Operational risk management (ORM) is a fundamental component of a sound business strategy. After all, the disruption caused by AI, machine learning, global geopolitical uncertainties and energy market fluctuations presents a scenario where the ability to navigate risks determines the difference between surviving and thriving.
Yet, only 16% of organizations are prepared to anticipate and react to external factors, shocks and disruptions. So, what is operational risk management in the context of day-to-day business? How do you navigate uncertainty and protect your organization against operational hazards when executing day-to-day business activities?
Understanding Operational Risk Management
Operational risk management (ORM) is a systematic way to identify, assess, mitigate and report on company risks that could affect your day-to-day operations. Its primary objective is to avoid risk, and if you can’t, respond quickly and appropriately to limit damage.
Why Is Operational Risk Management Important?
While no individual or organization can predict specific risks, operational risk management frameworks can help you prepare for an uncertain and volatile future. The right ORM program will help your business absorb, resist, recover and adapt to business disruptions. It keeps your objectives on course, even in a complex and changing business environment.
Here are a few reasons why ORM is important for organizations:
- It protects your business’s reputation. Product recalls, data breaches or service disruptions erode trust between your company and its customers, partners and investors. Once gone, it’s difficult and costly to repair.
- It minimizes financial losses. Financial losses for incidents may include fines, correction costs, legal fees and indirect costs such as lost productivity or increased insurance premiums.
- It ensures business resiliency. With robust ORM, your organization can prepare for and recover from disruptions faster, minimizing downtime and ensuring that your business’s crucial operations continue functioning.
- It enhances regulatory compliance. Not only does ORM ensure compliance, but a well-documented ORM program demonstrates to regulators that you have done your due diligence and take risk management seriously.
- It improves operational efficiency. ORM doesn’t just protect your company from significant problems like recalls and data breaches—it can also identify clunky processes, unnecessary waste and inefficiencies.
- It supports strategic decision-making. Operational risk insights help your organization make better choices about your products, expansion markets and even your investments.
Objectives of Operational Risk Management
ORM isn’t just a box to tick on your organization’s to-do list to satisfy your legal department. It’s a practice intended to protect your business from costly damage.
The specific objectives of ORM include:
- Helping to control risk
- Minimizing losses
- Improving efficiency and effectiveness
- Establishing business continuity and resilience
- Ensuring regulatory compliance
- Projecting reputation and brand
- Improving decision-making
- Fostering a strong risk culture
- Optimizing resource allocation
What is Operational Risk?
Risk management experts often point toward four main types of operational risk. Your organization should analyze each type of risk for a strong ORM program.
People-Related Risks
People-related risks involve a human factors. Sometimes, these human errors are accidental, such as a data entry mistake that leads to incorrect customer billing or workplace accidents like falls. Others are intentional, such as an employee embezzling funds. Some risks involve broader HR issues, such as employee turnover and inadequate training.
A famous example of a people-related risk is the Enron scandal. A group of executives and an outside accounting firm overvalued assets in earnings reports to bolster their earnings statements. The company went bankrupt in 2001, shareholders lost billions of dollars and the accounting firm it worked with went out of business. Twenty-two people involved were convicted of fraud.
Process-Related Risks
Process-related risks relate to the business workflows companies rely on. Daily business activities can go awry easily. A few examples include:
- A breakdown in the manufacturing process causing defective products.
- A lack of rules, policies or procedures that allow errors to go undetected.
- Poor planning or communication breakdowns that delay projects.
Perhaps the most famous example is Johnson & Johnson’s 1982 Tylenol recall. Someone laced Tylenol capsules with cyanide in packages on store shelves in Chicago, killing seven people. The company recalled 31 million bottles and developed a tamper-evident seal, now an industry standard. While the tampering resulted from an unknown outside party, the inability to see the risk of someone tampering with their product cost the company millions.
Systems-Related Risks
Systems-related risks or technology risks revolve around the systems you have in place. These include any of the following:
- Hardware malfunctions or software bugs
- Ransomware and other cybersecurity threats
- Data loss, whether through accidental deletion, corruption or theft
- System failures or integration errors when adding new software to your tech stack
- Over-reliance on a single system
In 2017, Equifax announced it was the victim of one of the largest cyberattacks in history. More than 148 million Americans had their data compromised, including names, dates of birth and Social Security numbers. The cyberattack cost Equifax $1.4 billion in financial losses.
