Operational risk management

Operational risk management (ORM) is defined as a continual recurring process that includes risk assessment, risk decision making, and the implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of risk.

ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems, human factors, or external events. Unlike other types of risk (market risk, credit risk, etc.), operational risk has rarely been considered strategically significant by senior management. [1]

Four principles

The U.S. Department of Defense summarizes the principles of ORM as follows: [2]

Three levels

In Depth
In depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Examples of in depth methods include training, drafting instructions and requirements, and acquiring personal protective equipment.
Deliberate
Deliberate risk management is used at routine periods through the implementation of a project or process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks.
Time Critical
Time critical risk management is used during operational exercises or execution of tasks. It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Examples of tools used include execution checklists and change management. This requires a high degree of situational awareness. [2]

Process

The International Organization for Standardization defines the risk management process in a four-step model: [3]

  1. Establish context
  2. Risk assessment
    • Risk identification
    • Risk analysis
    • Risk evaluation
  3. Risk treatment
  4. Monitor and review

This process is cyclic: any change to the situation (such as the operating environment or the needs of the unit) requires re-evaluation starting again from step one.

Deliberate

Figure: Link between deliberate and time critical ORM process

The U.S. Department of Defense summarizes the deliberate level of ORM process in a five-step model: [2]

  1. Identify hazards
  2. Assess hazards
  3. Make risk decisions
  4. Implement controls
  5. Supervise (and watch for changes)

Time critical

The U.S. Navy summarizes the time-critical risk management process in a four-step model: [4]

1. Assess the situation.

The three conditions of the Assess step are task loading, additive conditions, and human factors.

2. Balance your resources.

This refers to balancing resources in three different ways:

3. Communicate risks and intentions.
4. Do and debrief. (Take action and monitor for change.)

This is accomplished in three different phases:

Benefits

  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.

Chief Operational Risk Officer

The role of the Chief Operational Risk Officer (CORO) continues to evolve and gain importance. In addition to being responsible for setting up a robust Operational Risk Management function at companies, the role also plays an important part in increasing awareness of the benefits of sound operational risk management.

Most complex financial institutions have a Chief Operational Risk Officer. The position is also required for banks that fall into the Basel II Advanced Measurement Approach "mandatory" category.

Software

The impact of the Enron failure and the implementation of the Sarbanes–Oxley Act has caused several software development companies to create enterprise-wide software packages to manage risk. These software systems allow the financial audit to be executed at lower cost.

Forrester Research has identified 115 Governance, Risk and Compliance vendors that cover operational risk management projects. Active Agenda is an open source project dedicated to operational risk management.

References

Cited

  1. Yang, Shirley Ou; Hsu, Carol; Sarker, Suprateek; Lee, Allen S. (2017). "Enabling Effective Operational Risk Management in a Financial Institution: An Action Research Study". Journal of Management Information Systems. 34: 727–753. doi:10.1080/07421222.2017.1373006.
  2. "Naval Safety Center ORM". Archived from the original on October 11, 2008. Retrieved November 4, 2008.
  3. "Committee Draft of ISO 31000 Risk management" (PDF). International Organization for Standardization. 2007-06-15. Archived from the original (PDF) on 2009-03-25.
  4. "Operational Risk Management - Time-Critical Risk Management". U.S. Navy. Retrieved 12 July 2009.