In recent years, the risk forecast for companies has darkened appreciably. But companies don’t just face external risks that might jeopardize their operations. Internal risks matter just as much.
That’s why companies must establish a set of processes that encompass risk assessment, decision making, and implementation of risk control, to reduce both internal and external threats to acceptable levels.
Altogether these processes constitute a company’s operational risk management program.
However, these programs often get short shrift. And so, we’ve written this article laying out the strategies for effective operational risk management to ensure you’re leveraging operational risk management as an organizational imperative.
What is operational risk?
At the bottom of operational risk management are operational risks.
Operational risks are the risks of doing business; these are the risks businesses face from ineffective or failed internal processes, people, systems, or external events. Five categories of operational risks include:
- People risk
- Process risk
- Systems risk
- External events risk
- Legal and compliance risk
All companies face these types of risks to varying degrees. The variation will, of course, depend on what that company does, how many people work there, what industry that company is in, and numerous other factors.
Irrespective of these factors, operational risks, if realized, can lead to serious losses, including the following:
- Enterprise-wide interruption, disruption, or failure
- Loss of systems control or data
- Financial loss
- Safety hazards
- Reputational damage
- IT infrastructure damage
- Customer churn
- Employee churn
- Legal liability or regulatory fines for harm caused by employees intentionally or negligently
- Legal liability or regulatory fines for harm caused by external bad actors
- Competitive disadvantage
Types of operational risk management intervention
Despite the potential impacts of certain risks, operational risk management isn’t necessarily about the elimination of all risk entirely. In fact, that strategy might be too costly or otherwise ill advised.
Businesses will have to examine their operational risks in the context of existing systems and processes, with the types of operational risk management intervention including the following:
Risk avoidance
The elimination of hazards, activities, and exposures that can negatively affect an organization and its assets.
Risk acceptance
The acknowledging of the possibility for small or infrequent risks without taking steps to hedge.
Risk transfer
The process of formally or informally shifting the financial consequences of particular risks from one party to another.
Risk reduction
The mitigation of impact of potential losses by reducing the likelihood and severity of a possible loss.
Risk retention
The planned acceptance of potential losses.
An appropriate framework for operational risk
Given that, organizations should maintain appropriate and sound information and information-technology infrastructure to meet current and projected business requirements and support critical operations and risk management.
How to go about doing that? We recommend taking the following steps:
- Identify, assess, and manage operational risks with effective internal controls, monitoring, and remediation
- Be able to continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP)
- Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring
We also recommend that organizations develop and maintain an operational risk management framework. But not any framework will do for managing operational risk.
To be deemed appropriate, the framework should be suitable to the size, business mix, and complexity of your business.
Essential components of such an operational risk management framework include:
- Governance arrangements for the oversight of operational risk
- An assessment of your operational risk profile, with a defined risk appetite supported by indicators and limits
- Internal controls that are designed and operating effectively for the management of operational risks
- Appropriate monitoring, analysis, and reporting of operational risks and escalation processes for operational incidents and events
- A regularly tested business continuity plan (BCP) that sets out how you will identify, manage, and respond to a disruption within tolerance levels
- Processes for the management of service provider arrangements
Roles and responsibilities in effective operational risk management
Who then is responsible for putting this framework in place? That would be the company’s Board.
Indeed, for purposes of compliance, the Board might even be considered accountable for the oversight of operational risk management, as well as business continuity, and the management of service provider arrangements.
The Board, therefore, has its work cut out. It will likely have to ensure that the organization sets clear roles and responsibilities for senior managers relating to operational risk management.
Those senior managers, in turn, will be responsible for the day-to-day execution of operational risk management, across end-to-end processes for all business operations.
Nevertheless, senior managers will have to provide information to the Board on the expected impacts on critical operations. And then, the Board must make decisions affecting the resilience of said operations.
