Features of enterprise risk management associated with operational risks

Introduction

The implementation of entrepreneurial activity is directly related to the concept as "risk". According to legal terminology, each action legal entities (organizations) and individual entrepreneurs in the process of carrying out activities aimed at making their profits conjugate risk to one degree or another. The legal relations associated with entrepreneurial activity, whether to conclude a transaction between two organizations, the labor relations between the employer and employees of the company or the actions of a group of companies aimed at legitimate taxation in the framework of the holding, carry all sorts of risks, both for the company itself and for its participants and employees.

The risk of non-fulfillment of contractual obligations for the supply of paid-in-advance goods, the risk of losing opportunities to pay to the lender due to the review of the bank's license to carry out banking operations, in which the entrepreneur will open the current account, as well as the risks of administrative penalties, including in the form of suspension of activities for the decision of the tax or customs authority, are just some examples of the numerous situations are not always possible to predict within the entrepreneurial activities. The fact that entrepreneurial activity is associated with a risk of reducing or complete loss of assets combines these situations. In order, as far as possible, to minimize the number of such situations, an entrepreneur needs an understanding of the specifics of a particular type of risk, as well as knowledge of how to manage them. The article discusses various options for classifying the risks of entrepreneurial activity and the factors that determine them.

Insufficient attention to the problem of risk minimization on the part of business entities is manifested in: inability to analyze and assess the degree of risk, lack of a well-developed management policy and optimization of business activities, poor elaboration of procedural issues of risk reduction. All this, ultimately, hinders the development of modern society as a whole and leads to the degradation of economic relations.

Purpose of the work: within the framework of the concept of corporate risk management ERM, to study the basic types of risks (operational, credit, market and economic one) and assess their role in the modern economy, to analyze external and internal operational risks and propose approaches to their quantitative assessment.

Theoretical Basis

Risk classification allows distributing them into some homogeneous clusters, and then applying specific methods for risk management of their analysis and evaluation. The classification allows clarifying possible risk types in the specific activities of the subject of the economy. One of the possible approaches to the classification of the risks offered by Erisk (Risk24.ru, 2021) is shown in the Figure 1.

Figure 1. Possible risk classification (Source: Risk24.ru, 2021)

As part of ERM concept, the basic types of risks are given: operational, credit, market and economic one. ERM includes methods and processes of risk management and assessment of opportunities to achieve the goals specified by the decision makers. The authors briefly defined the specified risks as follows:

• credit risk is the loss from the reluctance or the impossibility of partners to fulfill their financial obligations;
• operational risk (OR) is related direct losses from incorrect behavior of staff, inadequate implementation of internal business processes or external events;
• market risk is the deterioration of the financial situation due to changes in market dynamics, (participation of foreign capital, interest rates, price of shares);
• economic risk is caused by errors in making management decisions or in case of economic activity.

According to the materials (Weforum.org, 2020) for 2020, the following trends were observed in changing the dynamics of priorities of socioeconomic risks (Figure 2).

Figure 2. Dynamics of global risk trends: a) – Economic; b) – Enviromental; c) – Geopolitical; d) – Societal; e) Technological (Source: authors)

Methodology

In the financial field, a cluster approach is usually applied to identifying and systematizing the risks of the subjects of the economy when building internal risk management systems. According to the authors, the most advanced in this area are the requirements relating to the activities of financial institutions (including in the field of economic and information security). In particular, having studied the methods of classifying risks under Basel II Accords, we can be understand that it is used the basis of the principle of a multidimensional risk classification: an approach in the form of a surround-geometric model with axes (consolidation levels, business lines and types of risks, time horizons).

Next, we are going to consider in more detail operating and economic risks as the most frequent in the activities of the subjects of economic relations directly affecting their economic and information security. At the same time, the risks associated with the violation of the continuity of business processes, which enterprises face in their activities, can be included in various classification risk systems grouped by several criteria.

