Senior Management typically has one of two perspectives on risk. In the traditional Enterprise Risk Management (ERM) view, the goal is to find the perfect balance of risk and reward. Sometimes, the organization will accept more risk for a chance to grow the organization more quickly, while other times the focus switches to controlling risks with slower growth. The Operational Risk Management (ORM) perspective is more risk-averse, focusing on protecting the organization. Keep reading to get an in-depth overview of Operational Risk Management, including the five steps of the ORM process.
What Is Operational Risk Management?
Operational risk is the risk of loss as a result of ineffective or failed internal processes, people, systems, or external events that can disrupt the flow of business operations. These operational losses can be directly or indirectly financial. For example, a poorly trained employee may directly lose the company a sales opportunity, or a company’s reputation can suffer indirectly from poor customer service.
Operational risk can refer to both the risk in operating an organization and the processes management uses when implementing, training, and enforcing policies. Operational risk can be viewed as part of a chain reaction: overlooked issues and control failures can— whether small or large — lead to greater risk materialization, which may result in an organizational failure that can harm a company’s bottom line and damage its reputation. While operational risk management is considered a subset of enterprise risk management, it excludes strategic, reputational, financial, and market risks, focusing on unsystematic risks.
Examples of Operational Risk
Operational risk permeates every organization and every internal process. The goal of the operational risk management function is to focus on the risks with the most impact on the organization and to hold employees who manage operational risk accountable.
Examples of operational risk include:
- Employee conduct and employee error
- Breach of private data resulting from cyber attacks
- Technology risks tied to automation, robotics, and artificial intelligence
- Business processes and controls
- Development and introduction of new products
- Physical events, such as natural disasters
- Internal and external fraud
- Workplace safety risks
A Brief History of Operational Risk
Over the last two decades, the methodology for evaluating internal controls and risks has become more and more standardized. The standardization has been in response to government regulators, credit-rating agencies, stock exchanges, and institutional investor groups demanding greater levels of insight and assurance over companies’ risk-control environment; that is, risks and the effectiveness of controls in place to mitigate them. Originally geared towards financial services, the emphasis on standardized risk management was partially driven by the Basel Committee on Banking Supervision (Basel Committee), which was founded in 1974 and includes a number of international members. Since then, the discipline of risk management has spread beyond the financial and banking industries. The release of COSO’s Internal Control-Integrated Framework in 1992 and the Sarbanes-Oxley Compliance Act of 2002, fueled by financial fraud at WorldCom and Enron, have led to increased pressure on the need for organizations to have an effective operational risk management discipline in place. In the U.S., the greatest pressure for increased involvement of senior executives in risk oversight comes from the audit committee. More recently, COSO released an Enterprise Risk Management Framework. After working with these frameworks for several years, many risk managers have moved to an operational risk management process.
Table: Loss Event Types and Examples Defined by the Basel Committee
Table source: FDIC Operational Risk Management
How Operational Risk Management Works
When dealing with operational risk, the organization has to consider every aspect of its objectives. Since operational risk is so pervasive, the goal is to reduce and control every risk to an acceptable level. Operational Risk Management attempts to reduce risks through the linear process of risk identification, risk assessment, measurement and mitigation, monitoring, and reporting while determining who manages operational risk.
These stages are guided by four principles:
- Accept risk when benefits outweigh the cost.
- Accept no unnecessary risk.
- Anticipate and manage risk by planning.
- Make risk decisions at the right level.
Risk Identification
Operational Risk Management begins with identifying what can go wrong. As a best practice, a control framework should be used or developed to ensure completeness. Identifying risks begins with scenario analysis — taking a look at the challenges facing the business and pinpointing areas that could disrupt operations or pose another risk to the organization.
Risk Assessment
Once the risks are identified, the risks are assessed using an impact and likelihood scale, also known as a Risk Assessment Matrix. At this stage, risks are categorized by type of risk and level of risk.
Measurement and Mitigation
In the risk assessment, risks are measured against a consistent scale to allow the risks to be prioritized and ranked compared to one another. The measurement also considers the cost of controlling the risk related to the potential exposure.
Monitoring and Reporting
Risks are monitored through an ongoing risk assessment to determine any changes over time. The risks and any changes are reported to senior management and the board to facilitate decision-making processes.
Primary Objectives of Operational Risk Management
As the name suggests, the primary objective of Operational Risk Management is to mitigate risks related to the daily operations of an organization. The practice of Operational Risk Management focuses on operations and excludes other risk areas such as strategic and financial risks. While other risk disciplines, such as Enterprise Risk Management (ERM), emphasize optimizing risk appetites to balance risk-taking and potential rewards, ORM processes primarily focus on controls and eliminating risk. The ORM framework starts with risks and deciding on a mitigation strategy.
