Request a Demo

Fill in the form below and we will contact you shortly to organised your personalised demonstration of the Noggin platform.

The Noggin Platform

The world's leading integrated resilience workspace for risk and business continuity management, operational resilience, incident & crisis management, and security & safety operations.

Learn More
Resilience Management Buyers Guide - Thumbnail
A Resilience Management Software Buyer's Guide
Access the Guide

Who We Are

The world’s leading platform for integrated safety & security management.

Learn More

The Essentials of Operational Risk Management

What is operational risk management?

Operational risk management has evolved as the management process to mitigate threats posed by operational risks.

What are operational risks, then? Put simply, operational risks are the risks of doing business. More specifically, they are the risks businesses face from ineffective or failed internal processes, people, systems, or external events. Operational risks, if realized, can lead to serious losses – not just financial losses, but non-direct costs, as well.

So, what’s involved in operational risk management? Well, operational risk management is a process involving risk analysis, risk strategy, and risk control in the identification and reduction of risks that may occur in daily business operations.

The purpose of operational risk management, like risk management and compliance risk management, is the control and minimization of risks.

Why is operational risk management so important in the current climate? 

So, why focus on operational risk management today? As mentioned, realized risk can cost companies dearly.

Not just that. Operational risk management itself, as this article will establish, can also be an important tool in increasing revenue and productivity as well as ensuring compliance and mitigating risk.

But getting serious about operational risk management today is critical because operational threats themselves have gotten so much more serious. Just consider the operational risk examples that enterprises face today; they include:

  • Enterprise-wide interruption, disruption, or failure
  • Loss of systems control or data
  • Financial loss
  • Safety hazards
  • Reputational damage
  • IT infrastructure damage
  • Customer churn
  • Employee churn
  • Legal liability or regulatory fines for harm caused by employees intentionally or negligently
  • Legal liability or regulatory fines for harm caused by external bad actors
  • Competitive disadvantage

Not listed, the increasing digitization of business processes exacerbates all operational risk by making companies more reliant on sources that are themselves at great risk of interruption.

However, companies must pursue digitization strategies or face competitive disadvantage.

The evolution of operational risk management

This Catch-22 can only be resolved within the operational risk management framework, particularly since the broader field of risk management has evolved to meet the threat posed by digitization.

How so?

Going into the Financial Crisis of the late 2000s, risk management tended to focus on crisis management. Many experts believed this reactive approach to risk management might have blinded decision makers to the keen threats their companies faced.

Coming out of the Financial Crisis, though, risk management has evolved, alongside business-model changes (more broadly), to facilitate looking at the threat picture more holistically via powerful analytical tools (More on those later).

How does operational risk management work?

So, how does operational risk management work today?

Operational risk management is an actual process (or cycle) of risk assessment, decision making, and implementation (of controls) that needs to be pursued. The stages of the operational risk management life cycle include:

Risk identification

The identification stage consists of isolating all potential operational risks, whether recurring risks or potential one-offs. Risk identification involves staff across the business, not just C-suite executives.

Risk assessment

Once identified, risks must be added to a risk register where they are to be assessed based on a number of factors, like how likely the risk is to occur, how frequently the risk will occur, and the potential risk exposure to human and non-human assets if the risk is not managed. The use of a risk matrix, an established risk assessment methodology, is a standardized way of prioritizing risks in a central risk register by likelihood and consequences. The severity of each risk can then be assessed separately, either as inherent, target, or residual risk, using a common methodology. At the end of the evaluation, risk is traditionally categorized as either very high, high, medium, low, or very low.

Analysis

In analyzing risk, teams will consider which risk controls (if any) to put in place. Additionally, teams will provide decision makers with a thorough risk analysis, a clear cost and benefit evaluation as well as outlines of possible alternative measures to take.

Decision

Based on the analysis furnished, decision makers will choose the best control (or combination of controls).

Implementation

Carrying out the decision taken requires having a plan for applying the selected controls. Adequate time and resources must also be allocated for any control measure to be successful. In addition, implementing controls requires clearly communicating your plan to everyone involved.

Monitoring

Implementation, however, isn’t the end of the story. Once they’re put in place, controls will have to be consistently monitored to ensure they are working as expected.

Operational Risk Management Life CycleImage: The Operational Risk Management Life Cycle

What are examples of operational risk management?

So, what are examples of operational risk management strategies than can be implemented and monitored? Generic risk management strategies tend to include risk avoidance, risk acceptance, risk transfer, risk reduction, and risk retention.

They mean:

Risk avoidance

The elimination of hazards, activities, and exposures that can negatively affect an organization and its assets.

Risk acceptance

The acknowledging of the possibility for small or infrequent risks without taking steps to hedge.

Risk transfer

The process of formally or informally shifting the financial consequences of particular risks from one party to another.

Risk reduction

The mitigation of impact of potential losses by reducing the likelihood and severity of a possible loss.

Risk retention

The planned acceptance of potential losses.

Is there an enterprise level to operational risk management?

Can these strategies be pursued at the enterprise level? The short answer is absolutely.

The caveat, though, is that enterprise level risk differs from operational risk.

How so?

Operational risks, as noted, are related to the delivery of specific programs, functional or operational objectives. They include risks inherent to the design, management, or performance of business processes, systems, people, and external events.

Meanwhile, enterprise risks are broader in scope. These are uncertainties whose impacts could significantly affect the ability of an enterprise to achieve its mission.

Enterprise risks can be pervasive, as well. That means they cut across an agency’s organizational boundaries. Enterprise risks can also be localized, meaning they’re only applicable to one office or division but still likely to have a high impact on the entire organization.

