A company may be achieving good sales and maintaining a sound financial position, yet simultaneously suffer from weak internal controls, flawed user permissions, over-reliance on specific individuals, or a lack of clear plans for dealing with disruptions and cyberattacks. These risks don’t always appear directly in the financial statements, but they can escalate into significant losses if not systematically managed and reviewed.<\/p>\n\n\n\n
Therefore, reviewing operational and technical risk management within an organization has become a fundamental necessity, not merely an additional administrative procedure.<\/p>\n\n\n\n
What are operational and technical risks?<\/p>\n\n\n\n
Operational risks are those arising from weaknesses or failures in internal processes, employee errors, deficiencies in policies and procedures, system malfunctions, or external events that affect an organization’s ability to conduct its business efficiently.<\/p>\n\n\n\n
Technical risks, on the other hand, are those associated with the use of technology within an organization, such as information security, ERP systems, databases, user permissions, backups, technical malfunctions, cyberattacks, and data loss or leakage.<\/p>\n\n\n\n
In simpler terms: operational risks relate to how work is carried out, while technical risks relate to the digital systems and tools upon which that work depends.<\/p>\n\n\n\n
Why does an organization need to review these risks?<\/p>\n\n\n\n
An organization may only discover weaknesses in its risk management after a problem occurs. Examples include an accounting system crash, loss of customer data, an email breach, unauthorized payments, incorrect financial transactions, or a supply chain disruption due to the absence of backup procedures.<\/p>\n\n\n\n
A risk management review helps an organization identify weaknesses before they escalate into crises. It also helps management understand the strength of its control systems and the organization’s preparedness to handle errors, malfunctions, and technical threats.<\/p>\n\n\n\n
The goal is not only to minimize losses but also to build a more disciplined and stable operating system.<\/p>\n\n\n\n
First: Reviewing Operational Risks within the Organization<\/p>\n\n\n\n
An operational risk review begins by examining the policies and procedures that govern work within the organization. Are there written procedures for the procurement cycle? Are there clear rules for approving payments? Are there limits of authority for the finance department? Are processes adequately documented?<\/p>\n\n\n\n
The existence of written procedures does not necessarily mean they are implemented. Therefore, the auditor does not simply read the policies but also tests the actual compliance with them across different departments.<\/p>\n\n\n\n
The problem might be that the company operates based on employees’ personal experience rather than a clear organizational system. This makes the organization vulnerable to errors when a key employee is absent or the team changes.<\/p>\n\n\n\n
Task separation is one of the most important elements of internal control. The same person should not be responsible for executing, recording, approving, and reviewing a process.<\/p>\n\n\n\n
For example, if one employee can create a new supplier, record an invoice, approve a payment, and execute a bank transfer, this is a serious operational vulnerability. Even if manipulation doesn’t occur, the system itself allows it to happen.<\/p>\n\n\n\n
Therefore, the auditor reviews the distribution of responsibilities among employees and ensures that there is cross-checking to minimize the potential for error or misuse.<\/p>\n\n\n\n
The procurement cycle is one of the areas most exposed to operational risks because it involves suppliers, pricing, invoicing, payments, and inventory.<\/p>\n\n\n\n
The auditor reviews whether purchase requests are approved, whether quotations are compared, whether purchase orders exist, whether goods or services are received before payment, and whether the invoice matches the purchase order and receipt.<\/p>\n\n\n\n
Payments are also examined to ensure they are made to legitimate suppliers, based on proper documentation, and with clear authorization.<\/p>\n\n\n\n
In the sales cycle, risks center around incorrect revenue recording, unauthorized discounts, poor collection, customer debt accumulation, or poor credit management.<\/p>\n\n\n\n
The auditor reviews sales policies, credit limits, discount approvals, and the reconciliation of sales orders with invoices, delivery notes, and collections. Debt aging and collection rates are also reviewed to determine the risk of outstanding customer balances.<\/p>\n\n\n\n
Weak sales controls can lead to direct losses, inflated revenue, or high levels of uncollectible debt.<\/p>\n\n\n\n
Inventory is one of the assets most susceptible to loss, damage, and poor recording. Therefore, reviewing it is a crucial part of operational risk assessment. The auditor reviews receiving, issuing, storage, and inventory procedures, ensuring accurate inventory records, clear authorizations, and a separation between warehouse managers, finance, and purchasing.<\/p>\n\n\n\n
Overwhelming, damaged, or slow-moving items are also examined, as poor inventory management can lead to capital stagnation or overvaluation of assets.<\/p>\n\n\n\n
Human resources risks include improperly registered employees, unapproved salaries, undocumented bonuses, and incomplete insurance and tax obligations.<\/p>\n\n\n\n
The auditor reviews employment contracts, attendance records, payrolls, bank transfers, management authorizations, and insurance and tax obligations.<\/p>\n\n\n\n
It is also verified that job responsibilities are clear and that employees have a sufficient understanding of the procedures associated with their roles.<\/p>\n\n\n\n
Second: Reviewing Technical Risks within the Organization<\/p>\n\n\n\n
User privileges within financial and operational systems are among the most critical areas of technical risk. Employees should only have the privileges necessary to perform their jobs.<\/p>\n\n\n\n
