Operational risk is defined as the risk of a loss that results from inadequate or failed business processes, people and systems, or from external events.
More simply, operational risk pertains to any uncertainty or threat your organization faces (or might face in the future) during day-to-day business activities. The risk arises from operational disruptions and is likely to result in losses or reputational damage.
Some operational risk is inevitable for every organization. Implementing an operational risk management (ORM) program, however, can strengthen internal processes, minimize risks, and mitigate their impacts.
Operational risk management, which is a subset of enterprise risk management (ERM), is an ongoing set of activities focused on reducing and mitigating key risks related to your organization’s business operations.
This article explores how ORM works and examines its challenges and benefits.
Understanding Operational Risk
What is an Operational Risk?
Operational risk is focused on day-to-day operations within your company. It is affected by procedures and processes that guide, regulate, and manage operations. It can also change based on decisions made by senior management and the board of directors about how the organization functions and what its priorities are.
Examples of Operational Risk
In general, operational risk can arise from disruptions, breakdowns, or errors in:
- Technology
- People
- The regulatory and compliance ecosystem
Failed internal procedures, employee errors, technological disruptions, and cybersecurity events can all create operational risks. So can the evolving regulatory landscape: what were normal operations yesterday might not be permitted tomorrow, if the regulator environment for your business changes.
For example, a data breach can affect your organization’s reputation or result in increased customer churn. A breakdown of internal procedures or process controls may result in costly errors. Unpatched software, misconfigured settings, or missing encryption could leave your company vulnerable to cyberattacks and affect its financial or compliance posture.
Likewise, poorly trained staff may degrade the quality of your output, or a supply chain attack due to software vulnerabilities may impact business continuity. New technologies and poorly planned digital transformation initiatives are operational risks that have the potential to harm your business.
Impact of Operational Risk
Operational risk doesn’t always result in business failures, nor does it always increase costs, decrease production, or affect profitability. The issue, however, is that it can cause those things. Hence it is critical to manage operational risks and minimize their potential impact. Here’s where an operational risk management (ORM) program comes in.
What Is Operational Risk Management?
ORM is an ongoing, systematic process that involves multiple steps to manage operational risk:
- Risk identification
- Risk assessment
- Risk measurement
- Risk mitigation and controls implementation
- Risk monitoring and reporting
Each step is described in more detail in this section about how operational risk management works.
ORM is often discussed in the context of financial institutions, particularly after the Basel Committee on Banking Supervision (BCBS) published a series of papers from 1999 to 2001. The need for ORM, however, isn’t limited to the financial services industry. Every organization should implement ORM to mitigate potentially disastrous operational risks.
The Evolution of ORM
In the past, most organizations had a narrow view of ORM. Many considered it a requirement to simply meet regulatory and compliance needs rather than a formal business function that can deliver relevant, ongoing, and quantifiable value to the organization.
In recent years, the meaning of ORM has changed, along with ORM methodologies and processes. Where traditional ORM encompassed risks that were difficult to quantify and manage, modern ORM involves standardizing the evaluation of operational risks and internal controls.
As McKinsey states in this article, the BCBS papers elevated operational risk to a “distinct and controllable risk category requiring its own tools and organization.” Moreover, regulators, institutional investor groups, stock exchanges, credit rating agencies, and other stakeholders now demand greater assurance that organizations have effective controls in place to mitigate operational risks. It’s impossible to provide this assurance without a well-functioning ORM program.
In addition, other developments such as the release of COSO’s internal control framework and the Sarbanes-Oxley Compliance Act (SOX) both increased awareness about the importance of ORM programs, particularly:
- Processes around risk identification and risk assessment
- Risk management capabilities
- Controls and control-testing processes
Benefits of Operational Risk Management
An effective ORM program focuses on protecting the organization. It is more risk-averse than the broader traditional ERM program that seeks to balance risk with reward. Its primary goal is to minimize any possible fallout if risks come to fruition. This fallout could include:
- Operational disruptions
- Financial losses
- Non-compliance issues
- Reputational damage
ORM is a business-critical organizational function that delivers a wide range of benefits.
Understand and Improve Operating Processes
ORM provides insight into the strength of operational processes. It enables risk managers and senior leadership to understand key aspects of operations, such as:
- Do our processes deliver consistent outcomes and positive customer experiences?
- Do our processes operate reliably and consistently in all kinds of conditions (normal and stress)?
- Can we prevent disruptions with methods within our change management process?
- Does our operating model effectively limit risk from bad actors?
Such understanding is critical to launching improvements, and ORM provides that knowledge.
Improve Operating Resilience
While traditional ORM focused on detecting and reporting nonfinancial risks, its scope has expanded in today’s environment. It can help your company develop second-line oversight to support your operating model and improve resilience. Such strength and stability can assure business continuity and drive operational excellence.
Implement Effective Controls
Robust controls are essential to monitor and evaluate process resilience. When controls are reliant on manual activities, however, they may not always work (nevermind prevent disruptions or reputational damage).
ORM can help your organization implement effective controls and management strategies to evaluate business resilience and prioritize necessary interventions. These strategies and controls are essential to:
- Monitor the risk environment and address critical risks
- Map inherent risks and controls to business processes
- Connect enterprise resource planning to processes and associated risks
- Reinforce expected or required risk-averse behaviors
- Perform root cause analyses
- Establish feedback loops to identify and flag potential issues
ORM can strengthen your risk management capabilities and improve business decision-making. Ultimately, it enhances business continuity and sustainability to create a more secure and profitable enterprise.
How Does Operational Risk Management Work
An ORM program typically includes five risk management processes that work together to help organizations reduce and mitigate the effects of operational risk.