These include an extensive list of types of risks, for example, internal business errors: process risks, legal risks, risks of using an unsuccessful model of business management and risks of lack of liquidity to ensure uninterrupted financing of business processes.

According to ERM concept and Basel II Accords, a group of risks involving the consequences of violation of the continuity of business processes correspond to the type of OR. Formally speaking, it can be considered a very wide range of probable negative results of enterprises that are not related to market and credit risks (Risk24.ru; 2021).

OR are described in more detail in Basel II as "risks of direct or indirect losses arising due to inadequate internal processes, improper behavior of staff or external events" (Vyatkin et al., 2016). The loss caused by unsuccessful management solutions is not included in OR, and, according to ERM classification, these losses are related to business risks. Some examples of operational losses associated with the discretization of business processes include direct faults of computer equipment and caused by accident at the production, consequences of various legal actions, natural disasters, terrorist attacks, fires, etc.

Economic practice shows that the variety of areas of the emergence of OR at all stages of economic activities of enterprises makes it appropriate to grouping them in categories for internal and external OR.

Internal OR are possible negative consequences as a result of not very successful (or self-contained) actions of people, business processes (mistakes of methodology, execution and violation of risk limits) and technologies which every enterprise may face. Most of the consequences described are unforeseen, which makes these risks indefinitely, little predictable and periodic. Systematic data collection in this area goes back to 2004 after the adoption of Basel II Accords, that is, there is few accumulated statistical material.

External OR are related to the impact of external circumstances: change of political regime, technological breakthroughs, change in legal norms and procedure for their application, natural disasters and strategic changes in the company's activities. These risks are a measure of the success of the reaction to external factors chosen by the company's management company.

Taking into account world practice, it makes sense to apply the following as OR assessment methods: basic-indicator (BI), standardized (S) and advanced measurement approach (AMA).

With the first BI method of calculating risk capital (RC) for OR fixed percentage α (for banks, for example, a value of 15% is recommended) is taken from the average for the three previous year's positive annual revenues of the organization and is calculated by the following formula:

                                                                (1)

where Gross Income (GI) is a positive, Zt is the number of previous three years with a positive gross annual income, t is the index of the year, Gt-i is the gross annual income per year t-i. Changing RC is conducted annually.

                                  (2)

The third AMA method implies an assessment of expected and spontaneous losses on OR, capable of covering probable "tails" of the functions of damage to the risks. A similar approach is an attempt to calculate the necessary redundant capital to protect against possible OR events that allow rare, but random and asynchronous peak values of losses in the so-called "tightened tails" of distributions.

As part of this method, OR are divided into eight business lines with seven types of risky events in each: “internal deception, external deception, workplace safety, customers and products, damage to physical assets, business reduction and processes management” (Krichevsky, 2012).

The collected actual data on losses exceeding the specified threshold is presented as follows:

 }                             (3)

where  specifies the k-th of the loss of type l for the business line b in the year t-i; ; T≥5 years;

 is the number of such losses. It should be noted that for each category (i, b, l) some threshold values may be introduced by the decision-making (business analyst), and in practice, losses, smaller thresholds neglected.

They are summed first for each type of business

                                                  (4)

and then according to the summary losses:

.                                                                            (5)

The loss data is used to calculate a risk measure similar to Value at Risk (VaR) for the found distribution function of the loss value of the next year with a confidence probability in the range of 0.99-0.999. Thus, the value of VaR at the level of value (α), usually from 0.001 to 0.0025 takes the following form:

.                                                               (6)

what is equal to quantil the loss distribution functions describing the temporary statistical row from the corresponding levels of OR.

It is clear that the extremely high values of the trust probability are oriented reserves by losses from OR on the level of the row level, which are characteristic of almost 100% of the case of losses from the collected statistical series. This is done in an attempt to cover the extreme values of losses characteristic of OR, through the total VaR by type of business.

Also all of the above risks have a significant impact on the continuity of the business processes being implemented by the subject of the economy, which in turn affects their competitiveness and value of the business, namely their economic and information security.

