If you’re involved in business, then you’re involved in risk, and specifically in operational risk.
Operational risk, as the name implies, is the risk of doing business: the risk businesses face from ineffective or failed internal processes, people, systems, or external events.
These risks can come from anywhere, including technology, employees, or regulators.
What they have in common, though, is that if realized, operational risks can lead to serious losses – not just financial penalties, but indirect costs, like reputational setbacks, too.
How to hedge your bets?
That’s where operational risk management comes in.
Operational risk management is meant to reduce or offset these risks by systematically identifying hazards and assessing and controlling the associated risks to enable decisions to be made that weigh risks against benefits.
Operational risk management, as this article explains, isn’t perfect, though.
Without data and analytics, operational risk management has been too reactive and qualitative. The manual processes it has relied on have also limited the visibility needed to gain timely insights.
However, operational risk management has evolved to embrace data and analytics. The rest of this article details how, and lays out the digital capabilities needed to bring the benefits of advanced data and analytics to your company.
The evolution of operational risk management
Where did operational risk management come from?
Risk management used to be undertaken in organizational silos. That was until the great wave of scandals and setbacks, culminating in the Financial Crisis of the late 2000s, after which operational risk management gained in popularity.
Operational risk management turned out to be a systematic and integrated approach to the management of the total risks that a company faces with a focus on controls and eliminating risks.
With international standards like ISO 31000, the broader field of risk management quickly moved beyond the confines of financial services, as well.
Benefits of risk management
One of the great benefits of ISO 31000, specifically, is that it codified the benefits of risk management in a language that’s accessible to senior decision makers.
So, what are the benefits of the practice?
Risk management creates and protects value
Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance, and reputation.
Risk management is an integral part of all organizational processes
Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
Risk management is part of decision making
Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
Risk management explicitly addresses uncertainty
Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
Risk management is systematic, structured, and timely
A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable, and reliable results.
Risk management is based on the best available information
The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts, and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
Risk management is tailored
Risk management is aligned with the organization's external and internal context and risk profile.
Risk management takes human and cultural factors into account
Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.
Risk management is transparent and inclusive
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
Risk management is dynamic, iterative, and responsive to change
Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
Risk management facilitates continual improvement of the organization
Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.
Risk management process
ISO 31000 also helped codify the ongoing risk management process of risk assessment, decision making, and implementation (of controls). These are stages of the operational risk management life cycle, as well. They include:
Risk identification
The identification stage consists of isolating all potential operational risks, whether recurring risks or potential one-offs. Risk identification involves staff across the business, not just C-suite executives.
Risk assessment
Once identified, risks must be added to a risk register where they are to be assessed based on a number of factors, like how likely the risk is to occur, how frequently the risk will occur, and the potential risk exposure to human and non-human assets if the risk is not managed. The use of a risk matrix, an established risk assessment methodology, is a standardized way of prioritizing risks in a central risk register by likelihood and consequences.
The severity of each risk can then be assessed separately, either as inherent, target, or residual risk, using a common methodology. At the end of the evaluation, risk is traditionally categorized as either very high, high, medium, low, or very low.
Analysis
In analyzing risk, teams will consider which risk controls (if any) to put in place. Additionally, teams will provide decision makers with a thorough risk analysis, a clear cost and benefit evaluation as well as outlines of possible alternative measures to take.
Decision
Based on the analysis furnished, decision makers will choose the best control (or combination of controls).
Implementation
Carrying out the decision taken requires having a plan for applying the selected controls. Adequate time and resources must also be allocated for any control measure to be successful. In addition, implementing controls requires clearly communicating your plan to everyone involved.
Monitoring
Implementation, however, isn’t the end of the story. Once they’re put in place, controls will have to be consistently monitored to ensure they are working as expected.
Embracing data and analytics in operational risk management
There have been stumbles along the way, though.
Sure, operational risk management frameworks like ISO 31000 consolidate the core risk management activities of identification, analysis, evaluation, treatment, communication, monitoring, and reporting.
However, they aren’t explicit in pointing up the disadvantages of manual processes.
And manual processes, carried out in periodic and sample-based audits, assurances, likelihood-severity risk matrices, and controls testing, have long been the default in operational risk management.
What’s the problem?
Well, these processes tend to be more reactive and qualitative rather than proactive and scientific.
As a result, they have limited the visibility needed to gain timely insights to inform risk-preventative policies, procedures, controls, and early identification.
What’s the problem here?
These are precisely the type of insights that are necessary to reduce the frequency and severity of operational loss events, as the fast-moving Covid crisis demonstrated.
Operational risk management, as a result, has had to evolve to better harness data and analytics.
Advantages of advanced data and analytics in risk management
Fortunately, operational risk management has evolved to embrace data and analytics, particularly advanced data and analytics.
What’s been the advantage, though?
Compared to irregular and static assessments carried out with manual approaches, advanced data and analytics provide the following benefits in operational risk management:
- Internal data supplemented with external data will offer more scientific risk assessments.
- Data-driven approaches allow for more continuous scanning of the changing risk environment.
- Predictive power and ability to model complex relationships better provide a forward-looking approach.
The overall benefit of advanced data and analytics is to allow operational risk management to become more integral to business decision making.
Operational risk management can now drive revenue, rather than being seen, as it was before, as reactive and overly compliance-focused.
Noggin operational risk management analytics
But how to get the benefits of data and analytics into your operational risk management program? That’s where operational risk management software comes in.
These solutions help organizations proactively identify, assess, and mitigate potential risks that could cause operational failures or disruptions to their normal operations. Centralized workspaces, in particular, provide a holistic view of risks, streamline operational risk-related processes, and foster effective stakeholder collaboration and communication.
As for advanced data and analytics, solutions like Noggin work to consolidate data to gain valuable insights and visualize them through interactive dashboards, charts, risk matrices, and maps in real-time, from any device.