What are the benefits of operational risk management?

So, why integrate operational risk management and enterprise risk management? To answer, let’s look at the traditional benefits of risk management, as detailed in international risk management standard ISO 31000:

Risk management creates and protects value

Risk management contributes to the achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

Risk management is an integral part of all organizational processes

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

Risk management enhances decision making

Risk management helps decision makers make informed choices, prioritize actions, and distinguish among alternative courses of action.

Risk management helps to better address uncertainty

Risk management takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

Risk management makes companies better responsive to change

Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

Risk management facilitates continual improvement

Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

Integrating operational risk management with enterprise risk management yields more benefits still, such as unlocking performance gains that can advance an agency’s mission.

Indeed, the relationship between enterprise and operational risks is one-to-many. In other words, operational risks can be rolled up into fewer and broader enterprise risks.

In practice, though, the line between enterprise and operational risks often blurs, and so, each program, function, or operational unit should have its own risk register and priority risks to manage but shares common tools and processes established.

Are there challenges involved in operational risk management?

Risk management being difficult in the best of times, even teams who deploy best-practice processes will be challenged. Nor is the cost of ineffective risk management trivial, either.

How so?

Get risk management wrong, and your business might suffer from workplace injuries and accidents, productivity loss, damaged assets and products, even significant financial penalty.

What are the other challenges to successful operational risk management? They include:

Limited resources for controlling identified risk

Companies might uncover numerous risks as part of the risk management process. However, it takes resources (outlays of personnel, technologies, and/or other assets) to tackle those risks. Company resources are finite.

Sheer pace and volume of change overwhelming risk teams

The rationale for getting started with operational risk management today is that the risk picture is deteriorating quickly. Indeed, this change in the threat environment is overwhelming many companies who are facing multi-directional risk.

Lack of a comprehensive, integrated operational risk management approach

Companies often pursue operational risk on an ad hoc basis. This might be fine if a company only faces one risk at a time. But as risk accumulates – itself a sign of business maturation – this approach will become untenable.  

Lack of internal (communications) tools to properly integrate the knowledge base of risk into systems for managing risk

Companies also find themselves stymied once they’ve identified risks. What to do then? Without internal tools to properly integrate the knowledge base of risk into risk management systems, risks will remain un-controlled.

How do I implement operational risk management in my enterprise?

So, what can be done, especially if you can’t adequately control all your company’s identified risks? Well, the most sensible way to properly implement risk management in any organization is to pursue informed risk profiling and decision making toward increased returns.

After all, risk is inevitable. Tradeoffs in operational risk management are unescapable. To make better-informed tradeoffs, stakeholders need to operate with a strategic, business perspective in mind, anchoring their risk management practices within a larger, organizational context.

Turning these guidelines into practices will start at the top, with executives promoting greater risk awareness and transparency. Executives must also empower staff to contribute their own ideas to improve risk processes and controls.

What’s more, a robust reporting culture will also facilitate a supportive risk culture. How to get better reporting outcomes? Executives will have to invest in the appropriate tools to enable their teams to fully assess and document risks, including detailed information on why certain identified risks were accepted (and others not).

Additional ways to implement operational risk management in the enterprise include:

  • Limit risk decision making to leaders who have the power to allocate resources
  • Have clear organizational objectives
  • Identify risk roles and responsibilities
  • Put a support structure in place
  • Deploy early warning systems
  • Ensure risk decisions go through a clear review cycle

The role of digital technology in operational risk management

These best practices can be implemented more expeditiously with operational risk management software with robust reporting, governance, and compliance capabilities.

Specifically, bundling operational risk tracking and incident management functionality into the same solution renders incident response to realized risk more efficient. Cross-linking hazards with incidents (within the same solution) gives teams the requisite history and intelligence they need to trigger necessary changes in their risk management plans and processes, as well as helps them identify where controls might have failed to achieve desired outcomes.

It, therefore, makes sense to find a risk management solution capable of handling all types of business-as-usual incidents, as well as planning activities for risk and business continuity management, as well as incidents and the entire emergency management lifecycle.

Ensure your system provides tight integration with assets, contacts, documents, events, tasks, workflows, scheduled reviews, reporting, communications, resource allocations, key risk, and reporting indications, etc.

Noggin’s operational risk management software

Not sure where to turn? Look for a solution that capable of performing the following functions:

  • Support a wide range of risk management standards and well-established risk assessment methodologies, like the risk matrix.
  • Support a parent/child relationship in the risk register for hazards and controls. Hazards and controls should be user-configurable to enable users to tailor the system to their organization’s unique risk management requirements.
  • Permit subjective, objective, and semi-objective assessments. The system should enable both incident and asset-centric risk assessments to be made, with attributes such as characteristics, incident history, and geospatial locations used to derive objective forecasts of likelihood.    
  • Include centrally controlled risk and control libraries, as well as allow users to designate certain controls as mandatory or optional, so as to ensure the consistency of hazard assessment and control planning.
  • Provide for multi-factor consequence and likelihood ratings, as well as threat assessments that can be skewed by qualitative factors, like organizational maturity and data confidence. Users should also be able to temporarily upgrade likelihood ratings in periods of heightened threat.

Or, take a shortcut and consider Noggin’s operational risk management software capabilities. Our integrated platform helps you treat the entire risk management lifecycle to ensure better prevention, by managing the risks you identify using configurable risk matrixes and risk and control registers. 

But that’s not all. Request a Demo of Noggin to see how the Noggin Platform can help you drive reviews and continuous improvement.

New call-to-action