GOST R ISO 22301-2014 (State Standart, 2015) specifies the requirements for effective Business Continuity Management System (BCMS) to protect against incidents, lowering the likelihood of their appearance and developing the response and recovery after incidents. The activities of the enterprise can be described through the synergistic interaction of dynamic contour streams (material, energy, information, financial and personnel) (Pitelinskiy, 2007a). To reduce the risk of incidents and its structural optimization, it makes sense to apply the methods of simulation (Alibekov et al., 2020).

BCMS is an element of an organization's management system that includes organizational structure, planning activities, policies, distribution of responsibility, processes, procedures and resources.

So, according to the authors, effective BCMS should:

• ensure the implementation of business processes in terms of incidents and generated violations, as well as planning the continuity of business operations;
• take into account the influence of the risk of incident and uncertainty factors.

It is necessary to clearly understand which resource and organizational conditions are needed and sufficient to ensure the activities of the enterprise at the desired level of its effectiveness (which can be established as a set of target values of key parameters related to the company's activities).

In practice, there is always a current organizational structure of an enterprise in the activities of which, with a certain probability, incidents arise that distort the implemented business processes and adversely affect the effectiveness of its activities.

There are two methodological approaches to the study of possible incidents and their degree of influence on the business processes implemented by the enterprise:

• by conducting a number of certain bubble events and optimize their resource provision. Events are performed in some sequence and minimize the possibility of an incident;
• by representing an incident that arises with a certain probability in the form of a multidimensional random variable, whose characteristics are studied by methods of statistical modeling (through a directed computing experiment) to assess the severity of its effects and frequency of occurrence.

Also, within the framework of solving the problem indicated in the article, it seems necessary to identify the discrepancy between the design and actual metrics of the organizational structure (establishing its structure and functioning schemes based on the needs of a particular organization) to solve the optimization problem for dynamic contour flows (information, financial, material, energy and staff) enterprises/organizations:

е=│rk — pk│→min,                                                            (7)

where k is the considered hierarchical level of the system; pk, rk are the actual design and measured metrics at the k-th level of the hierarchy (Pitelinskiy, 2007a).

Results

Next, we consider the relation of the activities of a decision maker (organization management) with the emergence of economic risks that caused the threat of economic and information security of the economic entity and the possible consequences of a legal nature for them.

The legal concept of "risk" is used by the Russian legislator to determine the essential characteristics of entrepreneurial activities. So, according to paragraph 1 of article 2 of the Civil Code of the Russian Federation, civil legislation regulates relations between entrepreneurial persons based on the fact that entrepreneurial is an independent carrying on its risk activities aimed at systematic profit from the use of property, sales of goods, fulfillment of works or providing services by persons registered in this quality in accordance with the procedure established by law (Civil Code of the Russian Federation No. 51-FZ, 1994).

The absolute majority of participants in entrepreneurship are not individual citizens, but individual entrepreneurs and organizations or legal entities under the legislation of the Russian Federation. At the same time, the concept of "organization", "legal entity" and "corporation" used in legal vocabulary is legal fiction, and any actions committed by the organization creating legal facts depend on the will of a particular individual holding the position of the head (director) of the organization and / or a number of individuals in the management bodies of the organization.

Assessing the circumstances of the business entity; they evaluate their relativeness not just to the "ordinary business risk, but use "reasonable entrepreneurial risk" (Vlasova and Udalova, 2020).

This term in judicial practice is used in many different situations, in particular, such as the rise in prices for materials used in the execution of the contract, in the event of coordination by the parties to its solid price; the disadvantage of the expected financial results from the activities of a commercial organization in the absence of evidence of its execution by the juridical order, leading to losses, when resolving the issue of compulsory liquidation of a legal entity in court under the claim of its participant; possible additional expenses of economic entities, such as the costs associated with the development of the land plot, transfer the gas pipeline outside the land plot, etc. (Vlasova and Udalova, 2020).

