Operational Risk Management is a methodology for organizations looking to put into place real oversight and strategy when it comes to managing risks. Every business faces circumstances or fundamental changes in their situation that can be seen as presenting varying levels of risk to that business, from minor inconveniences to potentially putting its very existence in jeopardy.
The Basel Committee on Banking Supervision has described operational risk as: “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. As such, operational risk captures business continuity plans, environmental risk, crisis management, process systems, and operations risk, people related risks and health and safety, and information technology risks.”
All of these risks need to be managed and the more sophisticated the approach to risk management, the more chance the business has to thrive and grow.
The Benefits Of Operational Risk Management
Before you decide whether or not you want to investigate how Operational Risk Management works and what you need to do to implement it, you will want to know what the potential benefits of it are.
These will help to convince those with sign-off on the decision that it is the right move for your organization, so here are the main benefits of Operational Risk Management:
- Improving the reliability of business operations
- Improving the effectiveness of the risk management operations
- Strengthening the decision-making process where risks are involved
- Reduction in losses caused by poorly-identified risks
- Early identification of unlawful activities
- Lower compliance costs
- Reduction in potential damage from future risks
There are plenty more benefits as well as a few challenges, as with any major business process, but Operational Risk Management is an essential step for every company that is looking to avoid potentially damaging issues.
How Does Operational Risk Management Work?
The first stage of any Operational Risk Management strategy is of course to understand the nature of your business and the particular risks associated with it. If you manage a company that runs water ski lessons, there will be risks your business will face that are very different to a company that creates technology for vending machines. Spending time worrying about risks that are nothing to do with you is just wasting time.
There are three levels of Operational Risk Management that you can choose to embark upon, and these are as follows:
- In-depth: As the name suggests, this is the kind of risk management that we would all be undertaking in an ideal world, as it will deliver the best results and practically make risk a thing of the past (not completely, of course, as not every risk is foreseeable). We don’t live in an ideal world, but there are still many situations when you can take the time to plan for a new project or business venture with in-depth Operational Risk Management, which can include staff training or and the implementation of new policies and procedures.
- Deliberate: This is still not ‘panic stations’ in the world of risk management but is undertaken at various stages during the life cycle of a project or a business and can come in the form of routine safety checks or performance reviews.
- Time-Critical: This kind of Operational Risk Management involves more urgency as it is usually done in the midst of operational change when there is only a limited amount of time for it to be done before the potential consequences of any non-identified risks might start to be felt. The US Navy has the following processes for time-critical ORM: Assess the situation; Balance your resources: Communicate risks and intentions; and do and debrief.
Stages Of Operational Risk Management
Those were the stages the Navy uses for time-critical Operational Risk Management, but for a more standard risk management process these are the usual stages you will need to undertake:
- Risk Identification: As mentioned earlier, understanding the risks specific to your business is key, but there are also many potential risks that affect any kind of business and you need to identify all of them, both those that are recurring and those that can be one-off events. The identification process needs to involve staff from all levels of the business if possible, bringing a variety of backgrounds and experiences to make a cohesive result. Risks that can be identified by work floor staff will be very different and no less critical than those identified from the boardroom.
- Risk Assessment: Once the risks have been identified, they need to be assessed. This needs to be done from both a quantitative and qualitative perspective and factors like the frequency and severity of occurrence need to be taken into consideration. The assessment needs to prioritize the management of these risks in relation to those factors.
- Measurement and Mitigation: Mitigating these risks (if not actually eliminating them altogether) is the next stage, with controls put in place that should limit the company’s exposure to the risks and the potential damage caused by them.
- Monitoring and Reporting: Any Operational Risk Management plan must have something in place for the ongoing monitoring and reporting of these risks if only to demonstrate how effective the plan has been. Most of all, it’s to ensure that the solutions put in place are continuing to be effective and doing their job in managing the risks.
There are other processes and models out there, particularly in the banking world, but most follow similar approaches to the one listed above. As long as you are picking an approach that suits your specific needs and situation, you will be on the way to a successful Operational Risk Management strategy.
The US Department of Defence has drilled down Operational Risk Management into four key principles, which are as follows:
- Accept risk when benefits outweigh the cost
- Accept no unnecessary risk
- Anticipate and manage risk by planning
- Make risk decisions at the right level
Taking those principles together with the approaches demonstrated above should ensure that Operational Risk Management is embedded within your organization and you can start reaping the benefits.