Operational Risk Management proactively seeks to protect the organization by eliminating or minimizing risk.
Depending on the organization, managing operational risk could have a very large scope. Some organizations might categorize fraud risks, technology risks, as well as the daily operations of financial teams like accounting and finance as part of this umbrella. The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution’s business functions.” Given this viewpoint, the scope of operational risk management will encompass cybersecurity, fraud, and nearly all internal control activities.
Applying a control framework, whether a formal framework or an internally developed model, will help when designing the internal control processes. One approach to understanding how ORM processes look in your organization is by organizing operational risks into categories like people risks, technology risks, reputational risks, and regulatory risks.
People
The people category includes employees, customers, vendors, contractors, and other stakeholders. Employee risk includes human error and intentional wrongdoing, such as in cases of fraud. Risks include breach of policy, insufficient guidance, poor training, bad decision-making, or fraudulent behavior. People can pose a risk to the organization even externally, as social media is more and more likely to have an impact on business. Risks associated with people can be especially sensitive and tricky, especially since people play a role in every aspect of an organization’s operations. Fostering a healthy risk culture through training and regular communication is key to managing this area of risk.
Technology
Technology risk from an operational standpoint includes hardware, software, privacy, and security. Technology risk also spans the entire organization and affects the people category described above. Hardware limitations can hinder productivity, especially when in a remote work environment. Software too can reduce productivity when applications suffer an outage or employees lack training. Software can also impact customers as they interact with your organization. External threats exist as hackers attempt to steal information or hijack networks. This can lead to leaked customer information and data privacy concerns.
As technology expands to play a larger role in all of our lives risks in this space become increasingly significant and complex. If not included already, business continuity plans should address risks related to technology failures and other disruptions.
Regulations
Risk for non-compliance to regulation exists in some form in nearly every organization. Some industries are more highly regulated than others, but all regulations come down to operationalizing internal controls. Over the past decade, the number and complexity of rules have increased and the penalties have become more severe.
Understanding the sources of risk will help determine who manages operational risk. Enterprise Risk Management and Operational Risk Management both address risks in the same areas but from different perspectives. To consolidate these disciplines, some organizations have implemented Integrated Risk Management or IRM. IRM addresses risk from a cultural point of view. Depending on the objective of the particular risk practice, the organization can implement technology with different parameters for teams like ERM and ORM.
Steps in the ORM Process
While there are different versions of the ORM process steps, Operational Risk Management is generally applied as a five-step process. All five steps are critical, and all steps should be implemented.
Image: Steps in the ORM Process
Image source: PWC Operational Risk Management
Step 1: Risk Identification
Risks must be identified so these can be controlled. Risk identification starts with understanding the organization’s objectives. Risks are anything preventing the organization from achieving its objectives.
- Process Analysis: Review internal processes, including production, IT, human resources, and customer service, to identify potential fail points or vulnerabilities.
- Loss Data Analysis: Examine historical loss data within the organization to identify trends and areas of concern. This includes financial losses, data breaches, compliance violations, and any incidents that disrupted operations.
- Risk Workshop and Interviews: Conduct workshops and interviews with employees at various levels to gather insights on perceived risks, potential areas of improvement, and past incidents.
- External Event Analysis: Consider external events and changes in the regulatory landscape that could impact operations. This includes industry trends, technological advancements, and geopolitical events.
- Scenario Analysis: Develop hypothetical scenarios to identify potential risks and their impact. This helps in understanding the organization’s resilience and preparedness for unlikely but impactful events.
Step 2: Risk Assessment
Risk assessment is a systematic process for rating risks based on likelihood and impact. The outcome of the risk assessment is a prioritized listing of known risks, along with the risk owner and risk mitigation plan, also known as a risk register. It may not be possible or advisable for an organization to address all identified risks — thus, prioritization is critical for the management of operational risk and points project teams to the most significant risks. This risk assessment process may look similar to the risk assessment done by internal audit, and should, in fact, be informed by prior audit reports and findings.
Step 3: Risk Mitigation
The risk mitigation step involves developing and choosing a path for controlling specific risks. In the Operational Risk Management process, there are four options for addressing potential risk events: transfer, avoid, accept, and mitigate.
- Transfer: Transferring shifts the risk to another organization. The two most common means for transferring are outsourcing and insuring. When outsourcing, management cannot completely transfer the responsibility for controlling risk. Insuring against the risk ultimately transfers some of the financial impacts of the risk to the insurance company. A good example of transferring risk occurs with cloud-based software companies. When a company purchases cloud-based software, the contract usually includes a clause for data breach insurance. The purchaser is ensuring the vendor can pay for damages in the event of a data breach. At the same time, the vendor will also have their data center provide SOC reports showing there are sufficient controls in place to minimize the likelihood of a data breach.
