Article

How Can Enterprise Risk Management Help in Evaluating the Operational Risks for a Telecommunications Company?

by José Ruiz-Canela López 1,2
1 Department of Business and Strategy, CIS-Endicott International University, c/Velázquez, 140, 28006 Madrid, Spain
2 Department of Management, Rey Juan Carlos University, Paseo de los Artilleros, 38, 28032 Madrid, Spain
J. Risk Financial Manag. 2021, 14(3), 139; https://doi.org/10.3390/jrfm14030139
Submission received: 9 February 2021 / Revised: 14 March 2021 / Accepted: 19 March 2021 / Published: 23 March 2021
(This article belongs to the Section Risk)

Abstract

Operational risk is defined as the potential losses resulting from events caused by inadequate or failed processes, people, equipment, and systems or from external events. One of the most important challenges for the management of the company is to improve its results through its operational risk identification and evaluation. Most Enterprise Risk Management (ERM) scholarship has roots in the finance/risk management and insurance (RMI) discipline, mainly in the banking sector. This study proposes an innovative operational risk assessment methodology (OpRAM) to evaluate operational risks, focused on telecommunications companies (TELCOs), on the basis of an operational risk self-assessment (OpRSA) process and method. The OpRSA process evaluates operational risks through a quantitative analysis of estimates whose inputs are the economic impact and the probability of occurrence of events. The OpRSA method is the “engine” for calculating the economic risk impact, applying actuarial techniques, which allow estimation of unexpected loss and expected loss distributions in a TELCO. The results of the analyzed business unit in the field work were compared with standardized ratings (acceptable, manageable, critical, or catastrophic), and contrasted with the company’s managers, proving that the OpRSA framework is a reliable and useful management tool for the business, and leading to more research in other sectors where operational risk management is key for the company’s success.

1. Introduction

It is known that business organizations find their fundamental purpose through value creation for stakeholders, usually represented by their customers, shareowners, employees, shareholders, suppliers as well as by the social impact they produce (Krause and Tse 2016). A common aspect of organizations is that they face uncertainty in their strategic and operational decisions. ERM (Enterprise Risk Management), a basic reference of this research study, is a framework (COSO 2004; COSO 2017) that covers various risk types that organizations face (Karaca and Senol 2017). Beals et al. (2015) explain that ERM facilitates the awareness of risk factors, which helps management in making decisions. The focus of ERM is the deployment of a risk management process for the business, enabling the adoption of best practices with the stakeholders’ support. A key step of the risk management process is risk evaluation (COSO 2017).
Rubino (2018) explains that risk and uncertainty bring negative outcomes, as well as positive opportunities; in order to implement this philosophy within the company, events need to be identified and evaluated. The author also states that the published ERM frameworks have some limitations, such as the lack of risk evaluation techniques to be implemented in specific sectors. Accordingly, one of the most important challenges for the management of the company is to improve its results through its operational risk identification, evaluation, and management, operational risks being the most basic and common events for any business unit in an organization (Callahan and Soileau 2017). The most studied and tested experiences in the use of operational risk evaluation methods belong to the financial and insurance disciplines (Chernobai et al. 2007; McShane 2018), particularly the banking sector, through models such as Basel II (Basel Committee on Banking Supervision 2006, 2009). There is a lack of validated references in the telecommunications sector. In fact, while McShane et al. (2011) rely on the financial services industry to analyze good practices in risk evaluation techniques, Monda and Giorgino (2013) indicate the limitations of finding similar quantitative evaluation methods for other industries, such as telecommunications.
This paper seeks to address the aforementioned limitations. Its objective is to build a risk assessment methodology (based on a risk self-assessment process and method) to establish a reference for operational risk evaluation of companies in the telecommunications sector, enhancing their business results. Companies implementing risk management models based on ERM for risk evaluation achieve high financial results and receive the best evaluations from the market (Florio and Leoni 2017), which is related to the idea of “what you don't measure, it is difficult to know if it can be improved” (Ruiz-Canela López 2004).

1.1. ERM and the Value for the Shareholders

Among all the stakeholders, it is relevant to stress the importance of ERM in shaping shareholder value both in developed and developing economies. In their study of ERM program implementation for specific firms, Hoyt and Liebenberg (2011, 2015) found a positive correlation between firm value and the deployment of ERM. McShane et al. (2011) also found a positive association between Standard and Poor's ERM Quality rating and company value within the insurance industry. In the case of financial organizations, risk management has always played a central role based on shareholder value concepts (Dickinson 2001). Additionally, for non-financial firms a positive relationship was found between ERM and their values, even over the financial crisis period from 2001 to 2011 (Anton 2018). Bertinetti et al. (2013) found a positive statistical relation between ERM implementation and firm value, for both financial and non-financial industries. Manab and Ghazali (2013) conclude in their research that each type of organization, whether profit or non-profit, provides value for its stakeholders. They also find that risk management practices have an effect on shareholder value for certain risk management variables; for non-financial companies, which are less regulated than financial companies, almost all variables have an impact on shareholder value. Lechner and Gatzert's (2018) findings show that size, international diversification, and the industry sector (banking, insurance, and energy) positively impact the implementation of an ERM framework, leading to shareholder value creation. Furthermore, Gatzert and Martin (2015) conducted a comparative assessment of empirical evidence regarding the determinants of ERM and its value once implemented, which showed a relevant positive impact on corporate value and performance. Additionally, the research of Altuntas et al. (2020) reviews various studies to confirm the positive relationship between ERM adoption and value creation for firms, pointing out that their performance increases after ERM program implementation.

1.2. Literature Review

Starting with the literature review, in addition to the abovementioned sources and all references included in the rest of the sections, we must say that ERM began to take root in the late 1990s and has since created positive expectations for effective management and good corporate governance. However, as evidenced by research, such as the study of Fraser and Simkins (2016) applied to a best practice business case in risk management deployment, many companies belonging to different sectors still struggle with ERM implementation. Nevertheless, over the last two decades, the ERM approach has gained substantial momentum, and many firms have implemented risk management processes for risk identification, evaluation, and management. Despite the growing experience in practice, ERM frameworks have attracted little research attention compared to other disciplines. However, relevant literature on specific ERM-related issues has been developed and has inspired this study. In order to initially understand the overall context of this research, it has been necessary to review the following: one set of papers that examine the factors that influence ERM adoption (Beasley et al. 2005; Kleffner et al. 2003; and Liebenberg et al. 2003); other research works that study the effects of ERM adoption on performance (Beasley et al. 2008; and Gordon et al. 2009); as well as another cluster of papers that explores risk management practices in specific organizational settings (Mikes 2009; Wahlström 2009; and Woods 2009). As studied by Nocco and Stulz (2006), a carefully designed ERM approach can be a source of long-run competitive advantage through its effects at both a “macro” or company-wide level (i.e., enabling senior management to identify, measure, and manage to acceptable levels the risks faced by the firm) and “micro” or business-unit level (e.g., adding value by ensuring that relevant risks are efficiently evaluated by operating managers and employees throughout the company).
The discipline of operational risk management has been maturing for decades within the financial sector, supported by regulatory initiatives such as the Basel II Accord (Basel Committee on Banking Supervision 2006), and by business factors such as increasing competition, improved risk-based decision making and value creation for stakeholders. Major strides for this sector have been made in areas such as risk evaluation and loss data collection, in line with the main objective of Basel II, which is “to enhance the stability and soundness of the international banking system, in particular by strengthening risk management practices and developing significantly more risk-sensitive capital requirements” (Basel Committee on Banking Supervision 2006). Pakhchanyan (2016) performed a complete survey of operational risk management literature for financial institutions, which provides evidence of advanced techniques based on operational loss distributions for risk evaluation in the financial sector. The author also develops the operational risk concepts following the Basel framework, where the foundations are the operational loss data. Although financial risks are central to the business, every financial institution is also exposed to multiple non-financial risks which tend to be hard to evaluate, decreasing transparency in the activities of management. Successful financial institutions have a sophisticated understanding for evaluating their core financial risks (primarily, credit and market risks); however, these institutions also face operational risk exposures related to customers, information technology and processes, among others, defined as “non-traditional” risks in this sector. While non-traditional risks can have a real impact on the financial performance of an entity, they have been considered as incidental, and therefore denominated as non-financial risks.
The professionals in the financial units tend to be expert in evaluating the activities that generate the financial risks, but they are less knowledgeable about the non-financial risks, including operational risks (Brown et al. 2019). In fact, operational risk is not a new concept for financial institutions, as operational losses have been reflected in banks' balance sheets for many decades (Chernobai et al. 2007).
Another lesson learnt is that financial services organizations attribute considerable importance to benchmarking themselves against their peers only, instead of looking outside of their sector. For this reason, in order to gain knowledge and experience for enhancing performance and results, it is reasonable to build ERM models for other sectors and consider a business case or case study approach (Ashby 2008), which is the focus of this research. Therefore, it is recognized that despite these advances for the financial services, there should be relevant lessons to be learnt from other industry sectors such as manufacturing and energy production, or from others where knowledge about risk management is scarce, such as the telecommunications industry. One fundamental difference between the financial sector and other major industrial services is that financial factors, such as capital analysis, are better studied and modelled than risk management and evaluation in other industrial services, where operational events and losses are the result of multiple interrelating operational causes and events. Nevertheless, in every sector, financial and non-financial, loss prevention activities, such as risk evaluation, are needed for the success of firms; however, the literature review shows that most ERM studies for evaluating risks are focused on entities belonging to non-telecommunications sectors. Baxter et al. (2013) relied on the financial services industry to evaluate ERM operating performance; however, the samples of their studies were limited to firms within the financial and insurance sectors, which are not generalizable to other industries such as the telecommunications industry.
Prior economic and finance literature distinguishes financial from non-financial firms in concepts related to investment and regulation, which have implications for implementing risk assessment techniques: financial firms have been developing studies on financial leverage, profitability, and price-setting behavior, while non-financial firms have not developed this vast knowledge and research (Armstrong et al. 2016). Furthermore, as studied by Breden (2008), operational risk evaluation for non-financial firms is not an easy practice for the following reasons: (i) operational risk is highly context-dependent: it is concerned with the risk of loss resulting from the failure of systems, processes, people, and from external events, and all firms have different processes, systems and practices to face them; (ii) there is no static portfolio of operational risks: new challenges are showing up every day due to innovation and new technology (e.g., cyber risk); and (iii) there is no defined risk portfolio: while, for example, for an individual credit risk it is easy to identify the amount of exposure, for an operational risk (e.g., fraud or systems failure) it is very difficult to evaluate how great a firm's exposure might be. Nevertheless, research for non-financial industries is becoming more frequent, such as the study by Ibrahim and Esa (2017) for the construction industry, which offers an interesting approach for data collection and analysis that led the authors to conclude that ERM implementation has positive significance when applied in an organization to enhance firm performance in either financial or non-financial aspects. Wieczorek-Kosmala (2014) reviews why and how risk management issues grow in importance within both financial and non-financial firms. The main reason for this trend is the rapid dynamics and constant hardening of business operations.
An efficiently implemented risk management approach is helpful in overcoming obstacles and in providing organizations a competitive advantage over those companies that do not manage risk. ERM frameworks are usually perceived as procedures applicable to financial entities, because in the financial sector the excessive assumption of risk is the main concern, and the regulatory bodies address the issue of capital adequacy by providing clear evaluation methods that the financial institutions are expected to meet (Basel Committee on Banking Supervision 2006). However, ERM and its associated methodologies should be implemented in any type of organization, regardless of its sector.
Additionally, continuing with the literature review of reference papers, research based on case studies and best practices on ERM has proven to be an efficient approach (Woods 2009; Fraser et al. 2014), not only for the risk management discipline but also for related subjects such as sustainability (Forcadell and Aracil 2019). Ching and Colombo (2015) also base their research on case studies for analyzing the behavior patterns in the adoption of risk management practices by the companies surveyed, as well as for moving towards a convergence between theoretical practices and those adopted by the firms in a diversity of industry segments.
Within every national economy, the companies in the telecommunications sector stand out as a specific segment of the service sector characterized by increasing competitive challenges and exploration of new opportunities for generating innovative networks and services, which lead these companies to redefine their role in the market as well as to create new business models for new sources of profit, based on ERM frameworks and tools (Wu et al. 2011). In fact, the type of services provided by large telecommunications services companies, which are very capital intensive and somewhat intangible compared to physical products, makes it necessary for them to pay attention to ERM, from risk identification and risk evaluation to selection and implementation of the appropriate risk management methodology. This is key for protecting the company's property and profit by decreasing potential losses. An interesting study for telecommunications business operations was developed by Dos Santos et al. (2005), where the concept of service level assessment is explained, which is a theoretical concept related to operational risk evaluation. Arena et al. (2010) used a case study of a provider of a wide range of telecommunications services to highlight the importance of using risk self-assessment and scenario analysis for helping organizations in linking risk management with business strategy and objective-setting for the business decision making process. Gandini et al. (2014) develop an empirical investigation on sustainable development for telecommunications companies, which depends on the ability to manage risks in a responsible way. The literature reveals that risks in the telecommunications domain are complex to evaluate due to the lack of methodologies for predicting emerging threats to the services, and this is costing telecommunication operators billions of dollars (Yesuf 2017).
One main reason for this loss may be that little emphasis is given to the important step of the risk evaluation process, unlike other sectors where there is much more research and experience in risk assessment approaches. Foto et al. (2018) use a case study for risk management in the telecommunication industry. They reviewed the advantages and disadvantages of financial risk management in the telecommunications industry. The study included an assessment of financial risk management practices for the industry based on reliable data and statistical research. There are recent studies (e.g., Sehrawat 2019) that examine the nature and strategies of risk management in large telecom companies such as Nokia, where general and theoretical patterns and drivers for risk management are described to ascertain how the company's strategy is managing risk. They describe the “what needs to be done” but leave for future research the “how to implement ERM”, in particular the way to evaluate operational risks. Kozarevic and Besic (2015) describe the efficiency of existing procedures for risk management and the possibility of improving the existing situation in the telecommunications sector, using the case study methodology for the “BH Telecom” company. Their paper develops the specificities of risk management in telecommunications services, including a risk classification and a brief general description of methods based on the postulates of statistics and actuarial mathematics (through a theoretical model and questionnaires) for this sector, highlighting the importance of measures for loss reduction of perils and risks. They conclude that it is necessary to provide constant evaluation of a company's risks to understand their impact and probability of occurrence for every operational risk.
Continuing with the literature review, the methodology of this research considers various concepts studied by Renn (2008) such as: (i) the definition of risk, which contains three elements: outcomes that have an impact, likelihood of occurrence, and the specific context in which the event may materialize; (ii) the scope of negative effects about the undesirable outcomes; (iii) the conceptualization of uncertainty for qualifying or quantifying (evaluating) the risks; and (iv) the rule of aggregation for practical conclusions of risk impact and probability of occurrence. Several authors support in their studies the use of actuarial analysis (Cohen 1996), probabilistic risk assessment and scenario techniques (Bedford and Cooke 2001) in an attempt to predict risk impacts and likelihood, loss-probability functions for showing distributions of information gathered in the interviews with managers (Kolluru 1995), and data aggregation through Monte Carlo simulations (Forester et al. 2006). Operational risk quantification can be based on the extreme value theory (EVT) (Embrechts et al. 1997), applied in such a way that the tail of the operating loss distribution (the distribution of losses estimated for a value-adding process using a statistical method) is fitted separately by fat-tail distributions, such as the Weibull distribution, whereas the empirical distribution is used for the lower part of the loss distribution. Additionally, Diebold et al. (2000) review and study the applicability of extreme value theory to risk management as well as the Value at Risk (the cumulative value of the operating losses at a specific confidence level and for a specific period) and threshold (the value of loss in the distribution that separates losses using the EVT) concepts. In accordance with the indications of Barton et al. (2012), ERM and risk evaluation cannot be stagnant; they should be organic and alive.
To be consistent with this recommendation, the methodology considers a unique data set obtained from management through surveys and interviews, in order to estimate the variables for the loss distribution. The use of qualitative data that are collected and then quantitatively analyzed is becoming most natural in recent research (Saleem et al. 2019), where the process of analysis is based on the distribution of questionnaires, with the resulting data expressed as statistical figures and treated with the statistical tools needed to test the hypotheses or to build risk management methodologies. In fact, surveying top/middle managers through questionnaires to obtain data related to operational risk evaluation is considered a best practice (Beasley et al. 2005). Furthermore, one of the most useful approaches for establishing a framework for operational risk uses the technique of control self-assessment (Wade and Wynne 1999). In this, a questionnaire or series of workshops is used to identify and evaluate relevant risks for the firm by asking the responsible parties within the company to subjectively assess various parts of the organization and its characteristics. In order to implement the control self-assessment (CSA) framework, the identification of events is needed for every business unit within the organization. For each event category, specific questions are answered to gain insight into the associated risks and their severity and probability of occurrence. As explained by Jacobus (2015), control self-assessment, the basic element for a risk self-assessment (RSA) approach, is at the core of ERM as a process and method to engage management and employees in evaluating risks; it also drives the growth of risk and control ownership among the employees. Finally, an important aspect is that the accuracy of risk evaluation methods depends on the soundness of the risk model and the availability of data.
The appropriateness of those risk models, such as ERM, is inherently linked to data availability and the impact and probability of occurrence of events. Whatever methodology is chosen, the firm needs to understand the likelihood and potential impact of the risks that it faces (Breden 2008). Furthermore, the accuracy of risk evaluation methods depends on the measurability of outcomes and understanding of effects (Muermann and Oktem 2003).
Blanco-Mesa et al. (2019) conclude that ERM implementation is important in large companies, where the control measures to be implemented for risk evaluation are key for the management team. The executives need to prioritize risk management efforts, including the use of methodology and tools for evaluating and treating the information to improve the decision-making process in uncertain contexts. Furthermore, the lack of a clear understanding of the alignment between the firm's ERM programs and the industry's ERM frameworks, as well as the lack of vast literature, may limit the development and implementation of ERM, including operational risk evaluation systems for financial and non-financial firms. Karanja (2016) explains the two main industry-sanctioned ERM models, COSO and ISO 31000, that firms refer to when implementing ERM approaches. Further details are included and described in the next section, as these frameworks are the essential pillars on which this research is based from the methodological point of view.
The article is organized as follows. After Section 1 (Introduction, including literature review), in Section 2 (Materials and Methods) we present and explain the methodology we propose and we define operational risk, a list of main ERM frameworks, and a description of the chosen one to support risk evaluation. In Section 3 and Section 4 (Results and Discussion) we provide the output of the study, the methodology for evaluating operational risks for a TELCO (Telecommunications Company) and the results analysis for the TELCO and their interpretation. Finally, Section 5 presents some conclusions, where we include a summary of findings, implications for researchers and practitioners, future research directions as well as the limitations of the study.

2. Materials and Methods

In order to understand the methodology of this research, it is important to consider that the main objective of this study is precisely to build, describe, and apply an operational risk assessment methodology (OpRAM) for evaluating operational risks in a telecommunications company, based on two interrelated components: an operational risk self-assessment process (OpRSA process) and an operational risk self-assessment method (OpRSA method). Both components were built, illustrated, and analyzed using a case study approach (e.g., Ashby 2008; Ching and Colombo 2015; Forcadell and Aracil 2019; Foto et al. 2018; Fraser et al. 2014; and Woods 2009) applied to a specific TELCO company (hereinafter named “TELCO”). The TELCO is a global telecommunications company listed in Lima, Madrid, and New York. It is one of the largest telephone operators and mobile network providers in the world. It provides fixed and mobile telephony, broadband and subscription television in Europe and in America, operating in 12 countries and with presence in 24, with an average of 115,000 employees, revenues of 350+ million euros, and 280+ million accesses (customers). The TELCO's risk management approach, under continuous development and improvement, is COSO, and the reasons for ERM adoption include: legal and market requirements, corporate governance and internal controls reinforcement, as well as good practices deployment. The specific scope of the field work applied to TELCO, which supports the results and conclusions of this research, is defined in the first step of the OpRSA process.

2.1. Methodology

For the OpRSA process, the methodology is based on COSO ERM (COSO 2004) components (in particular, the event identification and risk assessment ones). The sub-section “Operational Risks. ERM Standards and Frameworks” analyzes this methodological approach. Risk identification and evaluation workshops, semi-structured interviews and brainstorming were the risk assessment tools for building the OpRSA process, as a means of collecting a broad set of ideas, which were ranked by the team of the TELCO. Two inputs were considered to initiate the construction of the OpRSA process. The first was the definition of operational risks for a TELCO, together with the prior identification of its main events (Renn 2008). This definition was done by the TELCO's management team considering the concepts defined in COSO (2004), and by benchmarking the experiences of the financial and banking sector; in this case the definition of operational risk included in Basel II (Basel Committee on Banking Supervision 2006) was chosen in order to create a common language within the organization to implement an ERM framework. The risk typology to classify and identify all operational failures or possible loss events, which are inputs for this study, was articulated through interviews and brainstorming sessions with the managers of different areas of the TELCO, which led to an event identification model (Gandini et al. 2014; and Kozarevic and Besic 2015). It includes the following 9 risk types: (1) end customer and sale of products and services; (2) poor quality/interruption of service; (3) failures/damage to assets (equipment, networks, systems, facilities, buildings); (4) suppliers, counterparties, contractors and other agents; (5) processes; (6) breach of/non-compliance with laws and standards; (7) fraud and unauthorized activities; (8) employment practices and on-the-job safety; and (9) harm to environment or to third parties. Both the COSO framework and the ISO 31000 standard include this identification step.
The second component of the methodology is the evaluation of the operational risks in the following way. For the OpRSA method, once the risks had been identified, detailed facilitated workshops were conducted with top/middle managers to gather the required information, considering the best practice of surveying through questionnaires. The survey instrument, based on the control self-assessment method, provided the key inputs for structuring the OpRSA method defined in this research. The main data was collected from managers who were considered knowledgeable and reliable informants about the risk evaluation process inputs (event impact and likelihood). For every organizational unit under the scope of the TELCO case study, a quantitative analysis of subjective estimates was performed, whose inputs are the economic impact and the probability of occurrence of every event, for calculating expected losses, unexpected losses and rating classes for risk evaluation, applying robust actuarial techniques based on scenario analysis. The statistical concepts previously reviewed in the literature were implemented to build the OpRSA method, where additional references are included.
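The quantitative step described above, in which each event's estimated probability of occurrence and economic impact are turned into expected and unexpected losses, can be illustrated as follows. This is an added example, not the paper's OpRSA method: it assumes independent events that occur at most once per year with a fixed impact, enumerates every scenario exactly instead of simulating, and uses constructed figures; the function names and the 99.9% confidence level are assumptions.

```python
from itertools import product

# Constructed manager estimates: (risk type, annual probability, impact in EUR).
# The labels follow the nine risk types listed above; every figure is invented.
ESTIMATES = [
    ("end customer and sale of products and services", 0.20, 400_000),
    ("poor quality/interruption of service", 0.10, 1_500_000),
    ("failures/damage to assets", 0.05, 3_000_000),
    ("suppliers, counterparties, contractors and other agents", 0.08, 600_000),
    ("processes", 0.25, 200_000),
    ("breach of/non-compliance with laws and standards", 0.03, 2_000_000),
    ("fraud and unauthorized activities", 0.02, 5_000_000),
    ("employment practices and on-the-job safety", 0.04, 800_000),
    ("harm to environment or to third parties", 0.01, 4_000_000),
]


def validate(estimates):
    """Reject estimates that cannot be probabilities or losses."""
    for name, prob, impact in estimates:
        if not 0.0 <= prob <= 1.0:
            raise ValueError(f"{name}: probability {prob} is outside [0, 1]")
        if impact < 0:
            raise ValueError(f"{name}: impact {impact} is negative")


def loss_distribution(estimates):
    """Exact aggregate annual loss distribution as sorted (loss, probability) pairs.

    Every combination of 'event occurred / did not occur' is one scenario;
    scenarios with the same total loss are merged.
    """
    validate(estimates)
    dist = {}
    for outcome in product((False, True), repeat=len(estimates)):
        prob, loss = 1.0, 0
        for occurred, (_, p, impact) in zip(outcome, estimates):
            prob *= p if occurred else 1.0 - p
            if occurred:
                loss += impact
        dist[loss] = dist.get(loss, 0.0) + prob
    return sorted(dist.items())


def expected_loss(dist):
    """Mean of the aggregate loss distribution."""
    return sum(loss * prob for loss, prob in dist)


def value_at_risk(dist, confidence):
    """Smallest loss L with P(loss <= L) >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    cumulative = 0.0
    for loss, prob in dist:
        cumulative += prob
        if cumulative >= confidence - 1e-12:  # tolerance for float rounding
            return loss
    return dist[-1][0]


def unexpected_loss(dist, confidence):
    """Loss beyond the expected loss at the chosen confidence level."""
    return value_at_risk(dist, confidence) - expected_loss(dist)


def summarize(estimates, confidence=0.999):
    """Expected loss, Value at Risk and unexpected loss for one business unit."""
    dist = loss_distribution(estimates)
    el = expected_loss(dist)
    var = value_at_risk(dist, confidence)
    return {
        "scenarios": 2 ** len(estimates),
        "expected_loss": el,
        "value_at_risk": var,
        "unexpected_loss": var - el,
    }


if __name__ == "__main__":
    for key, value in summarize(ESTIMATES).items():
        print(f"{key}: {value:,.0f}")
```

With nine events the enumeration covers 512 scenarios; for many more events, or for impacts drawn from a severity distribution, simulation would replace the exact enumeration.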

2.2. Operational Risks: ERM Standards and Frameworks

Some useful definitions of risk are: “risk is the possibility that events will occur and affect the achievement of objectives” (COSO 2017) and “risk is the effect of uncertainty on objectives and an effect is a positive or negative deviation from what is expected” (ISO 31000 2009). Basel II Agreements of July 2004 define operational risk as “potential losses resulting from events caused by inadequate or failed processes, people, equipment and systems or from external events” (Basel Committee on Banking Supervision 2006). There are a number of standards and frameworks to guide companies in their implementation of ERM. Some of them are mentioned by Lundqvist (2014) and Perera (2019): COSO, ISO 31000, the joint Australia/New Zealand 4360-2004 standards, the Turnbull guidance, the Casualty Actuarial Society framework, the International Association of Insurance Supervisors framework, COBIT for Information Technology, Standard and Poor's ERM framework, and Basel II. The most frequently mentioned, and particularly used for risk evaluation in this study, are COSO's ERM integrated frameworks (COSO 2004 or COSO II; COSO 2017 or COSO IV) and ISO 31000 standards (ISO 31000 2009; ISO 31000 2018).
The reference model used for risk evaluation in this study is COSO II for two reasons: (i) it includes all the key elements for building a risk assessment methodology (process orientation, effected by people of an organization and strategically related to a top management approach, designed to manage potential events within its risk appetite, i.e., the value of resources that the organization is willing to put at risk, and goal oriented). This is evident in this framework's definition of Enterprise Risk Management as “a process, affected by an entity´s board of directors, management, and other personnel, applied to strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO 2004); and (ii) the prior existence of a COSO-based internal control framework for assessing the TELCO's risk map that was already in place and known in the organization and that was intended to be developed and improved to allow economic quantification of risks.
ISO 31000 (2009), as shown in Figure 1, develops a risk management process which “involves the systematic application of policies, procedures and practices of communicating and consulting, establishing the context and assessing, monitoring, and reviewing risk”.
ISO 31000 implementation for risk management implies an in-depth understanding of all the concepts detailed in the standard by the managers involved in a risk evaluation process and method (e.g., risk analysis, risk evaluation, risk assessment, risk treatment, and the interrelation among them), and for this reason ISO 31000 was not considered a practical approach for the objectives of this study. In summary, ISO 31000 (2009) does not create challenges for those who use language and approaches that are unique to their area of work but different from this standard (Purdy 2010). Furthermore, as studied by Lalonde and Boiral (2012), in managing risks through ISO 31000, managers must question their own assumptions in the implementation of such a standard, and consider the specificities of their organizational environment while being vigilant in its monitoring, a hard task for people who are not subject matter experts on standards deployment. COSO is quite well adapted to the global market, as well as to its organizations, while ISO 31000 standard works better for companies that have ISO 9001 (2015) quality certification (Dias 2017). Nevertheless, standards such as ISO/IEC 31010 (2009) help in applying risk assessment techniques.
COSO II provides a practical approach for risk evaluation. Moeller (2007) is a good reference for a clear understanding of the COSO II framework. The COSO II framework (COSO 2004), which supports this research and is depicted in Figure 2, presents eight components of ERM: (i) the internal environment sets the tone of an organization and its philosophy of risk management and risk appetite; (ii) objective setting aligned with the organization's strategy and consistent with its risk appetite; (iii) event identification of all risks, where operational risks are relevant for the business; (iv) risk assessment, the main component for this study, to consider the extent to which potential events may affect a company's ability to achieve its objectives; (v) risk response for avoiding, accepting, reducing, or sharing risk; (vi) control activities to ensure that risk responses are carried out; (vii) information and communication to link together each of the other components; and (viii) monitoring for the framework to work effectively on a continuous basis. It also has four categories of objectives: strategic, operations (where operational risks need to be evaluated), reporting, and compliance with laws and regulations.
COSO IV, which is the latest version of this framework, places more emphasis on how ERM links strategy, risk, and performance, but it does not add to COSO II any relevant aspect for risk evaluation purposes.

3. Results

The main result of this study is the building, description, and application of an operational risk assessment methodology (OpRAM) which has two components: an operational risk self-assessment process (OpRSA process) and an operational risk self-assessment method (OpRSA method), for evaluating operational risks in a telecommunications company (TELCO). The OpRAM development is based on the use of data collection analysis (Saleem et al. 2019; and Ibrahim and Esa 2017), through questionnaires (Beasley et al. 2005) responded by managers of the TELCO, statistical techniques on operational loss distributions (Pakhchanyan 2016), risk assessment tools (ISO/IEC 31010 2009), as well as the application of control and risk self-assessment approaches (Jacobus 2015; and Wade and Wynne 1999), actuarial analysis (Cohen 1996), probabilistic risk assessment and scenario techniques (Bedford and Cooke 2001), Basel II recommendations (Basel Committee on Banking Supervision 2006), and COSO and ISO 31000 frameworks (Karanja 2016), among other theories referenced in the following sections.
The risk assessment methodology is based on the identification of the various operational event categories already in place in the TELCO, and it is grounded in the following factors: (i) the belief that the OpRAM is particularly appropriate to an environment of fast-paced business, organizational, and technological changes, because the predictive perspective of the scenario analysis allows such changes to be included immediately in the measurement of risks, whereas in a model based on historical loss data, there would be some delay (2–3 years); and (ii) the existence of operational risk management methodologies in enterprises of similar characteristics and size to the TELCO (for example, in the banking sector, based on Basel Models) (Basel Committee on Banking Supervision 2006, 2009).
The main characteristics of the OpRAM are: (i) involvement of the business units (BUs) in the economic quantification of the risk, following the OpRSA process through estimates of the average economic impact and probability of occurrence of each of the operational events; and (ii) calculation of the economic impact of the risk, applying robust actuarial techniques (OpRSA method) based on scenario analysis (Fraser and Simkins 2016), which reflect the risk appetite of each BU analyzed and provide reliability and credibility and, consequently, support the use of the risk measurement for making decisions (Wu et al. 2011).

3.1. Operational Risk Self-Assessment Process

The concept of the risk self-assessment process is based on the process of control self-assessment (Arena et al. 2010), which helps in identifying, analyzing, and mitigating risks through cooperative problem solving (Hubbard 2005). The operational risk self-assessment process (OpRSA process) is articulated in six phases, as shown in Figure 3.

3.1.1. Definition of the Scope of the OpRSA Process

The activities of this phase are the definition of the approach, top-down (top/middle management involved) vs. bottom-up (operational staff); and integral (whole organization) vs. partial (the relevant units of the TELCO in terms of potential losses). The identification of the organizational units to be evaluated is decided in this phase. The nature of the different types of operational events makes it necessary for their assessment to be done in a single session with the participation of all the people in the BU with responsibility and knowledge for estimating the inputs of the OpRSA method (mean frequency, mean severity, and worst case).
For the TELCO field study, a top-down and partial approach has been analyzed, looking for the management commitment and faster implementation of the OpRSA process as well as for being focused on the main BU and segment which generates most of the operational events in the company. In line with the partial approach, the scope of the field study analyzes the Residential segment of the Fixed Line BU of the TELCO.

3.1.2. Adjustment and Parametrization of the OpRSA Method

The objectives of this phase are the creation of the questionnaires, the definitions of the risk thresholds (cut-offs) and assessment ranges (rating classes), and the setting and parametrization of the calculation engine embedded in the OpRSA method and supported by the OpRSA SW (a TELCO´s internal software for managing data). The core element is the questionnaire, which must be designed for each organizational unit, where the event is the driving element. The questionnaires are composed of a number of questions that are put to the managers, who must respond for each type of event regarding the estimates. The OpRSA method allows an estimate of the economic impact of the risk being evaluated and expressed in terms of expected loss (EL) and unexpected loss (UL). The EL is what the TELCO expects to lose in the specified time period. The UL is what the TELCO could lose if an unexpected event happens in the BU.
The risk thresholds, which are needed to identify the risk levels (rating classes), are an expression of the risk appetite of the TELCO. The objective of the rating process is to associate the risk type to a specific rating class. Since it is difficult to obtain an exact risk measure, it is useful to work with a low number of rating classes. Based on the economic acceptability of certain levels of UL, three risk thresholds have been defined to establish four rating classes: rating A acceptable (best situation with minimum risk of operational losses), rating B manageable (non-worrisome risk of loss, first sign of alert), rating C critical (problematic situation where a deeper analysis should be performed to evaluate the opportunity of mitigating actions), and rating D catastrophic (very critical situation which needs an immediate mitigating action). The use of ranges to measure risks is described by Hargreaves (2010). When defining risk thresholds, these may be fixed in two ways: (i) direct identification of an economic sum that is representative of the organizational unit. This amount represents the absolute economic “unexpected losses” related to the BU´s risk appetite; and (ii) exposure indicator, which is the parameter that best represents the BU´s activity in order to define the limit points that mark the different ranges or thresholds. The exposure indicator is basic to provide aggregated information regarding the size of the BU under analysis, but it should also be a proxy of the effective operational riskiness of the BU, since only such a driver would allow a meaningful normalization of unexpected loss (UL). More precisely, since the objective of the analysis is the single question (i.e., a single event), UL should be compared to a monetary indicator considered meaningful and able to express the exposure of the BU for that specific operational loss event. 
Another relevant aspect in the choice of the exposure indicator is related to its availability in the management information system. For these reasons, accounting indicators are typically used; more specifically P&L (Profit and Loss) measures, since they are particularly good in expressing size and exposure characterizing the operations within a time horizon. Main options for exposure indicators are “gross margin”, “OIBDA” (Operative Income Before Depreciations and Amortizations), “gross revenue”, and “total costs”. The chosen indicator should be a representative and reliable measure of the “operational volumes” expected for the next year. Following this, an exposure indicator (EI) needs to be defined for every BU. In general, this indicator shows the size of the organizational unit and the risk thresholds are identified by fixing cutoffs (percentages) over these indicators. This normalized measure of unexpected loss (UL), expressed as a risk indicator ratio (UL/EI), makes it possible to create a common scale for all the BUs and define “universal” thresholds based on this ratio. For this reason, as explained before, the EI is a proxy of the effective operational riskiness of the organizational unit, since it is a driver that allows a meaningful normalization of the UL. Figure 4 shows an illustration of risk thresholds, expressed in terms of exposure indicator ratio (UL/EI).
The risk thresholds based on the OpRSA method used in this study were supported by the finance department of the TELCO and were validated with the managers of the different organizational units. The risk thresholds of the different BUs were established using two exposure indicators, the trade margin for units with income statements and the operating expenses for the rest of the units. The percentages established in the TELCO for the two exposure indicators are presented in Table 1.
As an example, if a BU has a target trade margin of €1000 Million (MM), its thresholds would be established as shown in Table 2.
For this BU, a risk would be considered acceptable if the losses are less than €10 MM, manageable if they are between €10 MM and €20 MM, critical if they are between €20 MM and €30 MM, and potentially catastrophic if they are higher than €30 MM.

3.1.3. Execution of Questionnaires

In this phase, quantitative answers are collected from the BU managers in terms of mean frequency, mean severity, and worst-case estimates (Barton et al. 2012), which are the inputs of the framework for the scenario analysis performed by the OpRSA method. The process of executing the questionnaires was completed as follows: once the questions were identified, meetings with the managers were held with the staff of the BU under study in order to validate the questions and to have them answered. For the probability of occurrence (likelihood) of the events, once the risk thresholds were validated by the BU, the question was asked in terms of the estimated average frequency, i.e., the average number of loss events expected for the considered time period (one year), considering the quality of the existing controls and the available assets. After this question was answered, the managers estimated the average economic severity, defined as the mean economic impact expected for an event, considering the existence of controls and recoveries. Finally, the managers answered the worst-case question, where the worst case is defined as the economic impact of an event in the worst possible situation. The last phase of the execution of questionnaires process was the on-site validation of the results obtained when the assessment was completed, providing the average expected losses, the average unexpected losses and the rating obtained, indicating that they were reasonable. Fraser (2010) presents relevant information which was used for conducting the risk interviews.

3.1.4. Review and Optimization of the OpRSA Process

In this phase, the OpRSA process performed the analysis of results, shared them with the organizational units of the BU and made the fine tuning of the results and ratings. This phase involved studying the results in order to achieve consistency in terms of expected and unexpected losses and standardized rating. The results obtained in the BU under study were analyzed by checking them with the audit and finance departments.

3.1.5. Reporting of Results of the OpRSA Process

This is the phase of the OpRSA process where risk reports are designed, prepared, and shared with the organization. This is relevant for this study to prove the effectiveness of the proposed OpRAM methodology. Reports constitute a reliable tool that provides strategic and operational information, giving a global overview of the TELCO's risk exposure to be managed, alerting on anomalous or critical situations, and providing reliable information for making decisions.

3.1.6. Maintenance of the OpRSA Process

Basic activities to be included in this phase of maintenance are: periodic review of the OpRSA methodology, review of the level of execution of the questionnaires, update of questions (events in the TELCO) included in each questionnaire and risk thresholds, as well as assurance of flow of information to management.

3.2. Operational Risk Self-Assessment Method

The operational risk self-assessment method (OpRSA Method) consists of a quantitative analysis of subjective estimates (mean frequency, mean severity, and worst case) collected through the OpRSA process to get an output expressed in terms of risk (unexpected loss). This quantitative analysis is based on an actuarial approach for modelling frequency and severity of risks in order to characterize the potential operational losses. This information, essential to estimate severity dispersion around its mean value, is useful to obtain an output in terms of UL and to define the risk thresholds.
The scheme of the OpRSA method for every event is defined as follows: the inputs are the subjective information coming from the three estimates. The outputs are the EL distribution, the UL distribution, and the rating percentages based on UL results. The inputs are transformed into outputs through the following elements: an actuarial approach and hypotheses on statistical distributions for frequency and severity and their convolution for building EL and UL density curves; a UL map based on these hypotheses, i.e., quantitative classes for frequency and impact (number of events per year for frequency and € classes for severity and worst case); and the definition of risk thresholds of normalized unexpected losses (based on appropriate exposure indicators) to build the risk levels (rating classes). The statistical basics for creating the OpRSA method are described by the Basel framework, Chernobai et al. (2007), and Strzelczak (2008).

3.2.1. Actuarial Approach

The logic of the actuarial approach is to consider separately the distribution of the number of occurrences within a certain time horizon (frequency) and the distribution of the impact of the single event in that period (severity), and then to proceed to their convolution to get a unique distribution, the loss distribution, to be cut at the preferred quantile to get the Value at Risk (VaR) at the desired confidence level (Diebold et al. 2000). According to this approach, expected loss (EL) is the expected value of the potential loss distribution, while unexpected loss (UL) is the difference between the quantile at 99.9% (Value at Risk) of the loss distribution and the expected value of the same loss distribution (EL). UL evaluates the degree of dispersion of the distribution in relation to its average value (mean), so it can be considered as a risk measurement (Guillén et al. 2007 and Jobst 2007).
The following parametric hypotheses have been adopted: for the frequency, which can be described by a single parameter (mean frequency), the Poisson distribution; for the severity, to be described by two parameters, the Weibull distribution (Embrechts et al. 1997), which can be associated with mean severity and worst case, the latter representing the quantile at 99.9% of the severity distribution. Once the frequency and severity distributions which describe specific loss event types are defined, the loss distribution can be obtained via Monte Carlo convolution (Forester et al. 2006). Monte Carlo simulation consists of first sampling a number of events from the frequency distribution and then randomly sampling that many impacts from the severity distribution. Through the resulting loss distribution, the unexpected loss can be determined at the desired confidence level, as shown in Figure 5.
This means that for each combination (L, a, b) in the 3-D space identified by mean frequency (Poisson-L), mean severity (Weibull-a), and worst case (Weibull-b), a precise level of expected and unexpected loss can be determined (Martínez-Sánchez et al. 2016).
The next step consists of identifying in this space all the points with the same level of unexpected loss, defined as “iso-UL surface”. In particular the attention is focused on those three iso-UL surfaces identified by the three critical levels of unexpected loss, coming from the definition of cut-offs on the ratio UL/EI.
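The calculation described in this section, carried through for a single event as an added example (not code from the paper or from the TELCO's OpRSA SW). It assumes point estimates rather than answer classes, the usual shape/scale Weibull parametrization, and rating cut-offs of 1%, 2% and 3% of the exposure indicator, which are the values implied by the €1000 MM example in Section 3.1.2; all function names and sample figures are constructed.

```python
import math
import random

Q = 0.999  # confidence level the page uses for the worst case and for VaR


def calibrate_weibull(mean_severity, worst_case, q=Q):
    """Return (shape, scale) of a Weibull whose mean is mean_severity and
    whose q-quantile is worst_case (assumed parametrization, not the paper's)."""
    ratio = worst_case / mean_severity
    if not 1.0 < ratio <= 100.0:
        # Same admissible region as the page: mean <= worst case <= 100 * mean.
        raise ValueError("need mean severity < worst case <= 100 * mean severity")
    log_c = math.log(-math.log(1.0 - q))
    target = math.log(ratio)

    # With x = 1/shape, ln(quantile / mean) = x*ln(c) - lgamma(1 + x).
    # For q = 0.999 this increases monotonically on (0, 6] and covers
    # ratios up to about 150, so plain bisection finds the unique root.
    def log_ratio(x):
        return x * log_c - math.lgamma(1.0 + x)

    lo, hi = 1e-9, 6.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if log_ratio(mid) < target:
            lo = mid
        else:
            hi = mid
    x = 0.5 * (lo + hi)
    return 1.0 / x, mean_severity / math.gamma(1.0 + x)


def poisson_draw(rng, lam):
    """Events in one year: count exponential inter-arrival times that fit in it."""
    n, t = 0, rng.expovariate(lam)
    while t < 1.0:
        n += 1
        t += rng.expovariate(lam)
    return n


def simulate_annual_losses(mean_freq, shape, scale, n_years, seed):
    """Monte Carlo convolution: draw a yearly event count, then that many severities."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        n_events = poisson_draw(rng, mean_freq)
        # random.weibullvariate takes (scale, shape) in that order.
        losses.append(sum(rng.weibullvariate(scale, shape) for _ in range(n_events)))
    return losses


def expected_and_unexpected_loss(losses, q=Q):
    """EL is the mean of the loss distribution; UL is its q-quantile (VaR) minus EL."""
    ordered = sorted(losses)
    el = sum(ordered) / len(ordered)
    var = ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return el, var - el, var


def rating(ul, exposure_indicator, cutoffs=(0.01, 0.02, 0.03)):
    """Map UL/EI to A (acceptable), B (manageable), C (critical), D (catastrophic)."""
    ratio = ul / exposure_indicator
    for label, cutoff in zip("ABC", cutoffs):
        if ratio < cutoff:
            return label
    return "D"


def assess_event(mean_freq, mean_severity, worst_case, exposure_indicator,
                 n_years=100_000, seed=1):
    shape, scale = calibrate_weibull(mean_severity, worst_case)
    losses = simulate_annual_losses(mean_freq, shape, scale, n_years, seed)
    el, ul, var = expected_and_unexpected_loss(losses)
    return {"EL": el, "UL": ul, "VaR": var, "rating": rating(ul, exposure_indicator)}


if __name__ == "__main__":
    # Constructed answers for one event, in EUR MM: 2 events per year,
    # mean severity 1, worst case 10, exposure indicator 1000.
    print(assess_event(2.0, 1.0, 10.0, 1000.0))
```

The simulated EL converges to mean frequency × mean severity, the relation the paper uses in Section 3.2.3, while the UL depends strongly on how far the worst case lies from the mean severity.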

3.2.2. Classes of Frequency, Severity, and Worst-Case Thresholds

The risk thresholds are based on every BU depending on their size and their strategic objectives. Therefore, it is necessary to define a measure expressing the risk level that can be associated with a specific risk type and for this reason, the risk thresholds are identified through specific rating classes, being the unexpected loss the way to represent the risk. Starting from these abovementioned iso-UL surfaces, the rating classes for the collection of the subjective estimates can be determined. The collection of the answers related to frequency corresponds to a mean severity-worst case plane identified by the mean frequency value suggested by the interviewees according to the proposed Table 3 as a reference scale.
This plane (iso-UL plane), cutting the iso-UL surfaces, which represent the three critical levels of UL stemming from the cut-offs previously defined, identifies, by intersection, the iso-UL curves which determine groups of points with the same unexpected losses (UL1, UL2, and UL3, respectively), as shown in Figure 6.
Two properties for these curves emerge: linearity and parallelism. On this plane, the relevant area to be considered for the analysis is limited by the following two constraints. First, mean severity ≤ worst case (since the quantile at 99.9% on severity distribution is associated to worst case, it is reasonable, by construction, that the mean of this distribution is less than or equal to the worst case itself). Second, mean severity ≥ 1/100 worst case (the hypothesis is not to consider too extreme cases in which the worst case is more than one hundred times the mean severity). Therefore, the range under analysis is determined considering the upper limit (intersection between the bisector, i.e., the first constraint, and the highest iso-UL curve), and the lower limit (intersection between the lowest constraint and the lowest iso-UL curve), as shown in Figure 6. The answer about frequency, together with the cut-off on the UL and the abovementioned constraints, leads to the identification of the severity range, on which the severity classes will be concentrated to discern the rating classes.
This aspect is important because it strongly reduces the relevant interval to be considered for severity during the analysis, making it possible to focus the limited number of severity classes to be proposed to the interviewee. Once the relevant range of severity has been determined, the criteria for the determination of the severity classes need to be defined. Severity classes depend on the calibration linked to the size of the unit and on the first answer given to the mean expected frequency for the loss event. In the definition of these division criteria the first choice is related to the number of severity classes to be proposed to the interviewee to collect the subjective estimates. The number of classes adopted has to be sufficient to discern between the different rating classes (the OpRSA SW was parametrized with 8 rating classes); this number is constant, independent of the frequency answer. Once the number of classes to be used has been set, starting from the intersections of the iso-UL curves and the constraints, the boundaries of each class can be identified in the following way, which summarizes the abovementioned criteria: only the three main thresholds deriving from the intersection of the iso-UL curves with the bisector (mean severity ≤ worst case) are kept, together with the lowest threshold given by the intersection of the first iso-UL curve with the lowest constraint. The criteria to be followed for the definition of the questions on worst case also need to be defined. The estimate of the mean severity alone does not give a full description of the whole distribution of the impact of the single event. This third estimate makes the problem fully determined, allowing a precise identification of a finite area characterizing the set of collected answers (frequency-mean severity-worst case).
The intersection between the mean level of the chosen severity class and iso-UL critical curves identifies the thresholds to be proposed for the question on the worst case.

3.2.3. Analysis of the OpRSA Method Outputs

The treatment of the subjective estimates of the three parameters and the techniques for output analysis need to be described to understand the results of this study. The answer to each question for frequency, mean severity, and worst case is not a point value but a class, so, a priori, a loss distribution is not available to determine expected and unexpected loss. The three estimates provided by the interviewee for each risk type allow the identification of a specific area in the three-dimensional space: the trapezium (area) that represents the aggregated expression of the three collected estimates. Starting from this area, each answer for frequency, severity and worst case can be characterized in terms of expected loss (EL) and unexpected loss (UL). The “average severity-worst case” plane to be analyzed after the collection of the first estimate (average frequency) represents, by construction, a situation of constant mean frequency, and within the area characterized by the set of answers the following relation applies: EL = (average frequency) * (average severity); i.e., since the average frequency is constant on this plane, each average severity corresponds to a different level of EL. Based on this, the area under analysis (outputs) can be characterized in terms of expected loss. The information collected through the three subjective estimates can be understood in terms of a probability distribution for the expected loss. This implies that within the severity interval chosen by the interviewee, a distribution can be associated to the analyzed loss event and not simply a single value of EL. The characterization of the outputs in terms of UL follows similar considerations. As shown in Figure 7, moving at constant levels of UL, i.e., parallel to the iso-UL curves, it is easier to identify those areas to be considered. According to this rationale, each answer (frequency-severity-worst case) can be characterized by a distribution of UL.
It is important to highlight the fact that even for the UL, the output is not simply a point estimate but a confidence interval.
As shown in Figure 8, the UL distribution obtained from each answer can be aggregated into the total UL distribution related to the whole questionnaire or to a generic group of answers. Aggregation of risk measures is a main pillar for ERM implementation, as described by Brown et al. (2019). This distribution represents the basic set of information used to get aggregated results in term of total UL (for organizational unit or specific loss event type across the whole organization) and in terms of rating.

4. Discussion

4.1. Empirical Results for the TELCO

The following results are the empirical outputs applied to the TELCO case study based on the implementation of the OpRAM methodology, whose main components are: the inputs from the questionnaires (mean frequency, mean severity, and worst case), the economic evaluation of the results in terms of expected loss (EL) and unexpected loss (UL), the Value at Risk (defined as the sum of EL and UL expressing the maximum expected loss in one year with a confidence level of 99.9%), and the three risk thresholds which identify the four rating classes (acceptable, manageable, critical, catastrophic).
In order to distribute the risk thresholds, defined at BU level, among the different events included in the questionnaire, a quadratic relationship was used, with the assumption of statistical independence and same weighting for every event. After calculating the EL and UL for every event, they were compared against the risk thresholds in order to obtain the rating classes. The UL of every individual event is aggregated at the BU type of risk level. For the aggregation at whole BU level, an arithmetic sum is considered. These are the quantitative results to be described in this section for the organizational unit under the scope of this study: Fixed Line BU for the Residential segment. The thresholds for this segment, and the exposure indicator used in their calculation, are shown in Table 4 (it also includes the thresholds for the rest of the organizational units within the BU, out of the scope of this field study).
When interpreting the information, we need to consider that the results in terms of UL are not represented by point values but through a probability distribution, and therefore when the UL is compared with the risk appetite defined by the BU, the area under this UL distribution may be shared among the four different rating classes. Figure 9 shows an example of a type of risk with UL of 100 € and 99.9% of confidence level, where the results are: 30% probability rating B (manageable) and 70% probability rating C (critical).
In the case of the application of the OpRSA methodology to Residential organizational unit, the results are shown in Table 5.
The Residential organizational unit estimated an average expected loss of 122 MM € in one year, and an average unexpected loss of 55 MM €; the rating classes defined the situation as manageable (94%) based on the risk thresholds proposed by the unit (32 MM €, 64 MM €, and 96 MM €), which indicated a non-worrisome loss, just a first sign of alert. The global result was that the unexpected loss was lower than the expected loss. This indicated an overall events typology characterized by a high frequency with a limited severity (small/medium). In this case, the mitigating actions had to be focused on main events to solve failures in order to reduce the probability of occurrence of the events and the associated losses. Analyzing the types of events, it was found that the “poor quality” event (risk type 2), together with the “processes” event (risk type 5), had a manageable classification, the rest of them being acceptable (risk types 1, 4, 6, and 7). The Residential organizational unit was mainly oriented to commercial activities and this is the reason why “poor quality” had more importance than the rest of them. The expected and unexpected losses of this event represented, respectively, 69% and 35% of the total for the unit. Based on the identification of events, “poor quality” had four associated risks: “poor quality in the service provision due to internal causes” of the TELCO, “poor quality in the service provision due to external causes”, “poor quality in the service provision for new customers” and “poor quality due to the rest of causes” (interruptions, fraud and billing, as most relevant). The “poor quality in the service provision due to internal causes”, with an expected loss of 42 MM €, represented the largest expected loss in the Residential organizational unit. It had an unexpected loss of 5 MM €, far below the expected loss, which implied that the event had a high frequency of occurrence, as well as a medium or low impact every time it materialized.
The main “poor quality event due to internal causes” was the churn of customers and the ARPU (Average Revenue Per User) was the impact variable. The largest unexpected loss event was “poor quality in the service provision for new customers”, with 17 MM € as unexpected loss and a critical rating class. As the expected loss was 14 MM €, it could be considered that this event had lower frequency and bigger impact than the previous one. Finally, within the “processes” type, the event “errors and delays in the formalization of contracts” was evaluated, with a critical rating class (56%) and 17 MM € of unexpected loss, 8 times higher than the expected loss. This is a low frequency event, once every two years, with a big impact. The interviewed managers argued about the lack of updated contracts with their suppliers due to different reasons.
This quantitative data is the result of the application of the operational risk assessment methodology, and it was contrasted against the business unit managers, providing relevant information for the budgeting exercise across the company for the expected and unexpected losses, improving their decision making for capital allocation and, therefore, helping in cost reduction for the business unit.
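The relationship described above between frequency, severity, and the ratio of unexpected to expected loss can be reproduced with a small loss-distribution simulation. This is an added example, not the OpRSA software or the author's code: the Poisson frequency, lognormal severity, the definition of unexpected loss as the 99th percentile minus the mean, the ordering of the four rating classes around the three thresholds, and both sets of event parameters are assumptions constructed for illustration.

```python
import math
import random

# Unit-level thresholds quoted in the text, in MM EUR.
# ASSUMPTION: they separate the four rating classes in ascending order.
THRESHOLDS = (32.0, 64.0, 96.0)
CLASSES = ("acceptable", "manageable", "critical", "catastrophic")

# Constructed event parameters (not taken from the study).
# Severity mean is in MM EUR per occurrence.
HIGH_FREQ_LOW_SEVERITY = dict(freq_per_year=100.0, sev_mean=0.4, sev_sigma=0.5)
LOW_FREQ_HIGH_SEVERITY = dict(freq_per_year=0.5, sev_mean=4.0, sev_sigma=1.0)


def classify(unexpected_loss, thresholds=THRESHOLDS):
    """Map an unexpected loss (MM EUR) to a rating class (assumed mapping)."""
    for limit, name in zip(thresholds, CLASSES):
        if unexpected_loss < limit:
            return name
    return CLASSES[-1]


def poisson(rng, lam):
    """Number of events in one year, counted from exponential inter-arrival times."""
    count = 0
    t = rng.expovariate(lam)
    while t <= 1.0:
        count += 1
        t += rng.expovariate(lam)
    return count


def simulate_annual_losses(freq_per_year, sev_mean, sev_sigma, n_years=10000, seed=1):
    """Simulate total loss per year: Poisson frequency, lognormal severity."""
    rng = random.Random(seed)
    # Choose mu so that the lognormal severity has the requested mean.
    mu = math.log(sev_mean) - sev_sigma ** 2 / 2.0
    losses = []
    for _ in range(n_years):
        n_events = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(n_events)))
    return losses


def expected_and_unexpected(losses, quantile=0.99):
    """Return (expected loss, unexpected loss).

    ASSUMPTION: unexpected loss = loss at the given quantile minus the mean.
    """
    ordered = sorted(losses)
    expected = sum(ordered) / len(ordered)
    at_quantile = ordered[min(len(ordered) - 1, int(quantile * len(ordered)))]
    return expected, at_quantile - expected


def profile(event):
    """Summarize one event: expected loss, unexpected loss, ratio and class."""
    el, ul = expected_and_unexpected(simulate_annual_losses(**event))
    return {"EL": el, "UL": ul, "UL/EL": ul / el, "class": classify(ul)}


if __name__ == "__main__":
    for label, event in (("high frequency, low severity", HIGH_FREQ_LOW_SEVERITY),
                         ("low frequency, high severity", LOW_FREQ_HIGH_SEVERITY)):
        p = profile(event)
        print(f"{label}: EL={p['EL']:.1f} UL={p['UL']:.1f} "
              f"UL/EL={p['UL/EL']:.1f} class={p['class']}")
```

Frequent small events average out over the year, so the tail sits close to the mean and the unexpected loss stays below the expected loss; a rare large event leaves most years at zero and pushes the tail to several times the mean.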

4.2. Interpretation of Results

In order to give an appropriate interpretation of this research, it is important to summarize some key issues revealed by the literature review for connecting this paper’s results to previous studies: (i) many companies belonging to various sectors still struggle with risk evaluation techniques based on an ERM approach; (ii) in general, ERM has attracted little research attention compared to other disciplines; (iii) the risk management approach is in a state of maturity for financial firms, particularly in advanced techniques, methods and tools for operational risk assessment; (iv) operational risk evaluation for non-financial firms is not an easy practice; (v) there is a lack of research in ERM for non-financial companies, in particular for those in the telecommunications sector; (vi) ERM and its associated methodologies should be implemented in any type of organization, regardless of its sector, for creating value for its stakeholders; (vii) no practical risk evaluation methodology based on risk self-assessment and scenario analysis, with the statistical and actuarial approach used in financial firms, has been found and applied in the telecommunications sector; and (viii) research based on case studies has proven to be a best practice in ERM studies in order to build, contrast and illustrate ERM implementation results.
The results show that it is possible and useful to build a practical methodology (process and method) to help a telecommunications company (TELCO) in evaluating its operational risks, despite the abovementioned key aspects revealed by the literature review. In fact, the results of this research lead to a practical risk evaluation approach for the business of a large company, in contrast to other theoretical studies that are focused on the fundamentals of the ERM process but do not provide a pragmatic and customized implementation of methodology and practices, even in different sectors or other types of organizations (e.g., Meidell and Kaarboe 2017; Chen et al. 2019). In fact, it has been relevant to review various studies on telecommunications companies. They are all mainly focused on empirical investigations about general characteristics of the sector due to globalization, which determines a continuous increase of risks for companies, particularly for large companies in a dynamic environment.
Another result of this study is the convergence between theoretical practices and those illustrated by the TELCO’s case study, in building a practical management tool for supporting the decision-making processes within a company. This is described in the OpRSA process phases and its embedded OpRSA method. In this respect, two innovative aspects resulting from this study are: (i) the use, enhancement, and application of the conceptual COSO ERM framework for evaluating operational risks; and (ii) the extrapolation and adjustment of methods and techniques of common use in the financial sector to a TELCO. These two aspects need to be put in the context that even though academics are increasingly examining the adoption and impact of ERM, their studies are commonly too general, inconsistent, and inconclusive, due to an inadequate specification of how ERM is used in practice, applying specific methodology for its implementation (Mikes and Kaplan 2013). This idea is extended to the building and application of risk evaluation methodology and is due to the lack of knowledge of specific risk management techniques for large non-financial sectors such as telecommunications (Fraser and Simkins 2016). In this sense, for a large organization, such as the TELCO chosen as a case study for this research, it has been practical to organize regular workshops and questionnaires for data gathering of the risk self-assessment technique, for the field work of the chosen business unit, together with the key business representatives (managers). This approach was led and supported by senior management to ensure that the OpRSA process was conducted with rigor.

4.3. Contributions and Practical Implications

The analysis of the results provides a significant understanding of the proposed methodology and its practical application, and therefore offers several theoretical and managerial contributions and practical implications. The research adds to our theoretical understanding of the topic (ERM) at several levels. First, the study proposes an innovative operational risk evaluation methodology based on universally-accepted ERM frameworks. Second, the research considers, for operational risks, proven and robust experiences from the financial and insurance sector (e.g., loss distribution approach, actuarial approach). Third, as the evaluation step is key in the risk management process, the research provides a practical approach for its implementation based on the theoretical concepts included in the ERM frameworks. In this sense, the contribution of this work is based on the effective construction and application of an operational risk management methodology (OpRMA) for a TELCO, which would allow establishing, as a “best practice”, the implementation of operational risk management evaluation models, totally aligned with commonly accepted frameworks (COSO) and standards (ISO 31000) on this subject. The research also has several managerial implications. First, as organizations have to focus on developing risk management practices to evaluate their operational risks, the proposed methodology is a practical approach to achieve it for the telecommunications industry, where there is a lack of literature and research. Second, companies from other sectors, apart from financial, insurance, and TELCOs, can extrapolate the content of this research for measuring their operational risks using robust and contrasted methodology (process and method). Third, the results imply that there is a strong and direct impact of risk management practices on firm performance, as the operational risks which can be evaluated are key for the business. Fourth, the study can be appreciated by managers for contrasting their previous knowledge about operational risk impact; in fact, outstanding organizations focus on learning from failures and improving organizational processes for risk prevention in the future, and better responsiveness performance in the present, where this risk evaluation methodology can be a relevant “management tool” for the decision-making process.
Regarding practical implications, the results of the application of the OpRMA were contrasted with the TELCO’s business managers, who confirmed their reliability and usefulness for their decision-making processes. This research work would help TELCO companies to understand the usefulness and applicability of the OpRMA to provide value for their stakeholders for: (i) obtaining relevant information to allow management to effectively assess overall capital needs; (ii) reducing operational surprises and losses and improving risk response decisions; (iii) managing multiple and cross-enterprise risks, considering a full range of potential events, in order to realize business opportunities; and (iv) aligning risk appetite and strategy. Milliman Risk Institute, in 2014, performed a survey-based study that indicated the top 5 ways ERM creates value for firms, including improved performance management, enhanced board oversight, higher quality of strategic planning, improved risk-adjusted decision making, and improved capital efficiencies (allocation). The last two ways have been covered by this study by efficiently evaluating the operational risks in a TELCO. Additional practical implications of this study are linked to some benefits of a sound ERM framework and the fact that risk managers should refrain from only focusing on theoretical models but strive to produce risk evaluation that can be practical for decision-making to identify concrete outcomes. The business units and risk owners should gain from having a comprehensive view of risks, as well as analyzing the risk profile of their activity under adverse conditions. The risk discipline and risk culture can be promoted by an active risk management contribution (Fiol 2019).
Furthermore, the implementation of risk management models for the companies in the telecommunications sector results in the improvement of decision-making processes on risks, enables control activities, contributes to efficient allocation of the company’s capital and funds, and protects and increases the company’s property. Balancing the benefit that a certain method brings against the costs it creates is the basic criterion for the application of risk management frameworks in the companies in the telecommunications sector. In some cases, outside influences such as state regulations can affect the selection of the method to be applied in risk management.

5. Conclusions

There is a general consensus that the growth in popularity of enterprise risk management (ERM) frameworks has resulted from a response to requirements on organizations to manage risk. However, several ERM studies (Lundqvist 2014) question the validity of these models, arguing that, although accepted in the communities which study risk management, they may turn out to be too theoretical and general to have a successful practical application in companies. This limitation is even bigger in respect of the challenge of evaluating operational risks for a large telecommunications company, where there is a lack of contrasted references versus all the assessment models implemented in the banking sector (Basel Committee on Banking Supervision 2006; Dutta and Perry 2006; Fontnouvelle and De Jesús 2003; and Singh and Hong 2020). This study attempted to examine how telecommunications companies can evaluate their operational risks. The OpRAM methodology presents a relevant process and method, including the steps that practitioners can find useful and meaningful for telecommunications firms. Furthermore, the OpRAM methodology and its results, the main contribution of this research, were empirically validated with the TELCO’s managers and showed high levels of reliability and validity. This study highlights that in a dynamic and complex world of business, ERM frameworks can be customized for firm needs, in particular for managing and evaluating their operational risks for enhancing performance and value creation. McShane (2018) argues that “even with two prominent ERM frameworks (COSO ERM and ISO 31000), organizational contexts make a one-size-fits-all method of implementing ERM impossible”, and this is a basic reason for research in creating innovative risk management and evaluation methodology such as OpRAM.
Regarding the implications for researchers and practitioners, this study for evaluating operational risks might be used as a benchmarking tool for other entities and industrial sectors, not only for practitioners but also for researchers. Researchers following the path described in this study might be interested in proposing a similar OpRAM methodology for application in other industries and in developing business cases to illustrate the usefulness of the approach. Bromiley et al. (2015) provide a critical review of ERM research for identifying limitations and gaps that management scholars are best equipped to address, including the need for management research for ERM development. Their study contributes relevant insights for measurement of risk in ERM, analyzing concepts such as how managers’ assessment of risk may differ from objective measures of risk, as individuals at the top of firms probably have even greater confidence in their judgments than the normal individual, managers being more experienced in the risk management process. Finally, this research could also contribute to the academic community in consolidating theoretical concepts and a practical approach for the ERM discipline.
For future research directions, this study provides an initial foundation that can spawn additional research on operational risk evaluation. Researchers should be encouraged to examine other TELCOs’ approaches to ERM, as well as to explore other sectors, as the methodology could be extrapolated to them. I believe that the academic community is positioned to greatly contribute to this growing risk management policy need for more effective ERM in multiple sectors. As far as it has been analyzed and based on the literature review of ERM, this study could be considered innovative research exploring a practical methodology for operational risk evaluation in a large TELCO, as well as a good reference for further research, not only in the telecommunications sector, but also in other industries in addition to finance and insurance. Therefore, future studies could conduct an in-depth case study of additional firms in every sector (Singh and Hong 2020). Future research may also revisit the cultural factor of attention to detail. This may be because ERM maturity is not good enough yet and attention to detail may translate into an excessive focus on documents and standard operating procedures, more than on customized methodologies for firms, which may have adverse consequences for the effective implementation of risk management practices. Other proposals for further research could include the ERM relationship with related disciplines such as business sustainability, corporate governance, corporate social responsibility, and compliance.
Limitations in this research approach are also acknowledged. First, due to the dimension and scope of the TELCO, the field work had to be limited to one specific business unit, while the exploration of a bigger sample could have provided additional and richer results about the validity of the results. Second, it is uncertain that similar research could be performed and tested in any other telecommunications company without an ERM strategy in place. An ERM program for evaluating risks must have an organizational mandate to be implemented effectively and the right people in place to identify, measure and manage the risks of the firm. In this sense, we used survey data (questionnaires) obtained from the managers. To the extent that those executives might not have accurate first-hand knowledge about the risks to be evaluated within their business units, the research results could be limited, as one of the steps of the OpRSA methodology (the execution of questionnaires) is potentially biased, which would likely limit our ability to find inputs consistent with the business results. This situation could be minimized and enhanced based on the knowledge and experience of the interviewees (managers), as it was double-checked throughout the study. Third, other statistical approaches and distributions in the OpRSA method could contribute different and unexpected results. Finally, one relevant limitation is that various previous studies have relied on the practice of Chief Risk Officer (CRO) appointments as a proxy for risk management and evaluation (Beasley et al. 2008; Hoyt and Liebenberg 2011; Pagach and Warr 2011), and the results of the research could not be contrasted with this non-existent function in the TELCO.
A final “food for thought” comment, as a personal opinion, is that research in risk management in telecommunications and information technology companies is a worthwhile “investment”, as the activities of these sectors stipulate the functioning of not only the entire social system needs, but also the life of the contemporary individual, improving the welfare state.

Funding

This research received no external funding.

Acknowledgments

The author is very grateful to every manager from the private company who provided confidential data, in-company software (OpRSA SW), and participated in the brainstorming sessions and interviews, helping in building the methodology, which is the objective of this article.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Anton, Sorin G. 2018. The Impact of Enterprise Risk Management on Firm Value: Empirical Evidence from Romanian Non-Financial Firms. Inzinerine Ekonomika-Engineering Economics 29: 151–57.
  2. Altuntas, Muhammed, Thomas R. Berry-Stölzle, and Robert E. Hoyt. 2020. Enterprise Risk Management Adoption and Managerial Incentives. Journal of Insurance Issues 43: 1–42.
  3. Arena, Marika, Michela Arnaboldi, and Giovanni Azzone. 2010. The organizational dynamics of Enterprise Risk Management. Journal of Accounting, Organizations and Society 35: 659–75.
  4. Armstrong, Chris S., Wayne R. Guay, Hamid Mehran, and Joseph P. Weber. 2016. The role of financial reporting transparency in corporate governance. Economic Policy Review, 107–28.
  5. Ashby, Simon. 2008. Operational risk: Lessons from non-financial organisations. Journal of Risk Management in Financial Institutions 1: 406–15.
  6. Barton, Thomas, William G. Shenkir, and Paul L. Walker. 2012. Enterprise risk management: Skipping the ERM tune-up: Pay now or pay later. Financial Executive Magazine 28: 22–25.
  7. Basel Committee on Banking Supervision. 2006. International Convergence of Capital Measurement and Capital Standards: A Revised Framework. Bank of International Settlements. Basel: BCBS.
  8. Basel Committee on Banking Supervision. 2009. Revisions to the Basel II Market Risk Framework. Consultative Document. Bank of International Settlements. Basel: BCBS.
  9. Baxter, Ryan, Jean C. Bedard, Rani Hoitash, and Ari Yezegel. 2013. Enterprise Risk Management program quality: Determinants, value relevance, and the financial crisis. Contemporary Accounting Research 30: 1264–95.
  10. Beals, Sarah, Carol Fox, and Steven Minsky. 2015. Why a Mature ERM Effort is Worth the Investment. Risk Management and Insurance Society (RIMS) Executive Report. Available online: https://www.rims.org/Documents/MatureERM_whitepaper.pdf (accessed on 31 March 2019).
  11. Beasley, Mark S., Richard Clune, and Dana R. Hermanson. 2005. Enterprise risk management: an empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy 24: 521–31.
  12. Beasley, Mark S., Donald P. Pagach, and Richard S. Warr. 2008. Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes. Journal of Accounting Auditing Finance 23: 311–32.
  13. Bedford, Tim, and Roger Cooke. 2001. Probabilistic Risk Analysis: Foundations and Methods. Cambridge: Cambridge University Press.
  14. Bertinetti, Giorgio Stefano, Elisa Cavezzali, and Gloria Gardenal. 2013. The Effect of Enterprise Risk Management on Firm Value of European Companies. Working Paper No. 10. Venice: Università Ca’Foscari Venezia, Available online: http://virgo.unive.it/wpideas/storage/2013wp10.pdf (accessed on 30 April 2020).
  15. Blanco-Mesa, Fabio, Julieth Rivera-Rubiano, Xiomara Patino-Hernandez, and Maribel Martinez-Montana. 2019. The importance of enterprise risk management in large companies in Colombia. Technological and Economic Development of Economy Journal 25: 600–33.
  16. Breden, David. 2008. Monitoring the operational risk environment effectively. Journal of Risk Management in Financial Institutions 1: 156–64.
  17. Bromiley, Peter, Michael McShane, Anil Nair, and Elzotbek Rustambekov. 2015. Enterprise risk management: Review, Critique, and Research Directions. Long Range Planning Journal 48: 265–76.
  18. Brown, Jeffrey, Michael Duane, and Til Schuermann. 2019. What is enterprise risk management? Journal of Risk Management in Financial Institutions 12: 311–19.
  19. Callahan, Carolyn, and Jared Soileau. 2017. Does Enterprise risk management enhance operating performance? Advances in Accounting 37: 122–39.
  20. Chen, Jinhua, Lu Jiao, and Graeme Harrison. 2019. Organisational culture and enterprise risk management: The Australian not-for-profit context. Australian Journal of Public Administration 78: 432–48.
  21. Chernobai, Anna S., Svetlozar T. Rachev, and Frank J. Fabozzi. 2007. Operational Risk: A Guide to Basel II Capital Requirements, Models, and Analysis, XV-XVI. Hoboken: John Wiley & Sons.
  22. Ching, Hong Yuh, and Thalita Maricone Colombo. 2015. Enterprise Risk Management Good Practices and Proposal of Conceptual Framework. Journal of Management Research 6: 69–85.
  23. Cohen, Adrian V. 1996. Quantitative Risk Assessment and Decisions about Risks: An Essential Input into the Decision Process. Accident and Design: Contemporary Debates in Risk Management. Edited by Christopher Hood and David K. C. Jones. London: UCL Press, pp. 87–98.
  24. COSO. 2004. Enterprise Risk Management. Integrated Framework. New York: Committee of Sponsoring Organizations of the Treadway Commission. Available online: http://www.coso.org (accessed on 16 December 2020).
  25. COSO. 2017. Enterprise Risk Management. Integrating with Strategy and Performance. New York: Committee of Sponsoring Organizations of the Treadway Commission. Available online: http://www.coso.org (accessed on 16 December 2020).
  26. Dias, Alcina Portugal. 2017. A more effective audit after COSO ERM 2017 or after ISO 31000:2009? Perspectiva Empresarial [Business Perspective] 4: 72–82.
  27. Dickinson, Gerry. 2001. Enterprise Risk Management: Its Origins and Conceptual Foundation. The Geneva Papers on Risk and Insurance 26: 360–66.
  28. Diebold, Francis X., Til Schuermann, and John D. Stroughair. 2000. Pitfalls and Opportunities in the Use of Extreme Value Theory in Risk Management. The Journal of Risk Finance 1: 30–36.
  29. Dos Santos, Michelle P. F., Willem A. Clarke, and Andre Leon Nel. 2005. Enhancing Telecommunications Business Operations by Implementing Operational Risk Management in Service Level Management Operations. TeleManagement Forum, eTOM the Business Process Framework—For the Information and Communications Services Industry, GB921, Version 6.1. (November). Johannesburg: Faculty of Engineering South Africa.
  30. Dutta, Kabir, and Jason Perry. 2006. A Tale of Tails: An Empirical Analysis of Loss Distribution Models for Estimating Operational Risk Capital. Boston: Federal Reserve Bank of Boston.
  31. Embrechts, Paul, Claudia Klueppelberg, and Thomas Mikosch. 1997. Modelling Extremal Events. Applications of Mathematics No. 36. Berlin/Heidelberg: Springer.
  32. Fiol, Fabrice. 2019. Enterprise risk management: Towards a comprehensive yet practical enterprise risk function. Journal of Risk Management in Financial Institutions 12: 320–27.
  33. Florio, Cristina, and Giulia Leoni. 2017. Enterprise risk management and firm performance: the Italian case. The British Accounting Review 49: 56–74.
  34. Fontnouvelle, Patrick, and Virginia De Jesús. 2003. Using Loss Data to Quantify Operational Risk. Boston: Federal Reserve Bank of Boston.
  35. Forcadell, Francisco Javier, and Elisa Aracil. 2019. Can multinational companies foster institutional change and sustainable development in emerging countries? A case study. Business Strategy and Development Journal 2: 91–105.
  36. Forester, John, Alan Kolaczkowski, Erasmia Lois, and David Kelly. 2006. Evaluation of Human Reliability Analysis Methods against Good Practices. NUREG-1842 Final Report. Washington, DC: U.S. Nuclear Regulatory Commission.
  37. Foto, Glediana, Elfrida Manoku, and Valentina Sinaj. 2018. Risk Management in the Telecommunication Industry. Case Study AMC. Konferenca e Katërt Ndërkombëtare për Riskum [Fourth International Conference for Risks]–QSHR [Albanian Center for Risks], Conference Paper. Tirana: Faculty of Economy, Tirana University, pp. 203–12. Available online: http://qshr.org/wp-content/uploads/2013/07/4.18-Glediana.pdf (accessed on 10 March 2021).
  38. Fraser, John R. 2010. How to Prepare a Risk Profile. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Edited by John Fraser and Betty Simkins. Hoboken: John Wiley & Sons, pp. 171–88.
  39. Fraser, John R. S., Betty Simkins, and Kristina Narvaez, eds. 2014. Implementing Enterprise Risk Management: Case Studies and Best Practices. Hoboken: John Wiley & Sons.
  40. Fraser, John R.S., and Betty J. Simkins. 2016. The challenges and solutions for implementing enterprise risk management. Elsevier Business Horizons Journal 59: 689–98.
  41. Gandini, Giuseppina, Luisa Bosetti, and Alex Almici. 2014. Risk Management and Sustainable Development of Telecommunications Companies. Emerging Issues in Management (Symphoya) 2: 1–14.
  42. Gatzert, Nadine, and Michael Martin. 2015. Determinants and Value of Enterprise Risk Management: Empirical Evidence from the Literature. Risk Management and Insurance Review, 18.
  43. Gordon, Lawrence, Martin P. Loeb, and Chih-Yang Tseng. 2009. Enterprise risk management and firm performance: a contingency perspective. Journal of Accounting and Public Policy 28: 301–27.
  44. Guillen, Montserrat, Jim Gustafsson, Jens Perch Nielsen, and Paul Pritchard. 2007. Using External Data in Operational Risk. The Geneva Papers 32: 178–89.
  45. Hargreaves, Janet. 2010. Quantitative risk assessment in ERM. How to prepare a risk profile. In Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Edited by John Fraser and Betty Simkins. Hoboken: John Wiley & Sons, pp. 219–35.
  46. Hoyt, Robert E., and Andre P. Liebenberg. 2011. The Value of Enterprise Risk Management. Journal of Risk and Insurance 78: 795–822.
  47. Hoyt, Robert E., and Andre P. Liebenberg. 2015. Evidence of the Value of Enterprise Risk Management. Journal of Applied Corporate Finance 27: 41–47.
  48. Hubbard, Larry. 2005. Control Self-Assessment: A Practical Guide. Florida: IIA (The Institute of Internal Auditors).
  49. Ibrahim, Farah Salwati, and Muneera Esa. 2017. A study on enterprise risk management and organizational performance: developer’s perspective. International Journal of Civil Engineering and Technology (IJCIT) Journal 8: 184–96.
  50. ISO 31000. 2018. Risk Management. Guidelines. Geneve: ISO (The International Organization for Standardization).
  51. ISO 31000. 2009. Risk Management. Principles and Guidelines. Geneve: ISO (The International Organization for Standardization).
  52. ISO/IEC 31010. 2009. Risk Management. Risk Assessment Techniques. Geneve: ISO (The International Organization for Standardization).
  53. ISO 9001. 2015. Quality Management Systems. Requirements. Geneve: ISO (The International Organization for Standardization).
  54. Jacobus, Deddy. 2015. New Paradigm of Managing Risks: Risk and Control Self-Assessment. In The 2014 International Conference on Agro-industry (ICoA): Competitive and sustainable Agro-industry for Human Welfare. Agriculture and Agricultural Science Procedia 3: 32–34.
  55. Jobst, Andreas. 2007. It’s all in data–consistent operational risk measurement and regulation. Journal of Financial Regulation and Compliance 15: 423–49.
  56. Karaca, Süleyman Serdar, and Zekai Senol. 2017. The Effect of Enterprise Risk Management on Firm Performance: A Case Study on Turkey. Ph.D. dissertation, Cumhuriyet University, Sivas, Turkey. Available online: http://www.researchgate.net/publication/228230435 (accessed on 10 March 2021).
  57. Karanja, Erastus. 2016. Does the hiring of chief risk officers align with the COSO/ISO enterprise risk management frameworks? Journal of Accounting and Information Management 25: 274–95.
  58. Kleffner, Anne E., Ryan B. Lee, and Bill McGannon. 2003. The effect of corporate governance on the use of enterprise risk management: evidence from Canada. Risk Management and Insurance Review 6: 53–73.
  59. Kolluru, Rao V. 1995. Risk Assessment and Management: A Unified Approach. Risk Assessment and Management Handbook. For Environmental, Health, and Safety Professionals. Edited by Rao Kolluru, Steven Bartell, Robin M. Pitblado and Scott R. Stricoff. New York: McGraw-Hill, pp. 1.3–1.41.
  60. Kozarevic, Safet, and Nerka Besic. 2015. Risk Management in Telecommunications Services in Bosnia and Herzegovina. Ekonomski Vjesnik [Economic Journal]/ECONVIEWS 28: 9–24.
  61. Krause, Timothy A., and Yiuman Tse. 2016. Risk management and firm value: recent theory and evidence. International Journal of Accounting & Information Management 24: 56–81.
  62. Lalonde, Carole, and Olivier Boiral. 2012. Managing risks through ISO 31000: A critical analysis. Risk Management Journal 14: 272–300.
  63. Lechner, Philipp, and Nadine Gatzert. 2018. Determinants and Value of Enterprise Risk Management: Empirical Evidence from Germany. The European Journal of Finance, 24.
  64. Liebenberg, Andre P., Robert E. Hoyt, and Anne E. Kleffner. 2003. The determinants of enterprise risk management: evidence from the appointment of chief risk officers. Risk Management and Insurance Review 6: 37–52.
  65. Lundqvist, Sara A. 2014. An Explanatory Study of Enterprise Risk Management: Pillars of ERM. Journal of Accounting, Auditing and Finance 29: 393–429.
  66. Manab, Norlida Abdul, and Zahiruddin Ghazali. 2013. Does Enterprise Risk Management create value? Journal of Advanced Management Science 1: 358–62.
  67. Martínez-Sánchez, José Francisco, María Teresa V. Martínez-Palacios, and Francisco Venegas-Martínez. 2016. An analysis on operational risk in international banking: A Bayesian approach (2007–2011). Estudios Gerenciales [Management Studies] 32: 208–20.
  68. McShane, Michael. 2018. Enterprise risk management: history and a design science proposal. Journal of Risk Finance 19: 137–53.
  69. McShane, Michael K., Anil Nair, and Elzotbek Rustambekov. 2011. Does enterprise risk management increase firm value? Journal of Accounting, Auditing and Finance 26: 641–58.
  70. Meidell, Anita, and Katarina Kaarboe. 2017. How the enterprise risk management function influences decision-making in the organization – A field study of a large, global oil and gas company. The British Accounting Review 49: 39–55.
  71. Mikes, Anette. 2009. Risk management and calculative cultures. Management Accounting Research 20: 18–40.
  72. Mikes, Anette, and Robert S. Kaplan. 2013. Managing Risks: Towards a Contingency Theory of Enterprise Risk Management. Working Paper. Boston: Harvard Business School, pp. 13–63.
  73. Moeller, Robert R. 2007. COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework. Hoboken: John Wiley.
  74. Monda, Barbara, and Marco Giorgino. 2013. An ERM Maturity Model. Available online: http://www.ssrn.com/abstract=2198944 (accessed on 31 March 2019).
  75. Muermann, Alexander, and Ulku Oktem. 2003. The Near-Miss Management of Operational Risk. The Journal of Risk Finance 4: 25–36.
  76. Nocco, Brian W., and Rene M. Stulz. 2006. Enterprise Risk Management: Theory and Practice. Journal of Applied Corporate Finance 18: 8–20.
  77. Pagach, Donald, and Richard Warr. 2011. The characteristics of firms that hire chief risk officers. The Journal of Risk and Insurance 78: 185–211.
  78. Pakhchanyan, Suren. 2016. Operational Risk Management in Financial Institutions: A Literature Review. International Journal of Financial Studies 4: 20.
  79. Perera, Angage Anoma Samanathi. 2019. Enterprise Risk Management–International Standards and Frameworks. International Journal of Scientific and Research Publications 9: 211–17.
  80. Purdy, Grant. 2010. ISO 31000:2009-Setting a New Standard for Risk Management. Risk Analysis Journal 30: 881–86.
  81. Renn, Ortwin. 2008. Concepts of Risk: An Interdisciplinary Review. Journal of Ecological Perspectives for Science and Society (GAIA) 17: 50–66.
  82. Rubino, Michele. 2018. Comparison of the Main ERM Frameworks: How Limitations and Weaknesses can be Overcome Implementing IT Governance. International Journal of Business and Management 13: 203.
  83. Ruiz-Canela López, José. 2004. La Gestión por Calidad Total en la Empresa Moderna [Total Quality Management in the Modern Company]. Madrid: RA-MA. [Google Scholar]
  84. Saleem, Khalil Suleiman Abu, Omar Mohammed Zraqat, and Samer Mohammed Okuour. 2019. The effect of Internal Audit Quality (IAQ) on Enterprise Risk Management (ERM) in Accordance to COSO Framework. European Journal of Scientific Research 152: 177–88. [Google Scholar]
  85. Sehrawat, Sandeep. 2019. Risk management strategies in large telecom companies: with special reference to Nokia. International Journal of Advanced Scientific Research and Management 4: 99–103. [Google Scholar]
  86. Singh, Nitya P., and Paul C. Hong. 2020. Impact of strategic and operational risk management practices on firm performance: An empirical investigation. European Management Journal 38: 723–35. [Google Scholar] [CrossRef]
  87. Strzelczak, Stanislaw. 2008. Operational Risk Management. Warsaw University of Technology. Available online: https://www.researchgate.net/publication/312491702 (accessed on 31 March 2019).
  88. Yesuf, Ahmed Seid. 2017. A Review of Risk Identification Approaches in the Telecommunication Domain. Paper presented at Third International Conference on Information Systems Security and Privacy (ICISSP), Porto, Portugal, February 19–21. [Google Scholar]
  89. Wade, Keith, and Andy Wynne. 1999. Control Self-Assessment for Risk Management and other Practical Applications. Hoboken: John Wiley & Sons. [Google Scholar]
  90. Wahlström, Gunnar. 2009. Risk management versus operational action: Basel II in a Swedish context. Management Accounting Research 20: 53–60. [Google Scholar] [CrossRef]
  91. Wieczorek-Kosmala, Monika. 2014. Risk management practices from risk maturity models perspective. Journal of East European Management Studies 19: 133–59. [Google Scholar] [CrossRef]
  92. Woods, Margaret. 2009. A contingency theory perspective on the risk management control system within Birmingham city council. Management Accounting Research 20: 69–81. [Google Scholar] [CrossRef]
  93. Wu, Tsung-Chih, Charng-Cheng Tsaur, Chia-Hung Lin, and Sen-Yu Shiau. 2011. Surveying Safety Culture in Telecommunications Industry. Journal of Occupational Safety and Health 35: 403–20. [Google Scholar]
Figure 1. The Risk Management Process from ISO. Source: author's own study on ISO 31000 (2009).
Figure 2. ERM-Integrated Framework from COSO. Source: author's own study based on COSO (2004).
Figure 3. OpRSA Process. Source: author's own study.
Figure 4. Assessment Ranges and Risk Thresholds. Source: author's own study.
Figure 5. Convolution of frequency and severity distributions. Source: author's own study.
Figure 6. OpRSA Method constraints for range analysis. Source: author's own study.
Figure 7. OpRSA Method. Output: Unexpected Loss (UL). Source: author's own study.
Figure 8. OpRSA Method. UL density function. Source: author's own study.
Figure 9. Example of UL density function and rating classes. Source: author's own study.
Table 1. Exposure Indicators for the TELCO (Telecommunications Company).

| Threshold | Exposure Indicator: Trade Margin | Exposure Indicator: Operating Expenses |
|---|---|---|
| Manageable | 99% | 101% |
| Critical | 98% | 103% |
| Catastrophic | 97% | 105% |

Source: author's own study based on TELCO's data.
Table 2. Example of Thresholds based on EI.

Exposure Indicator: 1000 MM €

| Percentage | 99% | 98% | 97% |
|---|---|---|---|
| Expected value | 990 MM € | 980 MM € | 970 MM € |
| Threshold | 10 MM € | 20 MM € | 30 MM € |

Source: author's own study.
Table 3. Frequency classes.

| Frequency class | Average number of events/year |
|---|---|
| Every 10 years | 0.1 |
| Every 4 years | 0.25 |
| Every 2 years | 0.5 |
| Annual | 1 |
| Half-yearly | 2 |
| Quarterly | 4 |
| Monthly | 12 |
| Every 2 weeks | 26 |
| Weekly | 52 |
| 2–3 times a week | 150 |
| Daily | 250 |
| More times a day | 500 |

Source: author's own study.
Table 4. Exposure Indicators and Thresholds of BUs (Business Units).

| OpRSA | Exposure Indicator | Threshold 1 | Threshold 2 | Threshold 3 |
|---|---|---|---|---|
| Fixed Line Business Unit | | | | |
| Residential | Trade Margin | 32,210,000 | 64,420,000 | 96,630,000 |
| Professionals | Trade Margin | 21,800,000 | 43,590,000 | 65,390,000 |
| Carrier Services | Trade Margin | 10,270,000 | 20,550,000 | 30,820,000 |
| Quality, Products and Processes | Operating Expenses | 3,660,000 | 10,980,000 | 18,300,000 |
| Multimedia | Operating Expenses | 310,000 | 590,000 | 810,000 |

Source: author's own study based on TELCO's data. Figures in €.
Table 5. Results of Residential organizational unit.

| EVENT TYPE | TYPE 1: End Customer | TYPE 2: Poor Quality | TYPE 4: Suppliers | TYPE 5: Processes | TYPE 6: Non-Compliance | TYPE 7: Fraud | TOTAL |
|---|---|---|---|---|---|---|---|
| TOTAL | | | | | | | |
| EL | 28,060,000 | 84,490,000 | 2,540,000 | 3,730,000 | 40,000 | 2,820,000 | 121,670,000 |
| UL | 8,000,000 | 19,780,000 | 5,540,000 | 17,920,000 | 1,380,000 | 2,840,000 | 55,460,000 |
| Rating A | 100.00% | 0.50% | 81.20% | 41.00% | 100.00% | 100.00% | |
| Rating B | | 94.40% | 18.80% | 59.00% | | | 94.00% |
| Rating C | | 0.90% | | | | | 6.00% |
| Rating D | | | | | | | |
| UL.I | 16,820,000 | 13,730,000 | 6,870,000 | 16,820,000 | 9,710,000 | 9,710,000 | 32,210,000 |
| UL.II | 33,640,000 | 27,470,000 | 13,730,000 | 33,640,000 | 19,420,000 | 19,420,000 | 64,420,000 |
| UL.III | 50,460,000 | 41,200,000 | 20,600,000 | 50,460,000 | 29,140,000 | 29,140,000 | 96,630,000 |

Source: author's own study and outputs of OpRSA SW. Figures in €.
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Ruiz-Canela López, J. How Can Enterprise Risk Management Help in Evaluating the Operational Risks for a Telecommunications Company? J. Risk Financial Manag. 2021, 14, 139. https://doi.org/10.3390/jrfm14030139