What’s one of the most significant risks businesses face today? That would be operational risk.
Don’t think so? Consider the fates of Enron, Worldcom, Lehman, and myriad subprime mortgage-debt backed institutions.
So, what’s operational risk, after all? It’s the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
These are all risks that overlap with and exacerbate more materials risks. One might even say that in the absence of operational failure, material risks are much less significant.
Mitigating operational risk is the purview of operational risk management. And given the acceleration of operational risk, we’ve created this overview and guide to answer the pressing question, what is operational risk management?
So, what is operational risk management?
Operational risk management (ORM) is a process focused on identifying, assessing, prioritizing, and mitigating risks that arise from an organization’s day-to-day operations and business workflows.
As Reuters Legal defines it, ORM involves the systematic process of understanding, managing, and monitoring risks to minimize the potential negative impact on an organization’s objectives and outcomes.
How’s that different than enterprise risk management (ERM)? Well, there are overlaps as some experts consider ORM a subset of ERM.
The biggest difference, though, is the goal of ERM is to minimize intentional risk.
What about ORM? It seeks rather to reduce unintentional risk, i.e., those that involve internal processes, systems, people, and external events.
To do so, operational risk managers identify procedures that can minimize the likelihood and impact of unnecessary risks on the organization to ensure that it can continue operating even in the face of unpredictable events.
Given the nature of operational risk, ORM must be conducted thoroughly. There should be clear processes and protocols in place to identify and address all known risks.
As a result, effective ORM, i.e., putting those clear processes and protocols in place in a sustainable fashion, offers the following benefits:
The above benefits don’t discount the clear challenges to operational risk management.
One of the more significant is a lack of senior-management interest.
Simply put, many firms don’t believe operational risk is material risk. Instead, they consider operational risk as back-office risk.
This leads executives, in particular, to think that ORM is only about managing control weaknesses in processes at a tactical level.
Too often, these views affect funding and staffing. Funding and staffing, by definition, affect resource allocation and methodology development.
As a result, the following challenges to ORM emerge:
Companies might uncover numerous operational risks as part of the risk management process. However, it takes resources (outlays of personnel, technologies, and/or other assets) to tackle those risks. Company resources are finite.
The rationale for getting started with operational risk management today is that the risk picture is deteriorating quickly. Indeed, this change in the threat environment is overwhelming many companies who are facing multi-directional risk.
Companies often pursue operational risk on an ad hoc and/or siloed basis. This might be fine if a company only faces one risk at a time. But as risk accumulates – itself a sign of business maturation – this approach quickly becomes untenable.
Companies also find themselves stymied once they’ve identified risks. What to do then? Without internal tools to properly integrate the knowledge base of risk into risk management systems, risks will remain un-controlled.
So, how to get operational risk management right then? One place to start is to follow the principles undergirding ORM.
According to the Basel Committee, the principles of ORM include the following:
So, how to go about achieving operational risk management based on these principles?
Operational risk management is an actual process (or cycle) of risk assessment, decision making, and implementation (of controls) that needs to be pursued.
The precise strategies needed to implement effective operational risk management include the following:
The identification stage consists of isolating all potential operational risks, whether recurring risks or potential one-offs. Risk identification involves staff across the business, not just C-suite executives.
Once identified, operational risks must be added to a risk register where they are to be assessed based on a number of factors, like how likely the risk is to occur, how frequently the risk will occur, and the potential risk exposure to human and non-human assets if the risk is not managed.
The use of a risk matrix, an established risk assessment methodology, is a standardized way of prioritizing risks in a central risk register by likelihood and consequences.
The severity of each risk can then be assessed separately, either as inherent, target, or residual risk, using a common methodology. At the end of the evaluation, risk is traditionally categorized as either very high, high, medium, low, or very low.
In analyzing risk, teams will consider which risk controls (if any) to put in place. Additionally, teams will provide decision makers with a thorough risk analysis, a clear cost and benefit evaluation as well as outlines of possible alternative measures to take.
