Risk Management

A Short Introduction to Operational Risk Management

Published February 06, 2024

Nowadays, crisis and business continuity managers don’t only have to worry about external threats to the organization. Internal risks matter just as much. Collectively, these operational risks are the risks of doing business. Too often, though, operational risk management gets short shrift.

How to get it right? Read our short introduction to operational risk management to find out.

How to class operational risks

So, what’s operational risk management all about? Well, operational risk management is the set of processes, encompassing risk assessment, decision making, and implementation of risk controls, targeted at reducing both internal and external threats to acceptable levels.

The threats themselves are operational risks, or the risks inherent in doing business.

This type of risk comes in many types – just think of all the risks businesses face from ineffective or failed internal processes, people, systems, or external events.

However, the five predominant categories of operational risks include:

People risk
Process risk
Systems risk
External events risk
Legal and compliance risk

Developing an appropriate operational risk management framework

The breadth of operational risk can be quite staggering. And potential impacts associated with realized threats can be equally overwhelming.

Companies, therefore, must go about developing appropriate and sound information and information-technology infrastructure to meet their current and projected business requirements and support critical operations and risk management.

How to go about building such a framework? Industry best-practice suggests taking the following steps:

Identify, assess, and manage operational risks with effective internal controls, monitoring, and remediation
Be able to continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP)
Effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements, and robust monitoring

Add to that, the resultant operational risk management framework should be suitable to the size, business mix, and complexity of the business.

The framework, as such, should consist of the following components:

Governance arrangements for the oversight of operational risk
An assessment of your operational risk profile, with a defined risk appetite supported by indicators and limits
Internal controls that are designed and operating effectively for the management of operational risks
Appropriate monitoring, analysis, and reporting of operational risks and escalation processes for operational incidents and events
A regularly tested business continuity plan (BCP) that sets out how you will identify, manage, and respond to a disruption within tolerance levels
Processes for the management of service provider arrangements

People in the operational risk management program

But who makes decisions? Operational risks involve the risks of doing business. It’s natural, then, that business decision makers, i.e. Boards of Directors, should develop, maintain, and review the operational risk management framework and program.

What should be the Board’s specific responsibilities? Statutes, such as APRA CPS 230, have prescribed the following:

Oversee operational risk management and the effectiveness of key internal controls in maintaining operational risk profile within risk appetite. To this end, the Board must receive regular updates on the company’s operational risk profile and then ensure that senior management takes action as required to address any areas of concern.
Approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing, and oversee the execution of any findings
Approve the service provider management policy, and review risk and performance reporting on material service provider arrangements

Of course, overseeing operational risk management means putting in place the best strategies for the enterprise. What are the leading operational risk management best practices and the operational risk management software solutions needed to implement them?

Read our comprehensive article, Key Strategies for How to Manage Operational Risk to find out.

The Brain

Meet Noggin

Business Continuity

Operational Resilience

Crisis Communications

Operational Risk Management

Crisis & Incident Management

Third-Party Risk Management

Emergency Management

Safety Management

Investigations & Case Management

Security Management

The Noggin Platform

Industries

Aviation & Airports

Construction

Counter-Terrorism

Care Services

Education

Financial Services

Healthcare & Hospitals

Manufacturing

Mining, Oil & Gas

Public Safety & Government

Retail & Hospitality

Technology

Transportation

Utilities

Venues & Entertainment

A Resilience Management Software Buyer's Guide

Who We Are

A Short Introduction to Operational Risk Management

Table of Contents

How to class operational risks

Developing an appropriate operational risk management framework

People in the operational risk management program

Keep Reading

Third-Party Risk Management Software vs. Spreadsheets: A cost comparison

4 Strategies to Mitigate Third-Party Cyber Vulnerability

Managing Threats and Business Risk

Understanding Inherent vs. Residual Risk Assessments

Download your copy

Solutions

Platform

Resources

About

Motorola Solutions