Operational Risk Management 101

Operational risk management is a fundamental element in your organization’s risk profile and management.


Operational risk is a relatively new niche within the business GRC environment. Operational risk was set out as its own distinct category between 1999 and 2001, when the Basel Committee on Banking Supervision (BCBS) released a series of papers on the subject (which have been updated as of 2021). Of course, banks, financial institutions, and many other organizations have been aware of the risks associated with operational activities for far longer, and operational risk management in financial institutions is a vital part of their ongoing strategy.

Today operational risk is a fundamental part of every organization’s risk profile and management. However, because it is still a developing discipline, losses from operational risks often remain high. In addition, the increased losses that followed the 2008 financial crisis continue today.

It’s vital that your operational risk management processes are designed to keep up with the dynamic environment of operational risk in order to protect your organization now and into the future. 


What is operational risk?

The BCBS defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.”

As you can see from this definition, there is a vast array of potential operational risks, and they can (and will) occur at every level of an organization. The problem is that many of the individual risks are very small – such as a loss from a minor human mistake – which makes them less visible and more difficult to manage.

On the other hand, sometimes the risk may be very large – such as bankruptcy from fraud. Managing these competing risks can make operational risk management a tricky business. 

What is the primary objective of operational risk management?

The primary objective of operational risk management is quite simple – to mitigate the risks that could possibly or probably arise from the day-to-day operations of the organization.

Let’s get stuck into the types of operational risks your organization may face.


Five main types of operational risks

1. People risks 

These are errors, mistakes, omissions, failures, or even unethical or fraudulent actions taken by employees or external people that lead to financial losses or negative performance. It also includes an organization’s ability to attract, manage, develop, engage, and retain competent human resources with the right array of capabilities. 

2. Process risks

These are failed internal business processes (such as product design flaws) across every part of an organization that lead to financial loss or negative performance. 

3. Systems risks

These risks relate to failed internal systems, such as IT, which result in financial losses and negative performance outcomes. This includes a wide range of systems, such as power backup systems, information management, communications, and more.

4. External events risks 

External events risks are typically outside of an organization’s control, but lead to business disruption, financial losses and negative performance. They can include pandemics, natural disasters such as flooding or earthquakes, and man-made events, such as terrorist attacks. 

5. Legal and compliance risks 

These risks include all those that relate to non-compliance with applicable laws, regulations, and even internal requirements, and that lead to financial loss and negative organizational performance.



Examples of operational risk

  • Business disruption
  • Product failures
  • Supply chain disruption
  • Employee or capability loss
  • Litigation
  • Failure of internal systems – such as IT
  • Fraud or unethical behavior
  • Health and safety
  • Natural disasters
  • Non-compliance with regulations


What is operational risk management? 

Operational risk management is simply the process of understanding and managing the risks that your organization might be exposed to while operating towards its objectives. For our purposes, we see these risks in the categories set out above – people, process, systems, external, and compliance risks – so, in general, we look to manage each of these categories.


Approaches to identifying operational risks

The first step is, of course, identifying your operational risks. This can be done via a top-down approach to risk identification, which begins with the most senior management, or via a bottom-up approach, which is usually handled by supervisors or mid-level management.

In the first case, senior management will collaborate on scenario generation exercises where they brainstorm possible or probable risks and the response that the organization would then take. 

In the second approach, process mapping and interviews (among other things) may be undertaken to understand the operations at a granular level and conceptualize ways to strengthen the operations where they are most vulnerable. 

Both approaches strive to identify the most common threats to the organization. However, the top-down approach is focused primarily on macro risks, while the bottom-up approach is focused primarily on micro risks. Both are important, and to manage operational risk well, both kinds of risk need to be understood and identified.

Once your operational risks are identified, you are able to move on to operational risk management best practices for overseeing them.


What is best practice in operational risk management?

Your organization’s risk appetite will be unique, and it provides the overarching framework for your operational risk management. Your appetite will be influenced by the size and type of organization, its ability to exploit opportunities, its overall capacity for risk, and its ability to withstand disruptions and shocks.


Best-practice stages of operational risk management

When creating your organization’s unique operational risk management processes, there are best practice stages to undertake.

1. Risk identification

As discussed earlier, understanding your organization’s risks is the first and most vital step in managing them. How you gather this information may depend heavily on your structure and risks, but in general it needs to involve staff from all levels of the business, with different understanding and experience. This will give you the best opportunity to identify risks from the micro to the macro level.

2. Risk assessment

Once your risks have been identified, they must be assessed. You will need to understand the likelihood and frequency of occurrence, the possible or probable severity, the impact on the business operations, and more. This needs to end with a prioritization of those risks based on the factors you uncovered.

3. Mitigation

At this stage your risk managers will need to determine the controls that should be put in place to mitigate your organization’s risk exposure. In almost all cases, you won’t be able to eliminate risk exposure completely. However, the better the controls, the lower the risk of financial loss or operational disruption.

4. Monitoring and reporting

Ongoing monitoring and reporting are a vital part of your risk management plan. This is where you ensure that all risk activities are being undertaken and accomplished, and where you can see the gaps that may leave your organization vulnerable.


The best-practice elements of operational risk management

When it’s time to implement the processes, you should consider the needs of each of the main types of operational risk – people, processes, systems, external events, and compliance – and implement processes and systems to support those areas.

  • People risk management. This includes formalizing a set of policies and procedures to manage people risk, such as creating job descriptions for all staff and setting transparent remuneration policies.
  • Processes risk management. This includes formalizing a set of policies and procedures to manage process risks, including risk-tracking, insurance, reporting, and self-assessments. 
  • Systems risk management. This includes formalizing a set of policies and procedures to manage systems risk, including integrated information systems, mapping of risks, quarterly checks, and more.
  • External events risk management. This includes formalizing a set of policies and procedures to manage external risk events, including your outsourcing policy, security, and business continuity plan.
  • Legal and compliance risk management. This includes formalizing a set of policies and procedures to manage legal and compliance risk, including a code of ethical conduct, complaint handling, anti-money laundering policy, and a whistleblower policy.

The value of operational risk systems

Strong operational risk systems provide huge value to an organization, by: 

  • Improving the reliability, effectiveness, and performance of business operations.
  • Enhancing your ability to make risk-based decisions.
  • Improving the risk management capabilities across the organization.
  • Providing confidence on future investment opportunities or growth.


How to develop an operational risk management program

Leading organizations today are discarding what we can think of as a “rearview mirror” approach to operational risk management. Instead they are looking to implement operational risk systems that focus on business resilience, critical vulnerabilities, data-driven risk measurement, and real-time monitoring.

Your operational risk management software (or GRC risk management software) should be able to accomplish the following for you:

1. Seamless integration

Your solution must be able to be seamlessly integrated and implemented within your current organization. Great solutions, such as TriLine GRC by Ansarada, have the flexibility to build you a completely new operational risk program, or to automate and update your existing one, in order to ensure that your risk vulnerabilities are managed, and managed well.

2. Risk analysis

This includes creating an identification and assessment matrix (sometimes called an impact matrix) that brings together all operational risks into one integrated system.

3. Gap analysis

Ensure that all the policies and procedures you’ve implemented within the organization are optimal, and that monitoring, reporting, training, and education are all in place within the system.

4. Collaboration and communication

Your integrated operational risk management platform must allow for easy information access by the right stakeholders to ensure that there’s a level of granularity that allows users to be proficient in their roles with minimal downtime.



Take control of your operational risk management

Book a demo of TriLine GRC by Ansarada today.