External Event Risks
External event risks are those that originate outside of your organization. These can be:
- Natural disasters
- Market risk, like economic downturns
- Regulatory changes
- Supply chain disruptions
- Pandemics and public health crises
As we learned with the COVID-19 pandemic, these often overlap. For example, your company may have experienced a limited workforce during the pandemic, impacting your ability to deliver goods or services to your customers. You also probably had a harder time getting the necessary supplies due to supply chain disruptions.
You won’t be able to avoid these types of risks entirely since they are outside your control, but you can have contingency plans to minimize the risk to your organization. And while ORM can’t prevent these risks from occurring 100% of the time, it can significantly reduce their likelihood or impact.
How to Manage Operational Risk
Managing operational risk starts with building a strong foundation in your organization. This involves creating clear processes and leveraging the right tools to identify, assess and mitigate potential hazards proactively.
Build a Strong Culture Built Around Risk Management
Buy-in at the leadership level is essential to building a strong risk culture. Have the CEO regularly communicate the importance of risk management in company-wide meetings or emails and engage senior leaders in risk reviews and discussions. Share regular updates on key risks and the effectiveness of risk management programs with the C-suite and board of directors.
Every member of your organization should uphold the risk management process every day, not treat it as a separate activity people do once or twice a year to check a box. Include risk assessments in project planning and new product development, and discuss risk considerations when making decisions. Ensure open and honest communication so everyone is comfortable raising concerns without fear of reprisal, and include it in internal audits and reviews.
Define the Scope and Objectives of Your Program
Clearly define what areas of your business are included in your risk management system to ensure the appropriate use of resources. For example, maybe you want to focus initial efforts on the manufacturing portion of your business, and then you’ll move into sales and marketing later.
Specify what levels the ORM program will impact. Ideally, you’ll address all levels of your organization, but sometimes it’s best to focus on one specific area at a time by prioritizing the level with the most risks.
You may also want to initially focus on a specific type of operational risk based on its potential impact or relevance to the organization. For example, prioritizing financial and IT risks before focusing on reputational risks may make the most sense for your organization.
Once you’ve decided on scope, set clear objectives for what you hope to accomplish. Example objectives include:
- Reduce operational losses due to fraud by 15% within the next two years.
- Ensure 100% compliance with all relevant regulatory requirements.
- Develop and implement a robust business continuity plan to minimize downtime in the event of a disaster.
Establish a Robust Framework for ORM
An operational risk management framework is a set of principles, processes and guidelines that provides a structured approach to managing risks. These frameworks include everything from governance and oversight information to the steps of the ORM internal process.
You can develop your own framework tailored to your specific needs, but most organizations choose to adopt or adapt established frameworks such as:
- ISO 31000: An international framework for risk management.
- COSO Enterprise Risk Management Framework: A framework that addresses multiple types of risk, including operational risks.
- Basel Accords: A set of regulations governing international banking.
Which framework you choose depends on the size and complexity of your organization, its industry and its regulatory environment.
Using a framework provides a structured and consistent approach to risk management, whether you start from scratch or use one of the established frameworks.
Stages of Operational Risk Management
While there are distinct stages of operational risk management, the process is cyclical rather than a one-and-done event. The steps are interrelated and should be performed multiple times to ensure success.
1. Risk Identification
The goal of risk identification is to identify all potential risks that might impact your organization’s objectives. Activities at this stage include:
- Brainstorming with a diverse group of people in your organization
- Analyzing incident reports, near misses, audit findings or customer complaints for historical data
- Reviewing industry reports
- Gathering input from stakeholders such as employees, investors and customers through surveys, interviews, focus groups, etc.
By the end of this stage, you should have an inventory of all identified risks, even unintentional risk.
2. Risk Assessment
Risk assessment aims to understand the potential impact of the risks you identify so you can prioritize them for mitigation. Through structured assessments, you can align your risk management efforts with strategic goals. Here’s how to conduct a detailed risk assessment, incorporating terms like RCSA and risk assessment process.