The category "Normal Entrepreneurial Risk" was widely used in the context of the responsibility of the head of the legal entity, and in fact, the provisions of article 53.1 of the Civil Code of the Russian Federation indicate some generalized standardized rules for the behavior of the director who follow most of the entities of business activities. At the same time, modern business conditions are forced to leave the usual options for action, which is why the category "ordinary entrepreneurial risk" cannot be considered certain. It should be noted that when evaluating the result of certain unprofitable deals of the company for compliance with ordinary entrepreneurial risk, it is advisable to consider the possible long-term effects of perfect actions, because in order to maximize profits in a long period, in the short term, the company may have unprofitable transactions. The economic feasibility of activity here is determined by the chosen strategy for the development of a particular legal entity, which in the short term may require significant investments in order to extract profits in subsequent periods.

Therefore, the court should characterize the actions of the head as contrary to the interests of a legal entity and not corresponding to "ordinary entrepreneurial risk" only when while the company's damage is to proven, the total lack of a long-term strategy for obtaining any profit will be proven as well. In that case, if the probability of profit at the time of decision has existed, the court should not refute the presumption of the faithfulness of the head, even if the economic efficiency of the decision was reduced.

The director can be held accountable in the form of losses in the following cases:

• unreasonable admission to the work of the employee (losses are that such an employee has received wages in the absence of a real need for its work, in the expenditures of the organization related to the dismissal of such an employee, for example, the payment of the output benefit, etc.) (Resolution of the Federal Arbitration Court of the Ural District, 2011);
• causing the organization of damages by the actions or inactions of an employee or a counterparty in a civil-legal contract, including when these persons were obviously unfair, or the control over them was not properly organized (Resolution of the Federal Arbitration Court of the Ural District, 2007);
• causing damages due to improper organization of work (protection, accounting, etc.) (Resolution of the Federal Arbitration Court of the East Siberian District, 2013).

At the same time, the Resolution of the Plenum of the Supreme Arbitration Court of the Russian Federation of July 30, 2013 №62 "On some issues of compensation for damages by persons belonging to the legal entity bodies" (Resolution №62) (Resolution of the Plenum of the Supreme Arbitration Court of the Russian Federation, 2013) gives space for discretion to the Court indicating the need to take into account the size of the business and other circumstances.

At the same time, it is unlikely to be considered justified and arbitrary the shifting by the director of their responsibility on other persons, if, according to a staffing schedule, a small team works in the organization, for example, consisting of less than ten employees. A similar approach is applicable when considering the relationshi between the company with counterparties: depending on the size of the business and the commercial significance of the contract, the director is obliged to maintain a certain sphere of direct control.

Increased norms contain foreign law and order. For example, according to the laws of the Federal Republic of Germany, the responsibility of the head of the organization includes planning and business control, including financial issues, investments and human resources. The legislation of the Austrian Republic imposes on the director the obligation to establish the organizational structure in the company and to form control mechanisms (Gerner-Beuerle et al., 2013).

It is incorrect to put the equal sign between the requirement to take informed solutions and the requirement to prevent errors, which, however, does not justify the unqualified actions of the manager, not even attempted to collect the information necessary for making a decision. Since it is understood that the director is a person who can manage property more efficiently than the owner (one of the motives of the property, management and in the broad sense specialization), a decrease in the scope of the requirements for the director seems unreasonable.

Therefore, it is only possible to welcome the preservation in paragraph 3 of the Resolution №62 of the indication that the actions or innactions of the Director are unreasonable if he accepted the management decision without taking into account the information known to it, which is important in this situation, or before making a decision, did not take action to receive the information necessary and sufficient for its adoption, which are common to business practices under similar circumstances, in particular, if it has been proven that with the existing circumstances, a reasonable director would postpone the decision before receiving additional information. At the same time, in Resolution №62, it is rightly emphasized that it is necessary to collect the amount of information that is usually collected under similar circumstances: typical example is the verification of the powers of a counterparty on information from the register of real estate rights when concluding a real estate purchase and sale transaction. Thus, the director, defining the circle of the collected information, is obliged to take into account the nature of the upcoming decision, and most importantly, how large will the costs of obtaining information be in comparison with the potential benefit from the decision.