Based on the analysis furnished, decision makers will choose the best control (or combination of controls).
Carrying out the decision taken requires having a plan for applying the selected controls. Adequate time and resources must also be allocated for any control measure to be successful. In addition, implementing controls requires clearly communicating your plan to everyone involved.
Implementation, however, isn’t the end of the story. Once they’re put in place, controls will have to be consistently monitored to ensure they are working as expected.
So, what are examples of operational risk management strategies than can be implemented and monitored? Generic risk management strategies tend to include risk avoidance, risk acceptance, risk transfer, risk reduction, and risk retention.
They mean:
The elimination of hazards, activities, and exposures that can negatively affect an organization and its assets.
The acknowledging of the possibility for small or infrequent risks without taking steps to hedge.
The process of formally or informally shifting the financial consequences of particular risks from one party to another.
The mitigation of impact of potential losses by reducing the likelihood and severity of a possible loss.
The planned acceptance of potential losses.
So, what can be done, particularly if you find it challenging to fully control all the risks within your company? Well, the most pragmatic approach to effectively implement operational risk management within any organization is to pursue informed risk profiling and decision-making aimed at maximizing returns.
Considering that risk is inevitable, navigating trade-offs in operational risk management is unavoidable. To make more informed trade-offs, stakeholders must adopt a strategic business perspective, anchoring their risk management practices within the broader organizational context.
Translating these principles into action begins at the highest levels, where executives advocate for heightened risk awareness and transparency. Additionally, executives should empower staff to contribute their insights to enhance risk processes and controls.
What’s more, fostering a robust reporting culture will further support a conducive risk environment. How can better reporting outcomes be achieved?
Executives will need to invest in appropriate tools (More below) to enable their teams to comprehensively assess and document risks, including providing detailed rationale for accepting certain identified risks (and rejecting others).
Other strategies for implementing operational risk management within the enterprise include:
Seem overwhelming? It doesn’t have to. Digital operational risk management software helps companies mitigate operational risks and strengthen enterprise resilience.
Solutions like Noggin Resilience, in particular, help organizations proactively identify, assess, and mitigate potential risks that could cause operational failures or disruptions to their normal operations.
With what features? Noggin’s operational risk management software offers the following:
Align risk management initiatives with organizational objectives to ensure risks are managed in a way that aligns with your objectives so you can effectively manage threats and capitalize on opportunities.
Keep track of your compliance obligations with ease using a centralized register that enables you to monitor breaches and collaborate with your team to ensure compliance throughout your organization.
Get a head start with Noggin's pre-existing library of potential operational risks and corresponding control measures, inspired by the best industry practices to save time in recognizing and recording operational risks.
Proactively identify, assess, and manage operational risks through a centralized workspace that provides a holistic view of risks, and streamlines risk assessment processes while fostering effective stakeholder collaboration and communication.
Gain oversight into the ongoing management of risk controls as they are implemented and maintained in your operational environment, using scheduled audits that personnel can complete from anywhere, on any device.
Streamline the risk document management process by leveraging Noggin’s centralized document management functionality to ensure personnel have the right information at their fingertips.
Create custom reports that summarize historical data with charts, recommendations, and sign-offs. Export these as PDF or Word documents and share with stakeholders and executives to enable them to make informed decisions, manage threats, and benefit from opportunities.
Consolidate data to gain valuable insights and visualize it through interactive dashboards, charts, risk matrices, and maps in real-time, from any device.
Finally, the rise in operational risk has many asking, what is operational risk management? As this guide and overview have sought to answer, ORM involves the systematic process of understanding, managing, and monitoring risks to minimize the potential negative impact on an organization’s objectives and outcomes.
And key to the process should be digital software like Noggin that provides a holistic view of risks, streamlines operational risk-related processes, and fosters effective stakeholder collaboration and communication.
But don’t just take our word for it. Request a demo of Noggin to see for yourself.