Operational risks

Operational risks refer to the risk of loss due to incorrect or inappropriate internal processes and procedures, human errors, incorrect systems or external events, including legal risks.

Operational risks include the following main categories of risk:

  • Process risks, which arise due to process weaknesses, unclear distribution of responsibilities, shortcomings in internal control, etc.
  • Personnel risks, which arise from, for example, changes in personnel; weaknesses in project management, corporate culture and communication; errors by personnel; risks attributable to remuneration systems, etc.
  • IT/systemic risks, which arise due to shortcomings in IT systems, inadequate systems support, etc.
  • External risks, which arise in the event of criminal actions, shortcomings among suppliers, disasters, etc.
  • Legal risks, which arise, for example, when an agreement is not fully or partially enforceable, or from lawsuits, adverse judgements or other legal processes that disrupt or adversely impact the business. Legal risks also include compliance risk, which arises as a result of failure to comply with laws, rules, regulations, agreements, prescribed practices and ethical standards, and which can lead to current or future risks as regards earnings and capital.

Security risks are included in operational risks and refer to the risk of inadequate or incorrect internal processes or external events, including cyber-attacks or insufficient physical security, that can negatively affect the availability, integrity and confidentiality of information and communication systems or the information used to provide services.

The Group manages operational risks, for example, by applying a risk management framework that includes measures for risk identification, assessment, training, control and reporting. The focus is on managing significant risks by analysing and documenting processes and procedures and by applying risk-mitigating measures.

The Group’s processes have been mapped with controls to ensure that identified risks are managed and monitored effectively. The Group has a procedure for approving new or significant changes in existing products/services, markets, processes or other major changes in the business operations. The procedure is aimed at enabling the Group to effectively and efficiently manage risks that may arise in connection with, for example, new or significantly changed products or services.