Internal Risk vs External Risk

Explain the differences between internal risks and external risks, as they are used in operational risk management.

According to Basel II (2006) operational risk refers to the different types of risks that result or arise from inadequate, poor, or failed internal control processes, people, and systems as we as other external events. This definition illustrates what operational risk is, rather the definition does not pinpoint what operational risk is not. To a larger extent, the various definitions of operational risk provide a combination of events and effects or impacts, instead of providing the list of risks.

According to CIMA (2008), the operational risk does occur at any level or position within an organization. To cement this Blunden and Thirlwell argued that, operational is universal in nature and tends to be a risk that is involved in every single activity that takes place in the organization. There are various ways that can be used to control operational risk in an organization. The various categories in which operational risks can be classified include;

• business interruption
• errors or omissions by employees
• product failure
• health and safety
• failure of IT systems
• fraud
• loss of key people
• litigation
• loss of suppliers.

 

CIMA (2008) postulated that there are two ways in which operational risks can be identified, namely internal and external operational risk identification. Risk identification plays a paramount role in the management of risk because it allows us to pick the sources of risk, which can be people, process, and technology. All of which can be internal or external risks.

Techniques that can be used in risk identification include workshops for brainstorming, risk-based audits which involve intuitive assessments, risk assessment matrix, and risk ranking, risk reporting (CIMA: 2008). Risk registers, physical inspection, and incident investigation are also among the techniques that can be used in risk identification.

In addition to this, critical dependencies in people, processes, systems, and external structures can be used in the identification of risk. Having said this, we have to differentiate between the internal and external risk, however, we need to take note of the definition of operational risk management, because the definition highlighted that some internal and external risks can fall under operation risks.

Internal Risk

Internal risks are the types of risk that do arise from poor systems or poor performance by employees, lax internal control systems, that will lead to fraud, accidents in the production facilities, and operational inefficiency, as well as low-quality products. Since the definition of operational risk does not provide a precise definition, but rather the categories of where risks arise, these categories can be used in defining internal risks. Internal risk arises from people’s failure, failure in the process, failure in the system or controls, and information technology.

According to Popov et al, the internal risks have the potential to derail effective operations and can negatively affect the achievement of organizational objectives. In highlighting the differences, one would argue that the organization does have control over internal risks, and to a larger extent does not have control over the impact and likelihood of the external risks. As a result, management does have a direct influence on either the likelihood of occurrence or impact of internal risks.

External Risk

The last part of operational risk did highlight that, “other external events” which implies that, some external risks do fall under the operational risks. According to Beers (2020), the external risk is those risks that the organization does not have control over, and cannot easily predict their likelihood of occurrence or the actual impact to the organization, COVID-19 being a good example. Natural factors, economic factors, and political factors are among the sub-categories of external risk.

• Economic risk – refers to the wide economic risks, that do affect all the business with the economy, for instance, economic risk arising from the recession, or the changes in the oil prices, changes in the interest rates, and exchange rates.
• Political risk – The changes in the political environment in a country tend to pose external risks to the business environment, for instance, the pull out of the Paris Agreement on Climate Change (PDF) – NRDC by the former President of United State of America, had posed an external risk to the companies operating in the renewable energy. During his tenure, the trade war was the talk of the day, and these trade wars, lead to some business inconveniencing and posed greater risks on many Chinese companies like Huawei.
• Natural risk – these types of risks can be in the form of cyclones (Mozambique example), earthquakes (Japan example), veld fires in Brazil affecting the tourism industry. These are the types of risks that an organization might not have control of but do lead to the closure of the business. Popov also included hazards in the definition of external risks, to a larger extent, they include risks arising from terrorism, malicious activity in cyberspace, pandemics (COVID-19), transnational crime, and man-made accidents.

 

Conclusion

In classifying risks, it is important for the risk manager to take note that, classification of risk is usually general in nature, and risk managers should not narrow their classification trying to cover every risk, that the organization will be facing. Different types of risks tend to overlap, and it is important for risk managers to develop their own risk classification that will be tailored to the needs of the organization, taking into account that, not all risks are negative, and as such, some risks are desirable and important for the success of the company.

 

References

Bank for International Settlements, Basel II. 2006. International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version, June 2006.

CIMA. 2008. Operational Risk, Topic Gateway series No. 51. The Chartered Institute of Management Accountants 26 Chapter Street London SW1P 4NP United Kingdom

Georgi Popov, Bruce K. Lyon, Bruce Hollcroft. Risk assessment: a practical guide to assessing operational risks. John Wiley & Sons, Inc., 2016