The auditor reviews user lists, the privileges granted to each user, inactive accounts, accounts of employees who have left the company, and highly sensitive administrative privileges.<\/p>\n\n\n\n
Excessive privileges can allow for the modification of financial data, the deletion of transactions, the bypassing of authorization procedures, or unauthorized access to confidential information.<\/p>\n\n\n\n
Information security is not limited to security software. It is a comprehensive system that includes passwords, multi-factor authentication, email usage policies, device protection, data encryption, and employee awareness.<\/p>\n\n\n\n
The auditor reviews the existence of clear information security policies, their effective implementation, and the organization’s ability to prevent unauthorized access to sensitive data.<\/p>\n\n\n\n
Weaknesses in this area can lead to customer data leaks, account compromises, business disruptions, or direct financial losses.<\/p>\n\n\n\n
Having a backup is not enough. The important questions are: Are backups performed regularly? Where are the backups stored? Who has access to it? Has data recovery actually been tested?<\/p>\n\n\n\n
Many organizations discover during a crisis that their backups are incomplete or unrecoverable. Therefore, the auditor reviews the backup plan, its frequency, storage locations, test logs, and the organization’s ability to restore operations within an acceptable timeframe.<\/p>\n\n\n\n
What happens if the accounting system fails? What happens if the internet goes down? What happens if the company suffers a cyberattack? What happens if the organization loses critical data?<\/p>\n\n\n\n
These questions are a crucial part of a business continuity audit. The auditor reviews whether the organization has a clear plan for handling failures and crises, whether responsibilities are clearly defined, and whether employees know what to do in the event of a major disruption.<\/p>\n\n\n\n
An untested plan often fails during a crisis. Therefore, it should not be merely a document on file, but rather a set of realistic, actionable procedures.<\/p>\n\n\n\n
An organization may have a robust system, but the data within it could be inaccurate or incomplete. Therefore, a technical risk review includes examining data quality, such as duplicate customer or supplier codes, missing data, classification errors, or processes modified without adequate documentation.<\/p>\n\n\n\n
Data integrity is crucial because it impacts financial reporting, management decisions, operational analytics, and tax compliance.<\/p>\n\n\n\n
Any modification to a financial or operational system can create risks if it is not properly tested and approved. Examples include modifying permissions, changing the method of tax calculation, adding a new screen, modifying a financial report, or updating an ERP system.<\/p>\n\n\n\n
The auditor reviews change management procedures: Who requests the change? Who approves it? Is it tested before implementation? Is a backup created before the change? Is its impact on operations documented?<\/p>\n\n\n\n
The absence of these controls can lead to system errors that recur without being quickly detected.<\/p>\n\n\n\n
Third: The Relationship Between Operational and Technical Risks<\/p>\n\n\n\n
In practice, operational and technical risks are not separate. The technical system supports operations, and operations rely on data, permissions, and reports.<\/p>\n\n\n\n
For example, weak system permissions can lead to the approval of incorrect payments. The absence of backups can disrupt invoicing and collection processes. Duplicate customer data can negatively impact collections and financial reporting. A lack of inventory tracking can lead to poor purchasing decisions.<\/p>\n\n\n\n
Therefore, risks should be reviewed from a holistic perspective, not as separate, isolated departments.<\/p>\n\n\n\n
How is risk management reviewed within an organization?<\/p>\n\n\n\n
The review process involves several interconnected steps. The auditor begins by understanding the nature of the business and its main processes, then identifies potential risks in each operational or technical cycle. Next, they assess existing controls, test their implementation, identify weaknesses, and finally, provide actionable recommendations to management.<\/p>\n\n\n\n
It is crucial that the recommendations are actionable. The value lies not in a lengthy report filled with jargon, but in clear observations that help management improve controls and mitigate risks.<\/p>\n\n\n\n
Indicators of Weak Risk Management<\/p>\n\n\n\n
Management should be aware of several signs, including frequent recurring errors, reliance on a single employee for sensitive operations, delayed financial reports, persistent inventory discrepancies, excessive permissions within the system, the absence of a tested backup, inadequate documentation of contracts and approvals, and repeated manual payments and reconciliations.<\/p>\n\n\n\n
These indicators do not necessarily mean there is a current crisis, but they do mean the organization is exposed to excessive risks.<\/p>\n\n\n\n
The Role of Management in Strengthening the Risk Management System<\/p>\n\n\n\n
The responsibility for risk management lies primarily with management. Management must establish clear policies, define responsibilities, implement effective controls, review authorizations periodically, invest in data protection, and train employees to adhere to procedures.<\/p>\n\n\n\n
A review reveals weaknesses, but it is not successful on its own if management is not prepared to correct the system.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Reviewing operational and technical risk management within an organization has become essential for protecting the business. Risks do not always manifest as direct losses, but often begin with a weak procedure, uncontrolled authorization, an unsecured system, or inaccurate data.<\/p>\n\n\n\n
A strong organization is not one that does not face risks, but one that recognizes its risks, measures them, establishes practical controls to mitigate them, and continuously reviews these controls.<\/p>\n\n\n\n