Operational risk is the risk of loss resulting from ineffective or failed internal processes, people and systems, or from external events that disrupt the flow of business operations. The term covers both the risk inherent in operating a company and the strategies management employs to implement corporate policies.[1] Operational risk can be viewed as part of a chain reaction: overlooked issues and control failures, whether small or large, lead to greater risk materialization, which may result in organizational failure that harms a company's bottom line and reputation.[2] While operational risk management is considered a subset of enterprise risk management, it excludes strategic, reputational and financial risk.
Examples of operational risk include:
- Employee conduct and employee error
- Breach of private data resulting from cybersecurity attacks
- Technology risks tied to automation, robotics, and artificial intelligence
- Business processes and controls
- Physical events that can disrupt a business, such as natural catastrophes
- Internal and external fraud
Over the last two decades, the methodology for evaluating internal controls and risks has become increasingly standardized. This has been in response to government regulators, credit-rating agencies, stock exchanges and institutional investor groups demanding greater insight into and assurance over risks and the effectiveness of the controls in place to mitigate them. The release of COSO's Internal Control Integrated Framework in 1992 and the Sarbanes-Oxley Compliance Act of 2002, the latter prompted by the financial frauds at WorldCom and Enron, have increased the pressure on organizations to have an effective operational risk management discipline in place. In the U.S., the greatest pressure for increased involvement of senior executives in risk oversight comes from the audit committee.
State of Operational Risk Management
In the last five years, U.S. organizations have experienced significant increases in the volume and complexity of risks, with 32% of companies experiencing an operational surprise in that time period (see figure above). As organizations grow and evolve, so do the complexity, frequency, and impact of risks that are poorly managed. Losses from failure to properly manage operational risk have led to the downfall of many financial institutions, with over 100 reported losses exceeding $100 million in recent years.[3] Moreover, growing pressure from the board for increased risk oversight also points to the importance of having a strong operational risk management practice in place. But how many organizations actually do?
According to a 2017 ERM Initiative study commissioned by the Association of International Certified Professional Accountants, risk management practices around the world are relatively immature: less than 30% of global organizations have “complete” enterprise risk management processes in place. This may suggest that there is a disconnect between operational and enterprise risk management and strategy execution in organizations.
Challenges and Shortcomings
In many organizations, operational risk management is one of the most tenuous links in their ability to meet the demands of customers and stakeholders. Because operational risk management is a subset of enterprise risk management, similar challenges, such as competing priorities and a lack of perceived value, hinder the proper development of both programs. Some common challenges include:
- A common perception that organizations do not have sufficient resources to invest in operational risk management or ERM
- A need for greater communication and education around the importance of operational risk management and the consequences of operational failures for a company's bottom line
- A need for increased awareness and appreciation among boards and C-suite executives so that they better understand the steps of operational risk management
- A lack of consistent methodologies to measure and assess risk, which makes it difficult to provide an accurate portrait of an organization's risk profile
- The difficulty of establishing a standard risk terminology to be used going forward, which is a prerequisite for successful Risk and Control Self-Assessments (RCSAs)
- A process that is varied and complex because of changes in technology
- A function that is often lumped in with other functions such as compliance and IT, which is why it does not receive significant attention
- Operational Risk Management (ORM) programs that are manual, disjointed, and over-complicated, largely because ORM developed as a reactive function in response to regulations and compliance requirements[4]
Benefits of a Strong Operational Risk Management Program
Establishing an effective operational risk management program helps an organization achieve its strategic objectives while ensuring business continuity when operations are disrupted. A strong ORM program also demonstrates to clients that the company is prepared for crisis and loss. Organizations that effectively implement a strong ORM program can gain competitive advantages, including:
- Better C-suite visibility
- Better informed business risk taking
- Improved product performance and better brand recognition
- Stronger relationships with customers and stakeholders
- Greater investor confidence
- Better performance reporting
- More sustainable financial forecasting
Developing an Operational Risk Management Program
As organizations begin the process of creating an operational risk framework and program, areas that the risk management team should focus on include:
- Promoting organization-wide understanding of the program's value and function
- Leveraging technology to implement an automated approach to monitoring and collecting risk data
- Establishing an effective method for identifying and evaluating the organization's principal risks, together with a way to continuously identify and update those risks and their associated measures
- Helping the organization reduce material risk exposures while encouraging activities where the potential business benefits outweigh the risks
- Partnering ORM with other functions in the organization to better embed best practices across the organization
The Risk and Control Self-Assessment
Developing an operational risk program begins with risk management teams engaging business process owners to identify the risks and controls in the organization. While every organization will approach measuring operational risk differently, one of the first steps toward understanding the nature of operational risks in your organization is a Risk and Control Self-Assessment (RCSA).
The RCSA is a framework that provides an enterprise view of operational risk and can be used to perform operational risk assessments, analyze your organization's operational risk profile, and chart a course for managing risk. It forms an important part of an organization's overall operational risk framework. An RCSA requires documenting risks, determining risk levels by estimating the frequency and impact of each risk, and documenting the controls and processes related to those risks. A general best practice is to conduct the RCSA at the business-unit level.
The RCSA should be developed to serve as a reference for your organization’s risk initiatives. Below are several leading industry best practices for developing your Risk and Control Self-Assessment:
- Integrate Risk and Control Self-Assessment programs into your operational risk initiatives
- Establish a standard risk terminology and consistent methodologies to measure and assess risk
- Develop a complete view of risks and controls, since this will be important for later analysis
- Incorporate a trend analysis methodology into your RCSA that can identify patterns in risk as well as potential control failures
- Incorporate a method for identifying non-financial risks whose impacts can still harm your bottom line
- Use your RCSA to budget for operational risk management initiatives
Operational Risk Management Tools and Resources
Establishing effective risk management capabilities is an important part of driving better business decisions and is an important tool that the C-suite can leverage for competitive advantage. A strong operational risk management program can help drive your operational audits and risk library, as well as your SOX and Cybersecurity compliance programs. Find out how AuditBoard can help you manage, automate, and streamline your operational risk management program, and help you turn your operational risks into opportunities to gain competitive advantage.