Nowadays, crisis and business continuity managers don’t only have to worry about external threats to the organization. Internal risks matter just as much. Collectively, these operational risks are the risks of doing business. Too often, though, operational risk management gets short shrift.
How to get it right? Read our short introduction to operational risk management to find out.
How to class operational risks
So, what’s operational risk management all about? Well, operational risk management is the set of processes, encompassing risk assessment, decision making, and implementation of risk controls, targeted at reducing both internal and external threats to acceptable levels.
The threats themselves are operational risks, or the risks inherent in doing business.
Operational risk takes many forms – just think of all the risks businesses face from ineffective or failed internal processes, people, and systems, or from external events.
However, the five predominant categories of operational risks include:
- People risk
- Process risk
- Systems risk
- External events risk
- Legal and compliance risk
Developing an appropriate operational risk management framework
The breadth of operational risk can be quite staggering. And potential impacts associated with realized threats can be equally overwhelming.
Companies, therefore, must develop sound information and information-technology infrastructure that meets their current and projected business requirements and supports both critical operations and risk management.
How to go about building such a framework? Industry best-practice suggests taking the following steps:
- Identify, assess, and manage operational risks with effective internal controls, monitoring, and remediation
- Be able to continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP)
- Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring
Beyond that, the resulting operational risk management framework should be suited to the size, business mix, and complexity of the business.
The framework, as such, should consist of the following components:
- Governance arrangements for the oversight of operational risk
- An assessment of your operational risk profile, with a defined risk appetite supported by indicators and limits
- Internal controls that are designed and operating effectively for the management of operational risks
- Appropriate monitoring, analysis, and reporting of operational risks and escalation processes for operational incidents and events
- A regularly tested business continuity plan (BCP) that sets out how you will identify, manage, and respond to a disruption within tolerance levels
- Processes for the management of service provider arrangements
People in the operational risk management program
But who makes decisions? Operational risks involve the risks of doing business. It’s natural, then, that business decision makers, i.e. Boards of Directors, should develop, maintain, and review the operational risk management framework and program.
What should be the Board’s specific responsibilities? Regulatory standards, such as APRA CPS 230, prescribe the following:
- Oversee operational risk management and the effectiveness of key internal controls in maintaining the operational risk profile within risk appetite. To this end, the Board must receive regular updates on the company’s operational risk profile and then ensure that senior management takes action as required to address any areas of concern.
- Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing, and oversee the execution of any findings
- Approve the service provider management policy, and review risk and performance reporting on material service provider arrangements
Of course, overseeing operational risk management means putting in place the best strategies for the enterprise. What are the leading operational risk management best practices and the operational risk management software solutions needed to implement them?
Read our comprehensive article, Key Strategies for How to Manage Operational Risk to find out.