Further Board responsibilities include:
- Oversee operational risk management and the effectiveness of key internal controls in maintaining operational risk profile within risk appetite. To this end, the Board must receive regular updates on the company’s operational risk profile and then ensure that senior management takes action as required to address any areas of concern.
- Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing, and oversee the execution of any findings
- Approve the service provider management policy, and review risk and performance reporting on material service provider arrangements.
Six leading operational risk management practices
Overseeing operational risk management entails putting in place the best strategies for your enterprise. What might such strategies look like? Here is a list of leading operational risk management best practices:
1. Assess the impact
Assess the impact of business and strategic decisions on your operational risk profile and operational resilience as part of your business and strategic planning processes. This should include an assessment of the impact of new products, services, geographies, and technologies on your operational risk profile.
2. Understand your operational risk profile
Maintain a comprehensive assessment of your operational risk profile. This should include maintaining appropriate and effective information systems to monitor operational risk, compile and analyze operational risk data, and facilitate reporting.
3. Identify and document resources needed
Identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data, and controls.
4. Undertake scenario analysis
Undertake a scenario analysis to identify and assess the potential impact of severe operational risk events, test operational resilience, and identify the need for new or amended controls and other mitigation strategies.
5. Conduct a comprehensive risk assessment
Conduct a comprehensive risk assessment before providing a material service to another party. In fact, certain regulators may require regulated entities to review and strengthen internal controls or processes where the regulator considers there to be heightened risks.
6. Put controls in place
Design, implement, and embed internal controls to mitigate operational risks in line with your risk appetite and to meet any compliance obligations.
- Regularly monitor, review, and test controls for design and operating effectiveness, the frequency of which should be commensurate with the materiality of the risks being controlled
- The results of testing must be reported to senior management and any gaps or deficiencies in the control environment must be rectified in a timely manner
- Remediate material weaknesses in your operational risk management, including control gaps, weaknesses, and failures. This remediation must be supported by clear accountabilities and assurance and address the root causes of weaknesses in a timely manner.
Digital technology for effective operational risk management
If that sounds like a lot, it doesn’t have to.
Operational risk management software can, in fact, help organizations proactively identify, assess, and mitigate potential risks that could cause operational failures or disruptions to their normal operations.
What capabilities matter, though? We recommend:
Objectives
Align risk management initiatives with organizational objectives to ensure risks are managed in a way that aligns with your objectives so you can effectively manage threats and capitalize on opportunities.
Obligations
Keep track of your compliance obligations with ease using a centralized register that enables you to monitor breaches and collaborate with your team to ensure compliance throughout your organization.
Risk & Controls Library
Get a head start with a pre-existing library of potential operational risks and corresponding control measures, inspired by the best industry practices to save time in recognizing and recording operational risks.
Risk assessments
Proactively identify, assess, and manage operational risks through a centralized workspace that provides a holistic view of risks, and streamlines risk assessment processes while fostering effective stakeholder collaboration and communication.
Audits
Gain oversight into the ongoing management of risk controls as they are implemented and maintained in your operational environment, using scheduled audits that personnel can complete from anywhere, on any device.
Document management
Streamline the risk document management process by leveraging centralized document management functionality to ensure personnel have the right information at their fingertips.
Reporting
Create custom reports that summarize historical data with charts, recommendations, and sign-offs. Export these as PDF or Word documents and share with stakeholders and executives to enable them to make informed decisions, manage threats, and benefit from opportunities.
Analytics
Consolidate data to gain valuable insights and visualize it through interactive dashboards, charts, risk matrices, and maps in real-time, from any device.
Finally, operational risk is on the rise, and companies aren’t doing enough to get their operational risk management in order.
However, following our strategies for effective operational risk management should help. Meanwhile, implementing operational risk management software like Noggin will provide a holistic view of risks, streamline operational risk-related processes, and foster effective stakeholder collaboration and communication.
But don’t just take our word for it. Request a demonstration to see how Noggin can improve Operational Risk Management at your organization.
.svg)
.svg)
.svg)