Also, in a number of foreign law enforcement as a protective presumption for the directors of companies from lawsuits to attract them to liability for causing losses, the doctrine of the protection of a business (management) decision (Business Judgment Rule) is valid, which has received its most complete development and consolidation in the decisions of the state of Delaware (USA) in the second half of the 20th century, and at present in different variations exists in most countries with a system of general (case) law, including the United States, Canada, England and Wales, as well as Australia.

Discussion

The following possible steps to minimize the negative consequences of incidents for the enterprise during the implementation business processes are seen:

• study of theoretical sources on the problems of studying management activities in the conditions of risk factors and uncertainty;
• systematization, generalization and processing of accumulated theoretical and practical management developments for further applications in practice, staff training, etc.;
• identification of a resource and theoretical and methodological basis for optimal management decisions of the enterprise in specific conditions;
• development (or correction) of the already established organizational structure of management, forms and methods and the composition of implemented business processes.

Due to the variability of ways and ways to improve the efficiency of the enterprise / organization, and taking into account the important role of their management system, when implementing the mechanism for improving production efficiency, it makes sense to use an automated decision-making system to choose a rational way to improve the quality of business processes implemented (Shendrikova, 2013). Also in the works of this author, a system of information and analytical support of the production efficiency mechanism is studied, which correlates with the concept of controlling the dynamic contour streams of the organization (Pitelinskiy, 2007b).

The use of a systematic approach in the logistics management "... provides end-to-end management of streaming processes, improves the quality of control and contributes to the occurrence of a synergistic effect. In the context of globalization, economic crisis and sanctions, the increasing role of logistic costs, the formation of logistics systems on the methodological basis of the logistics theory and in the framework of the system paradigm using a combination of process and object approaches is an important element in improving the management efficiency of a modern dynamically developing enterprise" (Sokolova and Karkh, 2016).

The problem of improving the reliability of production and organizational systems based on the use of logistics principles allows (with the help of effective management and organization) to provide optimal control impacts on them in order to increase efficiency, reliability, competitiveness and adaptability. This is a positive effect on their economic and information. Security as subjects of economics.

Through the use of mathematical modeling, the management subject can optimize, track its dynamics of operation and offer a set of possible variants of system models to select a decision maker. Most real complex systems exist in conditions of uncertainty, which is why they cannot be described by deterministic models.

In order to minimize the mismatch of the control parameters, we can apply the theory of automatic control (TAC). As part of TAC conceptual apparatus (Rizun and Taranenko, 2014), there is the concept of modeling the decision-making process by a decision maker that will develop the theory of decision-making in terms of studying and classifying the specifics of human mental processes, depending on external conditions. It has been established that the main difference between rational and intuitive-heuristic decision-making models is the phenomenon of “enrichment” of incoming information with individual features of the decision maker, which are described within the framework of TAC methodological tools and simulation modeling (SM). These authors obtained a taxonomy of typical TAC elements and studied their compliance with standard decision-making models (from the point of view of the specifics of the implementation of the management decision-making process and the behavior of a decision maker for a certain period of their professional activity). It should be noted here that the choice of a decision maker of a specific strategy for managing an organization is greatly influenced by the existing regulatory framework of economic activity.

Since the definition of organization quality metrics is a rather complex process, it will require the use of a computer. An analytical solution to the problem posed is hampered by random fluctuations of its parameters, which is why it is better to apply SM methods.