- Avoid: Avoidance prevents the organization from entering into a risk-rich situation or environment. For example, when choosing a vendor for a service, the organization could choose to accept a vendor with a higher-priced bid if the lower-cost vendor does not have adequate references.
- Accept: Based on the comparison of the risk to the cost of control, management could accept the risk and move forward with the risky choice. As an example, there is the risk an employee will burn themselves if the company installs new coffee makers in the break room. The benefit of employee satisfaction from new coffee makers outweighs the risk of an employee accidentally burning themselves on a hot cup of coffee, so management accepts the risk and installs the new appliance.
- Mitigate: Mitigating risks involves implementing action plans and controls that reduce the likelihood of the risk and/or the impact it would have if the risk were realized. For example, if an organization allows employees to work from home, there is a risk of data leakage due to the transmission of data across the public internet. To mitigate this risk, management might implement a VPN service and have remote users access the business network through VPN only. This would reduce the likelihood of data leakage, thereby mitigating the risk.
We’ve mentioned a few times that very few risks can be eliminated. Noting the residual risk — the risk remaining after mitigation — is an equally important part of the risk mitigation phase of ORM.
Step 4: Control Implementation
Once risk mitigation decisions are made, action plans are formed, and residual risk is captured, the next step is implementation. Controls should be designed specifically to address and mitigate the risk in question. The control rationale, objective, and activity should be formally documented so the controls can be clearly communicated and executed. Controls might take the form of a new process, an additional approver, or built-in controls that prevent end users from making errors or performing malicious activities. Whenever possible, controls should be designed to be preventive, rather than detective or corrective. With risk management and medicine, it seems the best cure is prevention. That said, it may be impossible to prevent a risk from occurring, which is where detective controls come into play. Detecting anomalies and then correcting them may be sufficient to mitigate certain risks.
Most likely, your organization already has some controls in place to combat risks. It’s still wise to review those controls on an annual basis (at minimum) and determine whether additional controls are needed if there are gaps in the control, or if the control is sufficient to address the risk and requires no changes.
Step 5: Monitoring
Since controls may be performed by people who make mistakes, or the environment could change, controls should be monitored. Control monitoring involves testing the control for appropriateness of design, and operating effectiveness. Any exceptions or issues should be raised to management with action plans established.
Within the monitoring step in the Operational Risk Management strategy, some organizations, especially in financial services, have adopted continuous monitoring or early warning systems built around key risk indicators (KRIs). Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposure in various areas of the enterprise. KRIs designed around ratios monitored by business intelligence applications are how banks can manage operational risk, but the concept can be applied across all industries. KRIs can be designed to monitor nearly any potential risk and send a notification. As an example, a company could design a key risk indicator around customer satisfaction scores. Falling customer satisfaction scores could indicate customer service representatives are not being trained or that the training is ineffective.
State of Operational Risk Management
In the last five years, U.S. organizations have experienced significant increases in the volume and complexity of risks, with 32% of companies experiencing an operational surprise in that time period (see figure above). As organizations grow and evolve, so do the complexity, frequency, and impact of poorly managed risks. Losses from failure to properly manage operational risk have led to the downfall of many financial institutions — recent bank collapses are speculated to have been caused by poor operational risk management and decision-making around the valuation of assets. Moreover, growing pressure from the board for increased risk oversight also points to the importance of having a strong operational risk management practice in place. But how many organizations actually do?
According to a 2017 ERM Initiative study commissioned by the Association of International Certified Professional Accountants, risk management practices around the world are relatively immature: less than 30% of global organizations have “complete” enterprise risk management processes in place. This may suggest a disconnect between operational and enterprise risk management and strategy execution in organizations.
Challenges and Shortcomings of Operational Risk Management
In many organizations, operational risk management is one of the most tenuous links in their ability to meet the demands of customers and stakeholders. While operational risk management is a subset of enterprise risk management, similar challenges like competing priorities and lack of perceived value affect proper development among both programs. Some common challenges include:
- Organizations do not have sufficient resources to invest in operational risk management or ERM.
- Lack of communication and education around the importance of operational risk management and the consequences of operational failures on a company’s bottom line.
- Lack of awareness, interest, or appreciation across boards and C-suite executives regarding operational risk management.
- Lack of consistent methodologies to measure and assess risk poses challenges when it comes to providing an accurate portrait of an organization’s risk profile.
- Establishing standard risk terminology to be used moving forward, which is conducive to successful Risk and Control Self-Assessments (RCSAs).