The Risk Assessment Process
A thorough risk assessment process involves several key steps:
1. Risk and Control Self-Assessment (RCSA): What is RCSA? RCSA allows teams particularly in the financial services industry, to identify and evaluate risks actively. By involving employees from different levels, it ensures a broad perspective on potential threats.
How to Implement RCSA:
Engage cross-functional teams in workshops.
Use facilitated sessions to identify and categorize risks.
Assign likelihood and impact ratings collaboratively.
2. Qualitative and Quantitative Assessments
Use descriptive scales (e.g., “low,” “medium,” “high”) to estimate risk likelihood and impact.
Encourage discussions to capture nuanced views and subjective insights.
Utilize numerical values and statistical models.
Collect historical data to support probabilistic evaluations.
Example: Assess a risk as having a 10% chance of occurrence with a $500,000 potential impact.
3. Creating a Prioritized Risk List
- After gathering data, organize risks by priority based on their assessed impact and likelihood.
- High-impact, high-likelihood risks should be the primary focus for mitigation efforts.
4. Risk Assessment Matrix and Heat Map
- Use a risk assessment matrix to visualize and prioritize risks efficiently.
- A heat map provides a graphical representation of where risks congregate on a likelihood-impact scale, helping teams to focus on critical areas.
Tips for Effective Risk Assessment
Engage Stakeholders
• Include diverse voices to capture a comprehensive view of risks.
• Regularly communicate findings and updates to ensure alignment and transparency.
Leverage Technology
• Utilize operational risk management software to streamline documentation and analysis.
• Automate data collection for more comprehensive quantitative assessments. This kind of software can provide real-time insights, helping your team make more informed decisions and respond swiftly to emerging threats.
Foster a Risk-Aware Culture
• Encourage ongoing risk discussions to identify emerging threats promptly.
• Integrate risk assessments into everyday decision-making processes.
By following these steps, you can conduct a robust risk assessment that not only identifies and prioritizes risks but also aligns with your organization’s strategic objectives.
3. Risk Response or Mitigation
“Risk response” and “risk mitigation” are often used interchangeably to describe managing risks but differ slightly. Risk response refers to the overall strategy, while risk mitigation refers to the steps your organization takes to reduce a risk.
The best way to manage risk depends on the risk itself. Risk responses include:
- Avoiding the risk altogether. Risk avoidance is the most common goal in risk management programs. For example, if the risk is data loss related to outdated software, your organization could prevent the risk by switching to a cloud-based solution with automatic backups.
- Reducing the risk as much as possible. For example, if the risk is a data breach, your organization could implement strong access controls like passwords and multi-factored authentication to reduce the likelihood of a data breach.
- Transferring the risk by shifting the financial burden of the risk to a third party, such as an insurance company. For example, your organization could purchase cyber liability insurance to cover the costs associated with a data breach.
- Accepting the risk by taking no action. Risk acceptance is simply part of being in business. For example, it might make more financial sense to accept the risk of minor office supply shortages if the cost of implementing an inventory management system is more than the cost of any potential delays.
Once you decide how to respond to the risks, develop action plans with specific actions, responsibilities, timelines, resources and metrics to guide the organization through the risk response. Create a documentation plan for who will document the actions taken and when and how. Allocate resources as needed to accomplish these tasks.
Once approved by stakeholders, put your action plans to work.
4. Risk Monitoring and Reporting
Once your plans are in place, monitor their effectiveness and identify new or emerging risks.
Craft key risk indicators (KRIs), which are metrics used to track the level of risk. They should be measurable, relevant, timely and actionable. Examples include:
- Number of security incidents
- Percentage of employees completing risk management training
- Number of customer complaints caused by service disruptions
Track the risk mitigation strategies to ensure they work as intended, and share your findings in monthly, quarterly or annual reports. Reporting gives management and other stakeholders the information they need about risk mitigation strategies to make informed decisions.
Regularly review the risks you’ve identified, your assessment of them and the steps in place to mitigate them. These reviews should involve key stakeholders and occur throughout the year on a timeline that makes sense for your organization. Regularly analyze your data to identify trends and patterns that may indicate new emerging risks and revisit the entire process as needed.
Learn More About ORM with Onspring
The ORM process can be overwhelming and complicated, but it doesn’t have to be. Software such as Onspring’s GRC Suite can make the process easier. Schedule a personalized demo today.
