Source: Global Risk Oversight Report
In the last five years, U.S. organizations have experienced significant increases in the volume and complexity of risks, with 32% of companies experiencing an operational surprise in that time period (see figure above). As organizations grow and evolve, so do the complexity, frequency, and impact of risks that are poorly managed. Losses from failure to properly manage operational risk have led to the downfall of many financial institutions — with over 100 reported losses exceeding $100 million in recent years. Moreover, growing pressure from the board for increased risk oversight also points to the importance of having a strong operational risk management practice in place. But how many organizations actually do?
According to a 2017 ERM Initiative study commissioned by the Association of International Certified Professional Accountants, risk management practices around the world are relatively immature: fewer than 30% of global organizations have “complete” enterprise risk management processes in place. This suggests a possible disconnect between operational and enterprise risk management and strategy execution in organizations.
In many organizations, operational risk management is one of the most tenuous links in their ability to meet the demands of customers and stakeholders. Although operational risk management is a subset of enterprise risk management, both programs face similar challenges, such as competing priorities and a lack of perceived value, that hinder their proper development. Some common challenges include:
Establishing an effective operational risk management (ORM) program helps an organization achieve its strategic objectives while ensuring business continuity in the event of disruptions to operations. Having a strong ORM program also demonstrates to clients that the company is prepared for crisis and loss. Organizations that can effectively implement a strong ORM program can experience improved competitive advantages, including:
As organizations begin the process of creating an operational risk framework and program, some areas that the risk management team should focus on include:
Developing an operational risk program begins with risk management teams engaging with business process owners to identify the risks and controls in the organization. While every organization will approach measuring operational risk differently, one of the first steps to understanding the nature of operational risks in your organization is a Risk and Control Self-Assessment (RCSA).
The RCSA is a framework that provides an enterprise view of operational risk and can be used to perform operational risk assessments, analyze your organization’s operational risk profile, and chart a course for managing risk. The RCSA forms an important part of an organization’s overall operational risk framework. An RCSA requires documenting risks, identifying risk levels by estimating the frequency and impact of those risks, and documenting the controls and processes related to them. A general best practice for organizing the assessment approach is to conduct the RCSA at the business-unit level.
The RCSA should be developed to serve as a reference for your organization’s risk initiatives. Below are several leading industry best practices for developing your Risk and Control Self-Assessment:
Technology enablement increases the value Operational Risk Management brings to the organization. When planning the Operational Risk Management function, consider building the library of risks and controls and the risk assessment process into a risk management application. Establishing effective risk management capabilities is an important part of driving better business decisions and is an important tool the C-suite leverages for competitive advantage. Embedding the processes with technology ensures these are applied consistently. A strong Operational Risk Management program can help drive your operational audits and risk library, as well as your SOX and Cybersecurity compliance programs. Find out how AuditBoard can help you manage, automate, and streamline your operational risk management program, and help you turn your operational risks into opportunities to gain a competitive advantage.