- Processes are varied and complex due to changes in technology.
- ORM is often consolidated into other functions, such as compliance and IT, preventing ORM from receiving appropriate attention.
- Operational Risk Management programs can be manual, disjointed, and over-complicated, mostly because ORM developed as a reactive function in response to regulations and compliance.
Benefits of a Strong Operational Risk Management Program
Establishing an effective operational risk management program helps achieve an organization’s strategic objectives while ensuring business continuity in the event of business disruptions and system failures. Having a strong ORM also demonstrates to clients that the company is prepared for crisis and loss. Organizations that can effectively implement a strong ORM program can experience improved competitive advantages, including:
- Better C-suite visibility.
- Better informed business risk-taking.
- Improved product performance and better brand recognition.
- Stronger relationships with customers and stakeholders.
- Greater investor confidence.
- Better performance reporting.
- More sustainable financial forecasting.
Effective operational risk management can save an organization in monetary costs by preventing or correcting loss events. ORM encourages the optimization of business practices to make them more efficient and effective. Fostering an operational risk mindset equips an organization to adapt to the future.
Developing an Operational Risk Management Program
In the process of creating an operational risk framework and program, areas the risk management team should focus on include:
- Promoting an organization-wide understanding of the program’s value and function.
- Leveraging technology to implement an automated approach to monitoring, aggregating, and collecting risk data.
- Establishing an effective method for evaluating and identifying principal risks in the organization and a way to continuously identify and update those risks and associated measures.
- Focus on helping the organization reduce material risk exposures while encouraging activities where the potential benefits outweigh the risks.
- Focus on partnering ORM with other functions in the organization to better embed best practices into the organization.
The Risk and Control Self-Assessment
Developing an operational risk program begins with risk management teams engaging with business process owners in identifying the risks and controls in the organization. While every organization will approach measuring operational risk differently, one of the first steps to understanding the nature of operational risks in your organization is through a Risk and Control Self-Assessment (RCSA).
The RCSA is a framework providing an enterprise view of operational risk and can be used to perform operational risk assessments, analyze your organization’s operational risk profile, and chart a course for managing risk. The RCSA forms an important part of an organization’s overall operational risk framework. An RCSA requires documentation of risks, identifying the risk levels by estimating the frequency and impact of risks, and documenting the controls and processes related to those risks. A general best practice for organizing the assessment approach is by conducting the RCSA at the business-unit level.
The RCSA should be developed to serve as a reference for your organization’s risk initiatives. Below are several leading industry best practices for developing your Risk and Control Self-Assessment:
- Integrate Risk and Control Self-Assessment programs into your operational risk initiatives.
- Establish a standard risk terminology and consistent methodologies to measure and assess risk.
- Develop a complete view of risks and controls — this will be important for later analysis.
- Incorporate a trend analysis methodology into your RCSA to identify patterns in risk as well as potential control failures.
- Incorporate a method for identifying non-financial risks that may have impacts harming your bottom line.
- Use your RCSA to budget for operational risk management initiatives.
Operational Risk Management Tools and Resources
Technology enablement increases the value Operational Risk Management brings to the organization. When planning the ORM function, consider building the library of risks and controls and the risk assessment process in a risk management application. Establishing effective risk management capabilities is an important part of driving better business decisions and is a tool the C-suite leverages for competitive advantage. Embedding the processes with technology ensures these are applied consistently. A strong Operational Risk Management program can help drive your operational audits and risk library, as well as your SOX and compliance programs. Find out how AuditBoard can help you manage, automate, and streamline your operational risk management program to help turn your operational risks into opportunities to gain a competitive advantage.
Frequently Asked Questions About Operational Risk Management
What Is Operational Risk Management?
Operational Risk Management attempts to reduce risks through the linear process of risk identification, risk assessment, measurement and mitigation, monitoring, and reporting while determining who manages operational risk.
What are some examples of operational risk?
Examples of operational risk include:
- Employee conduct and employee error
- Breach of private data resulting from cyber attacks
- Technology risks tied to automation, robotics, and artificial intelligence
- Business processes and controls
- Physical events, such as natural catastrophes
- Internal and external fraud
- Workplace safety risks
How does operational risk management work?
Operational Risk Management proactively seeks to protect the organization by eliminating or minimizing risk.
What are the benefits and objectives of operational risk management?
Establishing an effective operational risk management program helps achieve an organization’s strategic objectives while ensuring business continuity in the event of disruptions and system failures.
What are the steps in the ORM process?
The five steps in the ORM process are: 1) Risk Identification, 2) Risk Assessment, 3) Risk Mitigation, 4) Control Implementation, and 5) Monitoring.
Sources
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.