Senior Management has two perspectives on risk. In the traditional Enterprise Risk Management (ERM) view, the goal is to find the perfect balance of risk and reward. Sometimes the organization will accept more risk for a chance at growing the organization more quickly and at other times the focus switches to controlling risks with slower growth. The Operational Risk Management (ORM) perspective is more risk-averse, and focuses on protecting the organization. Get an in-depth overview of Operational Risk Management, including the 5 steps of the ORM process.
What Is Operational Risk Management?
Operational risk is the risk of loss resulting from ineffective or failed internal processes, people, systems, or external events that can disrupt the flow of business operations. The losses can be directly or indirectly financial. For example, a poorly trained employee may lose a sales opportunity, or indirectly a company’s reputation can suffer from poor customer service. Operational risk can refer to both the risk in operating an organization and the processes management uses when implementing, training, and enforcing policies. Operational risk can be viewed as part of a chain reaction: overlooked issues and control failures — whether small or large — lead to greater risk materialization, which may result in an organizational failure that can harm a company’s bottom line and reputation. While operational risk management is considered a subset of enterprise risk management, it excludes strategic, reputational, and financial risk.
What Are Examples of Operational Risk?
Operational risk permeates every organization and every internal process. The goal in the operational risk management function is to focus on the risks that have the most impact on the organization and to hold accountable employees who manage operational risk.
Examples of operational risk include:
- Employee conduct and employee error
- Breach of private data resulting from cybersecurity attacks
- Technology risks tied to automation, robotics, and artificial intelligence
- Business processes and controls
- Physical events that can disrupt a business, such as natural catastrophes
- Internal and external fraud
History of Operational Risk
Over the last two decades, the methodology for evaluating internal controls and risks has become more and more standardized. The standardization has been in response to government regulators, credit-rating agencies, stock exchanges, and institutional investor groups demanding greater levels of insight and assurance over risks and the effectiveness of controls in place to mitigate them. The release of COSO’s Internal Control-Integrated Framework in 1992 and the Sarbanes-Oxley Compliance Act of 2002, fueled by financial frauds at WorldCom and Enron, have led to increased pressure on the need for organizations to have an effective operational risk management discipline in place. In the U.S. the greatest pressure for increased involvement of senior executives in risk oversight comes from the audit committee. More recently, COSO released an Enterprise Risk Management Framework. After working with the frameworks for several years, risk managers have moved to an operational risk management process.
How Does Operational Risk Management Work?
When dealing with operational risk, the organization has to consider every aspect of all its objectives. Since operational risk is so pervasive, the goal is to reduce and control all risks to an acceptable level. Operational Risk Management attempts to reduce risks through risk identification, risk assessment, measurement and mitigation, and monitoring and reporting while determining who manages operational risk.
These stages are guided by four principles:
- Accept risk when benefits outweigh the cost.
- Accept no unnecessary risk.
- Anticipate and manage risk by planning.
- Make risk decisions at the right level.
Risk Identification
Operational Risk Management begins with identifying what can go wrong. As a best practice, a control framework should be used or developed to ensure completeness.
Risk Assessment
Once the risks are identified, the risks are assessed using an impact and likelihood scale.
Measurement and Mitigation
In the risk assessment, the risks are measured against a consistent scale to allow the risks to be prioritized and ranked comparative to one another. The measurement also considers the cost of controlling the risk related to the potential exposure.
Monitoring and Reporting
Risks are monitored through an ongoing risk assessment to determine any changes over time. The risks and any changes are reported to senior management and the board to facilitate decision-making processes.
What Is the Primary Objective of Operational Risk Management?
As the name suggests, the primary objective of Operational Risk Management is to mitigate risks related to the daily operations of an organization. The practice of Operational Risk Management focuses on operations and excludes other risk areas such as strategic risks and financial risks. While other risk disciplines, such as ERM, emphasize optimizing risk appetites to balance risk-taking and potential rewards, ORM processes primarily focus on controls and eliminating risk. The ORM framework starts with the risks themselves and then decides on a mitigation approach for each.
Operational Risk Management proactively seeks to protect the organization by eliminating or minimizing risk.
Depending on the organization, operational risk could have a very large scope. Under the topic of operations, some organizations might categorize fraud risk, technology risks, as well as the daily operations of financial teams like accounting and finance. The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution’s business functions.” Given this viewpoint, the scope of operational risk management will encompass cybersecurity, fraud, and nearly all internal control activities.
Applying a control framework, whether a formal framework or an internally developed model, will help when designing the internal control processes. One approach to understanding how ORM processes look in your organization is by organizing operational risks into categories like people risks, technology risks, and regulatory risks.
The people category includes employees, customers, vendors, and other stakeholders. Employee risk includes human error and intentional wrongdoing, such as in cases of fraud. Risks include breach of policy, insufficient guidance, poor training, bad decision making, or fraudulent behavior. Outside of the organization, there are several operational risks that involve people. Employees, customers, and vendors all pose a risk through social media. Monitoring and controlling the people aspect of operational risk is one of the broadest areas for coverage.
Technology risk from an operational standpoint includes hardware, software, privacy, and security. Technology risk also spans the entire organization and the people category described above. Hardware limitations can hinder productivity, especially in a remote work environment. Software too can reduce productivity when applications do not increase efficiency or employees lack training. Software can also impact customers as they interact with your organization. External threats exist as hackers attempt to steal information or hijack networks. This can lead to leaked customer information and data privacy concerns.
Risk for non-compliance to regulation exists in some form in nearly every organization. Some industries are more highly regulated than others, but all regulations come down to operationalizing internal controls. Over the past decade, the number and complexity of rules have increased and the penalties have become more severe.
Understanding the sources of risk will help determine who manages operational risk. Enterprise Risk Management and Operational Risk Management both address risks in the same areas but from different perspectives. In an effort to consolidate these disciplines, some organizations have implemented Integrated Risk Management or IRM. IRM addresses risk from a cultural point of view. Depending on the objective of the particular risk practice, the organization can implement technology with different parameters for teams like ERM and ORM.
How Many Steps Are in the ORM Process?
While there are different versions of the ORM process steps, Operational Risk Management is generally applied as a five-step process. All five steps are critical, and all steps should be implemented.
Step 1: Risk Identification
Risks must be identified so these can be controlled. Risk identification starts with understanding the organization’s objectives. Risks are anything that prevents the organization from attaining its objectives.
Step 2: Risk Assessment
Risk assessment is a systematic process for rating risks on likelihood and impact. The outcome from the risk assessment is a prioritized listing of known risks. The risk assessment process may look similar to the risk assessment done by internal audit.
Step 3: Risk Mitigation
The risk mitigation step involves choosing a path for controlling the specific risks. In the Operational Risk Management process, there are four options for risk mitigation: transfer, avoid, accept, and control.
Transfer: Transferring shifts the risk to another organization. The two most common means of transferring are outsourcing and insuring. When outsourcing, management cannot completely transfer the responsibility for controlling risk. Insuring against the risk ultimately transfers some of the financial impact of the risk to the insurance company. A good example of transferring risk occurs with cloud-based software companies. When a company purchases cloud-based software, the contract usually includes a clause for data breach insurance. The purchaser is ensuring the vendor can pay for damages in the event of a data breach. At the same time, the vendor will also have its data center provide SOC reports that show there are sufficient controls in place to minimize the likelihood of a data breach.
Avoid: Avoidance prevents the organization from entering into the risk situation. For example, when choosing a vendor for a service, the organization could choose to accept a vendor with a higher-priced bid if the lower-cost vendor does not have adequate references.
Accept: Based on the comparison of the risk to the cost of control, management could accept the risk and move forward with the risky choice. As an example, there is a risk that an employee will burn themselves if the company installs new coffee makers in the breakroom. The benefit of employee satisfaction from new coffee makers outweighs the risk of an employee accidentally burning themselves on a hot cup of coffee, so management accepts the risk and installs the new appliance.
Control: Controls are processes the organization puts in place to decrease the impact of the risk if it occurs or to increase the likelihood of meeting the objective. For example, installing software behind a firewall reduces the likelihood of hackers gaining access, while backing up the network decreases the impact of a compromised network since it can be restored to a safe point.
Step 4: Control Implementation
Once the risk mitigation decisions are made, the next step is implementation. The controls are designed specifically to meet the risk in question. The control rationale, objective, and activity should be clearly documented so the controls can be clearly communicated and executed. The controls implemented should favor preventive control activities over policies.
Step 5: Monitoring
Since the controls may be performed by people who make mistakes, or the environment could change, the controls should be monitored. Control monitoring involves testing the control for appropriateness of design, implementation, and operating effectiveness. Any exceptions or issues should be raised to management with action plans established.
Within the monitoring step in Operational Risk Management, some organizations, especially in the financial industry, have adopted continuous monitoring/early warning systems built around key risk indicators (KRIs). Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. KRIs designed around ratios that are monitored by business intelligence applications are how banks can manage operational risk, but the concept can be applied across all industries. KRIs can be designed to monitor nearly any potential risk and send a notification. As an example, a company could design a key risk indicator around customer satisfaction scores. Falling customer satisfaction scores could indicate that customer service representatives are not being trained or that the training is ineffective.
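The five steps above, as a worked example added here (not code from the original article or from AuditBoard): a constructed risk register is scored on an assumed 1 to 5 likelihood and impact scale and ranked (Step 2), each risk is assigned one of the four mitigation options using an illustrative decision rule against a risk appetite (Step 3), and a customer-satisfaction KRI is checked for an early-warning signal (Step 5). The appetite value, the decision rule, and all register figures are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    likelihood: int    # 1 (rare) .. 5 (almost certain); assumed 5-point scale
    impact: int        # 1 (negligible) .. 5 (severe); assumed 5-point scale
    control_cost: int  # annual cost of the candidate control (constructed units)
    exposure: int      # estimated annual loss if the risk materializes

    def score(self) -> int:
        # Step 2: one consistent scale so risks can be ranked against each other
        return self.likelihood * self.impact


def prioritize(register: List[Risk]) -> List[Risk]:
    """Step 2 outcome: the register ordered from highest to lowest score."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def choose_mitigation(risk: Risk, appetite: int) -> str:
    """Step 3: transfer / avoid / accept / control. The rule is an assumption:
    avoid an activity that is almost certain to cause severe impact; accept a
    risk within appetite whose control costs more than the exposure; control
    when a cost-effective control exists; otherwise transfer (insure/outsource)."""
    if risk.impact == 5 and risk.likelihood >= 4:
        return "avoid"
    if risk.score() <= appetite and risk.control_cost > risk.exposure:
        return "accept"
    if risk.control_cost <= risk.exposure:
        return "control"
    return "transfer"


def mitigation_plan(register: List[Risk], appetite: int):
    """Steps 2 and 3 together: ranked (name, score, option) rows."""
    return [(r.name, r.score(), choose_mitigation(r, appetite)) for r in prioritize(register)]


def kri_alert(scores: List[float], floor: float, drops: int = 3) -> Optional[str]:
    """Step 5: early-warning check on a KRI such as monthly customer-satisfaction
    scores: alert on a floor breach, or on `drops` consecutive declines."""
    if scores and scores[-1] < floor:
        return f"breach: latest score {scores[-1]} is below floor {floor}"
    recent = scores[-(drops + 1):]
    if len(recent) == drops + 1 and all(a > b for a, b in zip(recent, recent[1:])):
        return f"trend: {drops} consecutive declines, now at {scores[-1]}"
    return None


# Constructed risk register; every figure is illustrative, not real data
REGISTER = [
    Risk("untrained sales staff loses opportunities", 4, 2, 20, 60),
    Risk("customer data breach via web application", 3, 5, 80, 500),
    Risk("breakroom coffee maker burn", 2, 1, 50, 5),
    Risk("regulatory fine for a missed filing", 2, 4, 30, 200),
    Risk("outage at cloud vendor's data center", 2, 5, 900, 400),
    Risk("engaging a vendor with no references", 4, 5, 100, 300),
]

if __name__ == "__main__":
    for row in mitigation_plan(REGISTER, appetite=4):
        print(row)
    print(kri_alert([82, 81, 79, 77], floor=70))
```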
State of Operational Risk Management
In the last five years, U.S. organizations have experienced significant increases in the volume and complexity of risks, with 32% of companies experiencing an operational surprise in that time period (see figure above). As organizations grow and evolve, so do the complexity, frequency, and impact of risks that are poorly managed. Losses from failure to properly manage operational risk have led to the downfall of many financial institutions — with over 100 reported losses exceeding $100 million in recent years. Moreover, growing pressure from the board for increased risk oversight also points to the importance of having a strong operational risk management practice in place. But how many organizations actually do?
According to a 2017 ERM Initiative study commissioned by the Association of International Certified Professional Accountants, risk management practices around the world are relatively immature: less than 30% of global organizations have “complete” enterprise risk management processes in place. This may suggest that there is a disconnect between operational and enterprise risk management and strategy execution in organizations.
What Are the Challenges and Shortcomings of Operational Risk Management?
In many organizations, operational risk management is one of the most tenuous links in their ability to meet the demands of customers and stakeholders. While operational risk management is a subset of enterprise risk management, similar challenges like competing priorities and lack of perceived value affect proper development among both programs. Some common challenges include:
- A common perception that organizations do not have sufficient resources to invest in operational risk management or ERM.
- Need for greater communication and education around the importance of operational risk management and the consequences of operational failures on a company’s bottom line.
- Need for increased awareness and appreciation across boards and C-suite executives to better understand operational risk management steps.
- Lack of consistent methodologies to measure and assess risk is an area of concern when it comes to providing an accurate portrait of an organization’s risk profile.
- Establishing standard risk terminology that will be used moving forward, which is conducive to successful Risk and Control Self-Assessments (RCSAs).
- The process is varied and complex due to changes in technology.
- The function is oftentimes lumped in with other functions such as compliance and IT, which is why it does not receive significant attention.
- Operational Risk Management programs can be manual, disjointed, and over-complicated, mostly because ORM developed as a reactive function in response to regulations and compliance.
What Are the Benefits of a Strong Operational Risk Management Program?
Establishing an effective operational risk management program is helpful for achieving an organization’s strategic objectives while ensuring business continuity in the event of disruptions to operations. Having a strong ORM also demonstrates to clients that the company is prepared for crisis and loss. Organizations that can effectively implement a strong ORM program can experience improved competitive advantages, including:
- Better C-suite visibility.
- Better informed business risk-taking.
- Improved product performance and better brand recognition.
- Stronger relationships with customers and stakeholders.
- Greater investor confidence.
- Better performance reporting.
- More sustainable financial forecasting.
How to Develop an Operational Risk Management Program?
As organizations begin the process of creating an operational risk framework and program, some areas that the risk management team should focus on include:
- Promoting an organization-wide understanding of the program’s value and function.
- Leveraging technology to implement an automated approach to monitoring and collecting risk data.
- Establishing an effective method for evaluating and identifying principal risks in the organization and a way to continuously identify and update those risks and associated measures.
- Focusing on helping the organization reduce material risk exposures while encouraging activities where the potential business benefits outweigh the risks.
- Focusing on partnering ORM with other functions in the organization to better embed best practices into the organization.
The Risk and Control Self-Assessment
Developing an operational risk program begins with risk management teams engaging with business process owners in identifying the risks and controls in the organization. While every organization will approach measuring operational risk differently, one of the first steps to understanding the nature of operational risks in your organization is through a Risk and Control Self-Assessment (RCSA).
The RCSA is a framework that provides an enterprise view of operational risk and can be used to perform operational risk assessments, analyze your organization’s operational risk profile, and chart a course for managing risk. The RCSA forms an important part of an organization’s overall operational risk framework. An RCSA requires documentation of risks, identifying the risk levels by estimating the frequency and impact of risks and documenting the controls and processes related to those risks. A general best practice for organizing the assessment approach is by conducting the RCSA at the business-unit level.
The RCSA should be developed to serve as a reference for your organization’s risk initiatives. Below are several leading industry best practices for developing your Risk and Control Self-Assessment:
- Integrate Risk and Control Self-Assessment programs into your operational risk initiatives.
- Establish a standard risk terminology and consistent methodologies to measure and assess risk.
- Develop a complete view of risks and controls — this will be important for later analysis.
- Incorporate a trend analysis methodology into your RCSA that can identify patterns in risk as well as potential control failures.
- Incorporate a method for identifying non-financial risks that may have impacts that can harm your bottom line.
- Use your RCSA to budget for operational risk management initiatives.
Operational Risk Management Tools and Resources
Technology enablement increases the value Operational Risk Management brings to the organization. When planning the Operational Risk Management function, consider building the library of risks and controls and the risk assessment process into a risk management application. Establishing effective risk management capabilities is an important part of driving better business decisions and is an important tool the C-suite leverages for competitive advantage. Embedding the processes in technology ensures they are applied consistently. A strong Operational Risk Management program can help drive your operational audits and risk library, as well as your SOX and Cybersecurity compliance programs. Find out how AuditBoard can help you manage, automate, and streamline your operational risk management program, and help you turn your operational risks into opportunities to gain a competitive advantage. Get Started with OpsAudit Today.