SM is a research method that simulates the process of functioning of a system or its elements. The essence of SM is in the implementation of algorithms that simulate the behavior (its characteristics and properties) of a real system of algorithms in the composition, volume and range of changes in its parameters, which are appropriate for the study of the system (according to the decision maker). SM is simpler than directed organization experiments for real systems, because it is often possible to observe situations where experiments on real systems are unacceptable. SM allows taking into account the presence of continuous and discrete elements of the system, their nonlinearity, random disturbances and other factors that complicate the conduct of analytical studies. SM is an effective method (and sometimes the only one especially in design) of studying large and poorly structured systems.

Each decision maker needs to know the classification and the basics of developing management decisions, because the efficiency of the companies depends on their efficiency and quality. SM gives the decision maker the number of management decision alternatives (as a set of instances of models that are optimal in a sense). The main advantage of SM is the ability to build a model under conditions of uncertainty without having complete and accurate data, and to find out "what will happen if ...?"

To do this, the decision maker needs to set:

• method for solving a number of standard management tasks and the choice of the appropriate toolkit depending on the laws of development of objects of a particular class;
• parameters of the entrance to the decision-making system or the types of situations studied through SM;
• system of functional parameters at the output of SM, for allowing the adoption of alternative management decisions to avoid or eliminate the problems that have arisen in the activities of the organization.

For example, in (Bogdanova and Sherstyankina, 2017), SM was studied as a tool for the functioning of an organization, for obtaining management decisions close to optimal results by identifying their shortcomings even at the stage of forecasting goals and with the implementation of management goals, taking into account the identified problems. It is noted that in this way it is possible to increase the efficiency of the management process in general and the managerial decisions made by the decision maker in particular.

With SM, the algorithm that implements the model reproduces the process of the system's functioning in time, and simulates its constituent phenomena, their temporal dynamics and logical structure. This makes it possible for the decision maker to determine the parameters of the process state at given points in time using the initial conditions. To apply SM in practice, we need an algorithmic implementation of (pseudo) random functions in them. Typically, SM is most widely used in the form of queuing systems or networks (Walrand, 1993).

Conclusions

Within the framework of the concept of corporate risk management ERM, the basic types of risks (operational, credit, market and economic) are studied and statistical results are presented that characterize their role in the modern economy.

OR began to be viewed as an independent class only relatively recently. This is caused, in our opinion, by the preparation of the financial sector for a new long cycle, or the transition to a new technological order, accompanied by general instability and an increase in systemic (external) OR. The focus of the new paradigm on the “human factor” in general and on highly skilled labor in particular (that is, the widespread informatization and intellectualization of the business processes being implemented) increases the cost of an error in the organization's activities. All this makes the problem of protection against this class of risks extremely urgent, because it is directly related to the comprehensive provision of information and economic security.

According to the authors, the developed tools for mathematical and numerical modeling will make it possible to obtain qualitative and quantitative characteristics of the dynamics of business processes in the key of interest to the decision maker. A detailed analysis of external and internal operational risks has been performed and probabilistic models for their quantitative assessment have been proposed. A model for describing and optimizing the activities of an enterprise/organization is proposed, given in the form of interaction of dynamic contour flows (Pitelinskiy, 2007a). To reduce the risk of incidents and optimize the consumption of available resources, it seems promising to use SM methods and tools as a metrological toolkit, as well as the harmonizing principle of the “golden section” with fractal properties (Pitelinskiy, 2018).

Determined that in the case of the implementation of ordinary entrepreneurial risk, very significant consequences can cause incorrect actions of the management of the organization, which may involve significant threats to the information and economic security of an economic entity, entailing consequences of economic, organizational and legal nature. The court should give a legal assessment to such actions, interpreting the wrong actions of the management as going against the interests of the economic entity and, using specific examples from business practice, justifying their difference from the actions of the head, performed within the framework of “ordinary business risk”. However, here it is important not to cross the fragile line separating the conscientious but not very effective actions of the organization's top management from situations when officials act cynically abusing their position in their personal interests or in the interests of any group of people and not in the interests of the organization they lead.