Senior management has two perspectives on risk. In the traditional Enterprise Risk Management (ERM) view, the goal is to find the right balance of risk and reward: sometimes the organization accepts more risk for a chance to grow faster, and at other times the focus shifts to controlling risk at the cost of slower growth. The Operational Risk Management (ORM) perspective is more risk-averse and focuses on protecting the organization.
What Is Operational Risk Management?

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, or systems, or from external events that disrupt the flow of business operations. The losses can be directly or indirectly financial. For example, a poorly trained employee may lose a sales opportunity, or, indirectly, a company's reputation can suffer from poor customer service. Operational risk refers both to the risk inherent in operating an organization and to the processes management uses when implementing, training on, and enforcing policies. Operational risk can be viewed as a chain reaction: overlooked issues and control failures, whether small or large, lead to greater risk materialization, which may end in an organizational failure that harms the company's bottom line and reputation. While operational risk management is considered a subset of enterprise risk management, it excludes strategic, reputational, and financial risk.

What Are Examples of Operational Risk?

Operational risk permeates every organization and every internal process. The goal of the operational risk management function is to focus on the risks that have the most impact on the organization and to hold accountable the employees who manage operational risk. Examples of operational risk include:
History of Operational Risk

Over the last two decades, the methodology for evaluating internal controls and risks has become more and more standardized. The standardization has been a response to government regulators, credit-rating agencies, stock exchanges, and institutional investor groups demanding greater insight into and assurance over risks and the effectiveness of the controls in place to mitigate them. The release of COSO's Internal Control-Integrated Framework in 1992 and the Sarbanes-Oxley Act of 2002, prompted by the financial frauds at WorldCom and Enron, have increased the pressure on organizations to have an effective operational risk management discipline in place. In the U.S., the greatest pressure for senior executives to become involved in risk oversight comes from the audit committee. More recently, COSO released an Enterprise Risk Management Framework. After working with these frameworks for several years, risk managers have moved toward an operational risk management process.

How Does Operational Risk Management Work?

When dealing with operational risk, the organization has to consider every aspect of all its objectives. Since operational risk is so pervasive, the goal is to reduce and control all risks to an acceptable level. Operational Risk Management attempts to reduce risk through risk identification, risk assessment, measurement and mitigation, and monitoring and reporting, while determining who manages each operational risk. These stages are guided by four principles:

- Accept risks when benefits outweigh costs.
- Accept no unnecessary risk.
- Anticipate and manage risk by planning.
- Make risk decisions at the right level.
Risk Identification

Operational Risk Management begins with identifying what can go wrong. As a best practice, a control framework should be used or developed to ensure completeness.

Risk Assessment

Once the risks are identified, they are assessed using an impact and likelihood scale.

Measurement and Mitigation

In the risk assessment, the risks are measured against a consistent scale so that they can be prioritized and ranked relative to one another. The measurement also weighs the cost of controlling the risk against the potential exposure.

Monitoring and Reporting

Risks are monitored through an ongoing risk assessment to detect any changes over time. The risks and any changes are reported to senior management and the board to support their decision-making.

What Is the Primary Objective of Operational Risk Management?

As the name suggests, the primary objective of Operational Risk Management is to mitigate risks related to the daily operations of an organization. The practice focuses on operations and excludes other risk areas such as strategic and financial risk. While other risk disciplines, such as ERM, emphasize optimizing risk appetite to balance risk-taking against potential reward, ORM processes focus primarily on controls and on eliminating risk. The ORM framework starts with the risks and then decides on a mitigation scenario. Operational Risk Management proactively seeks to protect the organization by eliminating or minimizing risk. Depending on the organization, operational risk can have a very large scope: under the heading of operations, some organizations include fraud risk and technology risk as well as the daily operations of financial teams such as accounting and finance.
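The measurement step above (one consistent scale, a ranked list, and the cost of a control weighed against the exposure it removes) is easier to see in code. The following is an added example, not AuditBoard's code or part of the article: a small risk register that scores likelihood and impact on a 1-5 scale, ranks risks by residual score, and checks whether a control's annual cost is justified by the expected loss it removes. The risk entries, exposure figures, control costs and the "likelihood points removed" values are all constructed assumptions for illustration.

```python
"""Added example (not AuditBoard's code): a small risk register that applies one
consistent 1-5 likelihood/impact scale, ranks risks by residual score, and tests
whether a control's cost is justified by the exposure it removes. The risks,
scores, exposures and control costs below are constructed for illustration."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, shared by likelihood and impact


@dataclass
class Control:
    name: str
    annual_cost: float         # assumed cost to operate the control for a year
    likelihood_reduction: int  # assumed scale points the control removes from likelihood


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    exposure: float            # assumed annual loss if the risk fully materializes
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Keep every risk on the same scale so scores are comparable across units.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        reduced = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(min(reduced, SCALE.stop - 1), SCALE.start)

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.impact


def expected_loss(risk: Risk, likelihood: int) -> float:
    """Approximate annual expected loss: exposure scaled by likelihood/5."""
    return risk.exposure * likelihood / (SCALE.stop - 1)


def control_is_justified(risk: Risk, control: Control) -> bool:
    """True when the control removes more expected loss than it costs to run."""
    before = expected_loss(risk, risk.likelihood)
    after = expected_loss(risk, max(risk.likelihood - control.likelihood_reduction, SCALE.start))
    return (before - after) > control.annual_cost


def rank_risks(risks):
    """Highest residual score first; ties broken by inherent score."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def build_sample_register():
    # Constructed register: three risks, two with a candidate control attached.
    mfa = Control("MFA on all remote access", annual_cost=50_000, likelihood_reduction=2)
    redundancy = Control("Second vendor on standby", annual_cost=300_000, likelihood_reduction=1)
    return [
        Risk("R1", "Credential phishing of finance staff", 4, 5, 2_000_000, [mfa]),
        Risk("R2", "Untrained customer service reps", 5, 2, 100_000),
        Risk("R3", "Critical vendor outage", 2, 4, 500_000, [redundancy]),
    ]


def prioritized_ids(risks):
    return [r.risk_id for r in rank_risks(risks)]


if __name__ == "__main__":
    register = build_sample_register()
    for r in rank_risks(register):
        print(r.risk_id, r.inherent_score(), "->", r.residual_score())
    r1, _, r3 = register
    print("MFA justified:", control_is_justified(r1, r1.controls[0]))
    print("Redundancy justified:", control_is_justified(r3, r3.controls[0]))
```

On the constructed data, the phishing risk keeps the top rank even after MFA because its impact is unchanged, and the standby-vendor control fails the cost check: it removes less expected loss than it costs, which is the kind of result that pushes a risk owner toward accepting or transferring the risk instead.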
The Risk Management Association defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution's business functions." Under this definition, the scope of operational risk management encompasses cybersecurity, fraud, and nearly all internal control activities. Applying a control framework, whether a formal framework or an internally developed model, will help when designing the internal control processes. One way to understand what ORM looks like in your organization is to organize operational risks into categories such as people risks, technology risks, and regulatory risks.

People

The people category includes employees, customers, vendors, and other stakeholders. Employee risk includes human error and intentional wrongdoing such as fraud. Specific risks include breach of policy, insufficient guidance, poor training, bad decision-making, and fraudulent behavior. Outside the organization there are several operational risks that involve people; employees, customers, and vendors all pose a risk through social media, for instance. Monitoring and controlling the people aspect of operational risk is one of the broadest areas to cover.

Technology

Technology risk from an operational standpoint includes hardware, software, privacy, and security. Technology risk also spans the entire organization and overlaps with the people category described above. Hardware limitations can hinder productivity, especially in a remote work environment. Software can also reduce productivity when applications do not increase efficiency or employees lack training, and it affects customers as they interact with your organization. External threats exist as attackers attempt to steal information or hijack networks, which can lead to leaked customer information and data privacy concerns.
Regulations

Risk of non-compliance with regulation exists in some form in nearly every organization. Some industries are more highly regulated than others, but all regulations come down to operationalizing internal controls. Over the past decade, the number and complexity of rules have increased and the penalties have become more severe. Understanding the sources of risk helps determine who manages operational risk. Enterprise Risk Management and Operational Risk Management both address risks in the same areas but from different perspectives. In an effort to consolidate these disciplines, some organizations have implemented Integrated Risk Management (IRM). IRM addresses risk from a cultural point of view. Depending on the objective of the particular risk practice, the organization can implement technology with different parameters for teams like ERM and ORM.

How Many Steps Are in the ORM Process?

While there are different versions of the ORM process steps, Operational Risk Management is generally applied as a five-step process. All five steps are critical, and all should be implemented.

Step 1: Risk Identification

Risks must be identified so that they can be controlled. Risk identification starts with understanding the organization's objectives; a risk is anything that prevents the organization from attaining those objectives.

Step 2: Risk Assessment

Risk assessment is a systematic process for rating risks on likelihood and impact. The outcome of the risk assessment is a prioritized list of known risks. The process may look similar to the risk assessment done by internal audit.

Step 3: Risk Mitigation

The risk mitigation step involves choosing a path for controlling each specific risk. In the Operational Risk Management process, there are four options for risk mitigation: transfer, avoid, accept, and control.
Step 4: Control Implementation

Once the mitigation choices are made, the next step is implementation. The controls are designed specifically to meet the risk in question. The control rationale, objective, and activity should be clearly documented so that the controls can be clearly communicated and executed. Preventive control activities should take priority over policies alone.

Step 5: Monitoring

Since controls may be performed by people who make mistakes, or the environment may change, the controls should be monitored. Control monitoring involves testing each control for appropriateness of design, implementation, and operating effectiveness. Any exceptions or issues should be raised to management with action plans established. Within the monitoring step, some organizations, especially in the financial industry, have adopted continuous monitoring and early-warning systems built around key risk indicators (KRIs). Key risk indicators are metrics that give an early signal of increasing risk exposure in various areas of the enterprise. Banks commonly manage operational risk with KRIs designed around ratios and monitored by business intelligence applications, but the concept applies across all industries. KRIs can be designed to monitor nearly any potential risk and to send a notification when a threshold is crossed. As an example, a company could design a key risk indicator around customer satisfaction scores: falling scores could indicate that customer service representatives are not being trained or that the training is ineffective.

State of Operational Risk Management

[Figure: operational surprises experienced by U.S. organizations over the last five years. Source: Global Risk Oversight Report]

In the last five years, U.S. organizations have experienced significant increases in the volume and complexity of risks, with 32% of companies experiencing an operational surprise in that period (see figure above).
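The KRI passage above describes thresholds, ratio-based indicators and notifications without showing how they fit together. As an added example that is not code from the article or from AuditBoard, here is a minimal KRI monitor: each indicator carries warning and critical thresholds, a direction (whether higher or lower values mean more risk) and a trend window, and the monitor rates the latest observation and flags a sustained adverse trend, which is the early signal a KRI exists to give. It goes slightly beyond the article's customer-satisfaction example by also covering a ratio KRI. The indicator names, thresholds and monthly figures are constructed assumptions.

```python
"""Added example (not from the article): a minimal key risk indicator (KRI)
monitor. Each KRI carries warning and critical thresholds, a direction (whether
higher or lower values mean more risk) and a trend window; the monitor rates the
latest observation and flags a sustained adverse trend. The KRIs, thresholds and
monthly figures below are constructed for illustration."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class KRI:
    name: str
    warning: float
    critical: float
    higher_is_worse: bool = True
    trend_periods: int = 3  # consecutive adverse moves needed for a trend alert

    def status(self, value: float) -> str:
        """Traffic-light rating of a single observation against the thresholds."""
        if self.higher_is_worse:
            if value >= self.critical:
                return "red"
            if value >= self.warning:
                return "amber"
        else:
            if value <= self.critical:
                return "red"
            if value <= self.warning:
                return "amber"
        return "green"

    def adverse_trend(self, series: Sequence[float]) -> bool:
        """True when the last trend_periods moves all went in the risky direction."""
        if len(series) <= self.trend_periods:
            return False  # not enough history to call a trend
        recent = series[-(self.trend_periods + 1):]
        steps = list(zip(recent, recent[1:]))
        if self.higher_is_worse:
            return all(later > earlier for earlier, later in steps)
        return all(later < earlier for earlier, later in steps)


def ratio_series(numerators, denominators):
    """Build a ratio KRI series (e.g. failed payments / total payments)."""
    return [0.0 if d == 0 else n / d for n, d in zip(numerators, denominators)]


def evaluate(kri: KRI, series: Sequence[float]):
    """Return (status, alerts) for the latest value. The alerts are the
    notifications a monitoring tool would send to the risk owner."""
    latest = series[-1]
    status = kri.status(latest)
    alerts = []
    if status != "green":
        alerts.append(f"{kri.name}: {status} at {latest:.3f}")
    if kri.adverse_trend(series):
        alerts.append(f"{kri.name}: adverse trend over {kri.trend_periods} periods")
    return status, alerts


# Constructed monthly data: a customer satisfaction score (lower is worse) and a
# failed-payment ratio (higher is worse).
CSAT = KRI("customer_satisfaction", warning=7.5, critical=7.0, higher_is_worse=False)
CSAT_SCORES = [8.4, 8.3, 8.1, 7.8, 7.4]

FAILED_PAYMENT_RATIO = KRI("failed_payment_ratio", warning=0.005, critical=0.02)
FAILED = [2, 3, 9]
TOTAL = [1000, 1000, 900]


def run_monitor():
    """Evaluate every KRI and return {name: (status, alerts)}."""
    return {
        CSAT.name: evaluate(CSAT, CSAT_SCORES),
        FAILED_PAYMENT_RATIO.name: evaluate(FAILED_PAYMENT_RATIO, ratio_series(FAILED, TOTAL)),
    }


if __name__ == "__main__":
    for name, (status, alerts) in run_monitor().items():
        print(name, status, alerts)
```

On the constructed data the satisfaction score is only amber, but it has fallen for three straight periods, so the trend alert fires before the critical threshold is reached; that lead time is the point of a KRI. The failed-payment ratio has jumped to amber but has too little history for a trend call, which is why the window length is a per-KRI setting rather than a global one.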
As organizations grow and evolve, so do the complexity, frequency, and impact of the risks they manage poorly. Losses from failure to manage operational risk properly have led to the downfall of many financial institutions, with over 100 reported losses exceeding $100 million in recent years. Growing pressure from the board for increased risk oversight also points to the importance of having a strong operational risk management practice in place. But how many organizations actually do? According to a 2017 ERM Initiative study commissioned by the Association of International Certified Professional Accountants, risk management practices around the world are relatively immature: less than 30% of global organizations have "complete" enterprise risk management processes in place. This suggests a disconnect between operational and enterprise risk management and strategy execution in organizations.

What Are the Challenges and Shortcomings of Operational Risk Management?

In many organizations, operational risk management is one of the weakest links in their ability to meet the demands of customers and stakeholders. Because operational risk management is a subset of enterprise risk management, the same challenges, such as competing priorities and a lack of perceived value, hamper the development of both programs. Some common challenges include:
What Are the Benefits of a Strong Operational Risk Management Program?

Establishing an effective operational risk management program helps an organization achieve its strategic objectives while ensuring business continuity when operations are disrupted. A strong ORM program also demonstrates to clients that the company is prepared for crisis and loss. Organizations that implement a strong ORM program can gain competitive advantages, including:
How to Develop an Operational Risk Management Program

As organizations begin creating an operational risk framework and program, some areas the risk management team should focus on include:
The Risk and Control Self-Assessment

Developing an operational risk program begins with risk management teams engaging business process owners to identify the risks and controls in the organization. While every organization will approach measuring operational risk differently, one of the first steps to understanding the nature of operational risk in your organization is a Risk and Control Self-Assessment (RCSA). The RCSA is a framework that provides an enterprise view of operational risk and can be used to perform operational risk assessments, analyze your organization's operational risk profile, and chart a course for managing risk. It forms an important part of an organization's overall operational risk framework. An RCSA requires documenting the risks, rating each risk by estimating its frequency and impact, and documenting the controls and processes related to those risks. A general best practice is to conduct the RCSA at the business-unit level. The RCSA should be developed to serve as a reference for your organization's risk initiatives. Below are several leading industry best practices for developing your Risk and Control Self-Assessment:
Operational Risk Management Tools and Resources

Technology enablement increases the value Operational Risk Management brings to the organization. When planning the ORM function, consider building the library of risks and controls and the risk assessment process into a risk management application. Establishing effective risk management capabilities is an important part of driving better business decisions and is a tool the C-suite leverages for competitive advantage. Embedding the processes in technology ensures they are applied consistently. A strong Operational Risk Management program can help drive your operational audits and risk library, as well as your SOX and cybersecurity compliance programs. Find out how AuditBoard can help you manage, automate, and streamline your operational risk management program, and turn your operational risks into opportunities for competitive advantage.