Operational risk management

Last updated August 21, 2024

Operational risk management (ORM) is defined as a continual recurring process that includes risk assessment, risk decision making, and the implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of risk.

ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events. Unlike other type of risks (market risk, credit risk, etc.) operational risk had rarely been considered strategically significant by senior management.^[1]

Four principles

The U.S. Department of Defense summarizes the principles of ORM as follows:^[2]

Accept risk when benefits outweigh the cost.
Accept no unnecessary risk.
Anticipate and manage risk by planning.
Make risk decisions in the right time at the right level.

Three levels

In Depth: In depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Examples of in depth methods include training, drafting instructions and requirements, and acquiring personal protective equipment.
Deliberate: Deliberate risk management is used at routine periods through the implementation of a project or process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks.
Time Critical: Time critical risk management is used during operational exercises or execution of tasks. It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Examples of tools used includes execution check-lists and change management. This requires a high degree of situational awareness.^[2]

Process

The International Organization for Standardization defines the risk management process in a four-step model:^[3]

Establish context
Risk assessment
- Risk identification
- Risk analysis
- Risk evaluation
Risk treatment
Monitor and review

This process is cyclic as any changes to the situation (such as operating environment or needs of the unit) requires re-evaluation per step one.

Deliberate

The U.S. Department of Defense summarizes the deliberate level of ORM process in a five-step model:^[2]

Identify hazards
Assess hazards
Make risk decisions
Implement controls
Supervise (and watch for changes)

Time critical

The U.S. Navy summarizes the time-critical risk management process in a four-step model:^[4]

1. Assess the situation.

The three conditions of the Assess step are task loading, additive conditions, and human factors.

Task loading refers to the negative effect of increased tasking on performance of the tasks.
Additive factors refers to having a situational awareness of the cumulative effect of variables (conditions, etc.).
Human factors refers to the limitations of the ability of the human body and mind to adapt to the work environment (e.g. stress, fatigue, impairment, lapses of attention, confusion, and willful violations of regulations).

2. Balance your resources.

This refers to balancing resources in three different ways:

Balancing resources and options available. This means evaluating and leveraging all the informational, labor, equipment, and material resources available.
Balancing Resources versus hazards. This means estimating how well prepared you are to safely accomplish a task and making a judgement call.
Balancing individual versus team effort. This means observing individual risk warning signs. It also means observing how well the team is communicating, knows the roles that each member is supposed to play, and the stress level and participation level of each team member.

3. Communicate risks and intentions.

Communicate hazards and intentions.
Communicate to the right people.
Use the right communication style. Asking questions is a technique to opening the lines of communication. A direct and forceful style of communication gets a specific result from a specific situation.

4. Do and debrief. (Take action and monitor for change.)

This is accomplished in three different phases:

Mission Completion is a point where the exercise can be evaluated and reviewed in full.
Execute and Gauge Risk involves managing change and risk while an exercise is in progress.
Future Performance Improvements refers to preparing a "lessons learned" for the next team that plans or executes a task.

Benefits

Operational Risk Management (ORM) is not just a compliance requirement; it’s a foundation of business strategy that ensures long-term success. Implementing an effective operational risk management framework offers many benefits for businesses including,

Enhanced decision making,
Improved regulatory compliance
Increased operational efficiency
Protection of reputation, and
Financial stability^[5]^[6]

Chief Operational Risk Officer

The role of the Chief Operational Risk Officer (CORO) continues to evolve and gain importance. In addition to being responsible for setting up a robust Operational Risk Management function at companies, the role also plays an important part in increasing awareness of the benefits of sound operational risk management.

Most complex financial institutions have a Chief Operational Risk Officer. The position is also required for Banks that fall into the Basel II Advanced Measurement Approach "mandatory" category.

Software

The impact of the Enron failure and the implementation of the Sarbanes–Oxley Act has caused several software development companies to create enterprise-wide software packages to manage risk. These software systems allow the financial audit to be executed at lower cost.

Forrester Research has identified 115 Governance, Risk and Compliance vendors that cover operational risk management projects. Active Agenda is an open source project dedicated to operational risk management.

Related Research Articles

Project management is the process of supervising the work of a team to achieve all project goals within the given constraints. This information is usually described in project documentation, created at the beginning of the development process. The primary constraints are scope, time, and budget. The secondary challenge is to optimize the allocation of necessary inputs and apply them to meet pre-defined objectives.

Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Security management is the identification of an organization's assets i.e. including people, buildings, machines, systems and information assets, followed by the development, documentation, and implementation of policies and procedures for protecting assets.

Risk assessment determines possible mishaps, their likelihood and consequences, and the tolerances for such events. The results of this process may be expressed in a quantitative or qualitative fashion. Risk assessment is an inherent part of a broader risk management strategy to help reduce any potential risk-related consequences.

<span class="mw-page-title-main">Systems development life cycle</span> Systems engineering terms

In systems engineering, information systems and software engineering, the systems development life cycle (SDLC), also referred to as the application development life cycle, is a process for planning, creating, testing, and deploying an information system. The SDLC concept applies to a range of hardware and software configurations, as a system can be composed of hardware only, software only, or a combination of both. There are usually six stages in this cycle: requirement analysis, design, development and testing, implementation, documentation, and evaluation.

Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations. Employee errors, criminal activity such as fraud, and physical events are among the factors that can trigger operational risk. The process to manage operational risk is known as operational risk management. The definition of operational risk, adopted by the European Solvency II Directive for insurers, is a variation adopted from the Basel II regulations for banks: "The risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events, differ from the expected losses". The scope of operational risk is then broad, and can also include other classes of risks, such as fraud, security, privacy protection, legal risks, physical or environmental risks. Operational risks similarly may impact broadly, in that they can affect client satisfaction, reputation and shareholder value, all while increasing business volatility.

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.

The chief risk officer (CRO), chief risk management officer (CRMO), or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes–Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

A hazard analysis is one of many methods that may be used to assess risk. At its core, the process entails describing a system object that intends to conduct some activity. During the performance of that activity, an adverse event may be encountered that could cause or contribute to an occurrence. Finally, that occurrence will result in some outcome that may be measured in terms of the degree of loss or harm. This outcome may be measured on a continuous scale, such as an amount of monetary loss, or the outcomes may be categorized into various levels of severity.

<span class="mw-page-title-main">Internal audit</span> Independent, objective assurance and consulting activity

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

The system safety concept calls for a risk management strategy based on identification, analysis of hazards and application of remedial controls using a systems-based approach. This is different from traditional safety strategies which rely on control of conditions and causes of an accident based either on the epidemiological analysis or as a result of investigation of individual past accidents. The concept of system safety is useful in demonstrating adequacy of technologies when difficulties are faced with probabilistic risk analysis. The underlying principle is one of synergy: a whole is more than sum of its parts. Systems-based approach to safety requires the application of scientific, technical and managerial skills to hazard identification, hazard analysis, and elimination, control, or management of hazards throughout the life-cycle of a system, program, project or an activity or a product. "Hazop" is one of several techniques available for identification of hazards.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

The CAMELS rating is a supervisory rating system originally developed in the U.S. to classify a bank's overall condition. It is applied to every bank and credit union in the U.S. and is also implemented outside the U.S. by various banking supervisory regulators.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

An enterprise planning system covers the methods of planning for the internal and external factors that affect an enterprise.

Strategic risk is the risk that failed business decisions may pose to a company. Strategic risk is often a major factor in determining a company's worth, particularly observable if the company experiences a sharp decline in a short period of time. Due to this and its influence on compliance risk, it is a leading factor in modern risk management.

Electromagnetic compatibility (EMC) with regulations and standards is a global requirement for electrical and electronic devices prior to their commercialization. EMC is essential for ensuring the safety, performance, and quality of electronic devices. However, achieving and maintaining EMC presents a significant challenge due to the rapid development of new products with evolving technologies and features.

References

General

Cited

↑ Yang, Shirley Ou; Hsu, Carol; Sarker, Suprateek; Lee, Allen S. (2017). "Enabling Effective Operational Risk Management in a Financial Institution: An Action Research Study". Journal of Management Information Systems. 34: 727–753. doi:10.1080/07421222.2017.1373006.
1 2 3 "Naval Safety Center ORM". Archived from the original on October 11, 2008. Retrieved November 4, 2008.
↑ "Committee Draft of ISO 31000 Risk management" (PDF). International Organization for Standardization. 2007-06-15. Archived from the original (PDF) on 2009-03-25.
↑ "Operational Risk Management - Time-Critical Risk Management". U.S. Navy. Retrieved 12 July 2009.
↑ Shukla, Narendra (2024-08-20). "What Is Operational Risk Management?". edwiseconsulting.com.au. Retrieved 2024-08-20.{{cite web}}: CS1 maint: url-status (link)
↑ Shukla, Narendra (2024-08-20). "What Is Operational Risk Management?". Edwise Consulting. Retrieved 2024-08-20.{{cite web}}: CS1 maint: url-status (link)

External links

The Institute of Operational Risk The institute provides professional recognition and enables members to maintain competency in the discipline of operational risk.
Operational Risk Institute An association of operational risk training professionals that renders key training on Op Risk related subjects including Business Continuity.
Operational Risk Management Software ^{[ dead link ]} 5 Essential features must incorporate in ORM Software to avoid risks.
Operational Risk Management of U.S. Insurers How well do you understand operational Risk Management.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Yang, Shirley Ou; Hsu, Carol; Sarker, Suprateek; Lee, Allen S. (2017). "Enabling Effective Operational Risk Management in a Financial Institution: An Action Research Study". Journal of Management Information Systems. 34: 727–753. doi:10.1080/07421222.2017.1373006.

[safetycenter-2] 1 2 3 "Naval Safety Center ORM". Archived from the original on October 11, 2008. Retrieved November 4, 2008.

[iso3100-3] "Committee Draft of ISO 31000 Risk management" (PDF). International Organization for Standardization. 2007-06-15. Archived from the original (PDF) on 2009-03-25.

[Navy_E-Learning-4] "Operational Risk Management - Time-Critical Risk Management". U.S. Navy. Retrieved 12 July 2009.

[5] Shukla, Narendra (2024-08-20). "What Is Operational Risk Management?". edwiseconsulting.com.au. Retrieved 2024-08-20.{{cite web}}: CS1 maint: url-status (link)

[6] Shukla, Narendra (2024-08-20). "What Is Operational Risk Management?". Edwise Consulting. Retrieved 2024-08-20.{{cite web}}: CS1 maint: url-status (link)

[1]

[2]

[3]

[4]

[5]

[6]