million liters of fuel.
- New vulnerabilities have emerged in the field of cybersecurity and many companies entrust the management of cyber risks to specialists.
Poor operational risk management has been the root cause of the largest losses in many financial and non-financial businesses around the world. In Kenya, for example, more than 15 state-sponsored enterprises (SSEs) over the past two or three decades have collapsed.
Other big businesses, such as retailer Nakumatt, have been shuttered after struggling to repay suppliers, landlords and other creditors. Many of these failures were due to fraud and corruption and a lack of commitment to governance and risk management expertise at board and senior management levels.
Operational risk refers to the potential losses resulting from a series of operational failures and weaknesses. Such failures include accounting errors, inefficient or failing internal processes, operational execution errors, fraud, poor management, faulty controls, failures of people and systems, or external events. We discuss some of these operational risk issues below.
Haco Industries Company is a highly publicized operational risk fiasco. The CEO and CFO were found to have inflated revenues and profits to disguise their sluggish performance. They were fired for knowingly participating in a pre-billing earnings manipulation scheme that inflated their earnings to obtain hefty bonuses. Management defrauded the company of almost 9 billion shillings.
Operational risk issues at Kenya Pipeline Company (KPC) led to the dismissal of the CEO and entire management team amid investigations into the disappearance of 21 million liters of fuel worth around 2 billion shillings.
Operational risk issues included execution errors, oil spills, overpriced technology, inflated prices for the construction of the pipeline, overspending by the board of directors, bonuses and travel benefits. KPC was defrauded of 272 million shillings in the KPC Ngong forest land scandal in 2012.
Current Vice President William Ruto, Moi’s presidential aide Joshua Kulei and politician Sammy Mwaita have been accused of acquiring public land by fraud and then selling it to KPC (a parastatal).
The trio won the case on a technicality when KPC’s chief financial officer was unable to testify for his company. The government took over the land without compensating KPC for the fraud. As a result of the scam, KPC failed to recover the money from Ruto, Kulei and Mwaita.
The Kenya Power Company (KPLC) is currently reluctant to collapse due to a fraudulent and corrupt procurement process. For example, the fraudulent purchase of second-hand transformers just over five years ago continues to plunge the country into darkness at the most crucial moments.
For more than 40 years, the company has embarked on expansion projects that were, on the face of it, designed to provide Kenyans with energy solutions and quality, reliable service for a better life, including supporting the socio-economy of a resilient country. Instead, the projects became conduits of sleaze in the form of carrying out nonexistent feasibility studies for power dams.
For example, high-ranking officials and businessmen have devised mega-projects to deliberately collect bribes, such as the Turkwel. These bribes have disastrous consequences for the Kenyan economy due to the importance of energy in the functioning of industries, businesses and homes.
Legal and regulatory risks are special cases of operational risk. They arise for a variety of reasons and are closely related to reputational risk. For example, a counterparty may not have the legal or regulatory authority to engage in a risky transaction.
For example, the Capital Markets Authority (CMA) recently opened investigations into Cytonn High Yield Solutions (CHYS) and Cytonn Project Notes (CPN) investments worth 13.5 billion shillings.
The financial products of CHYS and CPN are investments considered outside the purview of the CMA and are only sold to high-risk purchasers. Investors in these fund categories are generally advised to invest wisely. The CMA only approves up to 100 investors in these products who would presumably be well aware of the risks involved.
Cytonn was marketing the CHYS and CPN funds as private placements to a closed group of a few knowledgeable investors. However, the court agreed with the CMA that Cytonn raised funds from 3,000 investors and therefore breached regulations that funds raised through private placements could only involve fewer than 100 people.
Operational risk also includes the risk of a cyberattack. New vulnerabilities have emerged in the field of cybersecurity and many companies entrust the management of cyber risks to specialists. For example, many Kenyan institutions use cloud service providers to innovate new services in a cost-effective way.
However, this deep, multi-layered and highly specialized supply chain exposes institutions to unknown cyber risks, threats and vulnerabilities.
The quarterly industry statistics report released by the Communications Authority of Kenya (CA) covering the period July-September 2020 indicated that there has been a sharp increase in cyber threats. Over the past year, threats have increased from 21 million incidents in Q1 2019 to 56 million in Q3 2020.
Operational risk crises can be surprisingly costly and potentially catastrophic. For example, stock prices can crash and institutions slip into oblivion due to operational risk events. Organizations in all industries can reduce their exposure by understanding the various types of operational risks they face and the extent of their potential losses.
Many companies will need to develop a more informed and systematic approach to operational risk management. In practice, the ability to properly measure and manage operational risk is often limited by the complexity of models and the lack of adequate technology to process internal and external market data.
As mentioned earlier, the impact of an operational risk crisis often far exceeds the actual direct loss. For example, it can be shown that the loss to an organization due to such emergencies pales in comparison to the possible loss to shareholders and stakeholders.
Organizations protect their shareholder value and stakeholder interests by preparing in advance to mitigate a risk environment that is becoming increasingly dangerous and costly.
Boards and senior management must help guide their companies toward operational resilience and value protection by embedding strategic risk management capabilities across the organization.
Given the current uncertain economic environment, paying more attention to measuring and managing operational risk in non-financial businesses is a critical success factor. Only a consistent, transparent and active operational risk management policy can help prevent more minor problems from becoming major problems.
Dr. Mark is Managing Partner at Black Diamond Risk Enterprises, sits on several boards, has led Treasury/Trading activities and was Chief Risk Officer at Tier 1 Banks.
Mr. Kingori is the founder of Fincap Risk Advisors.