Some of the risks that should be considered under the framework of the operational risk management process are:

• Human resources risk. This is related to the risk of losing competent staff, failure to attract appropriate staff, being understaffed for the volume of activity, inadequate training, no succession plan and workplace-related risk (e.g. stress). Part H of these Guidelines provides supporting information on the management of these risks within the actuarial department.
• Governance risk. This relates to the risks arising from poor governance within the institution and may lead to inefficiency in carrying out processes, reputational issues, lack of monitoring of external providers, conflicts of interest, etc. Governance covers a range of different processes and procedures, including reporting (Part D of these Guidelines), peer review processes (Part A), skills and experience of personnel (Part H), meeting professional standards and compliance issues (Part F), and carrying out calculations correctly (Part B). The ISSA Guidelines on Good Governance provide an in-depth generic review of different processes and should be referred to. The ISSA Guidelines on Investment of Social Security Funds provide additional information on investment governance.
• Regulatory risk. This refers to not meeting the legislative requirements relating to the system and may include investing in assets which are proscribed, not meeting minimum service delivery targets or providing necessary information to beneficiaries, and failure to comply with legislated reporting requirements. A number of these risks relate to scheme-related risks but also are part of broader governance risk assessment. Part F provides detailed information on regulatory risks as well as compliance with professional standards, and Part D describes requirements regarding proper communication, reporting and disclosure.
• Reputational risk. This risk includes events that lead to a negative impact on the reputation of the institution and may include failure to pay benefits, a delay in paying benefits, poor service quality, errors in benefits calculations, potential conflicts of interest, etc. Reputational risk may have an important financial impact on the organization. Independent expert review and operational controls, described in Guidelines 10 and 11, could be indicators as well as sources of mitigation of this risk with respect to actuarial work. Guidelines 13, 51 and 25 to 28 also provide supporting information related to the management of this risk. It should be noted that one source of reputational risk is the provision of inadequate or inappropriate benefits and services (referred to in Guideline 33).
• Operational risk. This includes risk relating to the day-to-day operation of the social security system, for example ICT-related risk (such as inadequate testing of new systems and software), contribution collection, record keeping and business continuity. Operational risk can be linked to catastrophe risk since a flood, hurricane or tsunami can cause the loss of buildings or facilities (hospitals, clinics. etc.). This risk is directly related to the scheme objectives and financing risks set out in Guideline 33 and can include:
• poor communication and information provision (leading to the possibility of claims for compensation and adverse judgements by ombudsmen);
• problems with contribution collection (jeopardizing financing of the scheme and reducing effective coverage rates);
• lack of a disaster recovery plan; and
• inadequate record keeping and complex claims procedures (reducing effective coverage rates).

The ISSA Guidelines on Information and Communication Technology and ISSA Guidelines on Contribution Collection and Compliance assist social security institutions in mitigation of this risk. In respect of actuarial involvement, reference should in particular be made to Guidelines 2, 27, 28 and 50, as well as Part B of these Guidelines.