Risk Identification
To manage operational risks, first identify them in the context of your organization’s business practices, operating model, objectives, and goals. By identifying the relevant risks, you can then start taking steps to mitigate and reduce them.
For example, if many of your operating processes are automated, the risk of employee carelessness causing costly process errors may be low. On the other hand, the risk of data breaches may be high if these processes involve sensitive data.
Risk Assessment
Not all risks are created equal. Some are more likely to occur, and others have a more significant impact on operational continuity and resilience. That’s why, after identifying all operational risks, you should assess them based on potential impact and probability of occurrence.
A risk heat map is a valuable risk assessment tool. For instance, a pharmaceutical company can visualize whether the risk of non-compliance with current good manufacturing practices (CGMP) is high. Likewise, if you have factories situated in places prone to earthquakes, it can help you quantify that risk and how a quake might affect business continuity.
Such risk assessments are vital because they will help you understand which risks are the most critical to operational resilience, and therefore should be prioritized for mitigation or prevention.
Risk Measurement
At this stage, you should compare risks to determine the order of prioritization. Make sure to compare the cost of risk control to the cost of potential risk exposure.
Based on your risk assessment (say, by using the heat map), you may have identified risks that are:
- High probability and high impact
- Low probability and high impact
- High probability and low impact
- Low probability and low impact
This exercise will help you evaluate risks by their seriousness and guide the implementation of controls.
Risk Mitigation and Control Implementation
The controls you implement to mitigate or minimize identified risks will depend on how you decide to treat the risk:
- Transfer it to another organization
- Avoid it by implementing strong internal controls
- Control it to decrease its potential impacts
- Accept it if doing so yields significant potential benefits, such as faster growth
For example, you can mitigate the risk of a cyber attack by purchasing cyber insurance. This is a type of risk transfer strategy. On the other hand, you can avoid the risk of inventory theft by installing security cameras or security guards. You can also control the risk of phishing and social engineering by implementing a cyber-hygiene awareness program for employees.
Risk Monitoring and Reporting
Operational risks can and do change over time, so it’s crucial to monitor the risk environment regularly using the right metrics. This way, you can determine if changes to the risk type, occurrence, and expected severity should drive an adjustment to your ORM controls.
ORM tools such as real-time risk indicators, analytics, and risk management software will help you to monitor risks, manage controls, and document mitigation strategies.
All the above ORM processes are guided by four fundamental principles that can strengthen the organization’s ability to correctly identify and deal with operational risks:
- Accept no unnecessary risk
- Accept risk only when the benefits outweigh the costs
- Make all risk decisions at the appropriate level
- Anticipate and manage risk continuously and consistently
Common Challenges to Operational Risk Management
Operational risk is one of the most crucial business risks that organizations must quantify and manage. That said, many companies face common challenges that prevent them from harnessing the benefits of ORM.
Aligning ORM Strategy With the Overall ERM Strategy
The ORM strategy must fit into the larger ERM strategy to assure that the organization effectively manages all kinds of risks. Moreover, the ERM strategy should serve as an overarching guideline when setting up the ORM strategy and structure. Many organizations struggle with maintaining consistency in this relationship.
Failure to Detect New Risks
Most operational risk management programs detect existing or known risks. More challenging, however, is discovering and acting upon new or emerging risks that may arise from:
- Adoption of new technology
- Entry into a new market or area of business
- Introduction of new products
- An evolving competitive or regulatory environment
It’s essential to implement technology-based tools that can identify, measure, and mitigate all kinds of existing and emerging risks.
Continued Use of Legacy Technologies and Applications
Many organizations rely on inflexible, legacy technology and applications for specific business areas.
Legacy tools limit companies’ agility, preventing them from adapting to changes in the market and the market risk environment. They also create data silos causing unnecessary efforts and data duplication. As a result, it is harder to identify, control, and mitigate operational risks.
Replacing these applications with new technology can help strengthen the ORM program. If complete replacements are not possible, a feasible solution is to combine re-engineering with partial replacement, based on the criticality of these applications, as well as technology availability and business strategy.
Lack of Resources and Poor Communication
ORM requires proficient and knowledgeable risk experts. Not all organizations have these resources in place to establish, run, and maintain their ORM programs. Poor communication about risks and a lack of common “ORM language” are also challenges.
It’s critical to invest in the right resources – both human and technological – to assure ORM success. It’s also vital to educate everyone in every business unit about the importance of ORM and the possible consequences of operational disruptions and failures. Senior management must understand ORM objectives and strategies to assure that the program is adequately resourced, runs well, and achieves its stated objectives.
Other ORM Challenges
Your ORM program should provide an accurate picture of your risk profile. However, a lack of consistent methodologies to assess and measure operational risk can prevent the program from doing so. Further, when ORM is a function that simply reacts to regulations and compliance, it can become disjointed, manual, and ineffective.
To avoid such issues, establish policies and frameworks that align with regulatory requirements along with your company’s practices and growth strategies. Leverage technology and automation to accommodate a variety of risk information, enable your ORM framework, and ensure efficient operational risk control.
Include ZenGRC in Your ORM Plans
A solid and proactive ORM program can help your organization minimize, or at least mitigate, operational risk. It can also assure business continuity and support your strategic objectives. But to achieve all these benefits, you need a world-class and intuitive risk management platform such as ZenGRC.
ZenGRC is an integrated tool for risk management, audits, governance, and compliance. Its heat maps, dashboards, and other features reveal your organization’s operational risks and threats. It will even show you where these risks are changing, so you can update your mitigation strategies as required.
It is a single source of truth. With ZenGRC, you can aggregate all records, reports, policies, procedures, and controls to streamline your ORM program. Workflow management features offer easy tracking, automated reminders, and audit trails.
Want to include ZenGRC in your ORM plans? Contact the Reciprocity team to schedule a free demo.