What is Operational risk management?
Operational risk management (ORM) is a continual recurring process that includes risk assessment, risk decision making, and the implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of risk.
(ORM) is a way to get a holistic view of a company’s risk footprint throughout the supply chain—and everyone across the organization has a role to play in making an organization’s safety culture the best it can be.
Every organization faces circumstances or fundamental changes in its situation that can present varying levels of risk to that business, from minor inconveniences to a situation that could put the entire company at risk.
Examples of operational risk include:
- Employee conduct and employee error
- Breach of personal data due to cybersecurity attacks
- IT disruption
- Business processes and controls
- Physical events that can disrupt a business, such as natural disasters
- Internal and external fraud
- Talent Retention
- Organizational change
The Basel Committee on Banking Supervision has described the operational risk as: “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. As such, operational risk captures business continuity plans, environmental risk, crisis management, process systems, and operations risk, people-related risks and health and safety, and information technology risks.”
Operational Risk Management: Best Practices
Even though ORM is a compelling idea, several barriers make it challenging to manage operational risk: competing priorities, a lack of awareness, difficulty allocating resources, and an inability to perceive value in the operational risk framework.
The unavailability of standardized risk assessment processes and measurement methodologies, as well as complex ORM programs, can also hinder organizations’ ability to manage operational risk.
Regardless, by following these five best practices, organizations can begin to effectively manage operational risk and ensure business continuity:
Implement Risk Accountability
Every employee must be held accountable for risk management, although the extent can vary. Enterprise-wide accountability helps incorporate risk-based thinking into day-to-day activities and promotes a beneficial risk-aware culture.
Push ORM From the Top
Senior management must champion the risk management program for it to be truly effective.
Conduct Risk Assessments on a Regular Basis
Regular risk assessments help keep the enterprise risk profile up-to-date and allow ORM leaders to incorporate relevant changes without unnecessary delays.
Quantify and Prioritize Risks
All operational risks must be quantified in their probability, severity, and mitigation costs.
Implement Strong Controls
Controls and metrics help with the ongoing management and active mitigation of identified priority risks. Automation and artificial intelligence tools can perform continuous monitoring to reduce manual work.
These best practices provide a base for all businesses to start their ORM. Different industries may have additional considerations, whether a bank is trying to reduce operational risk, or a manufacturing facility is looking to maintain production continuity.
ORM Challenges
In a business environment defined by sustained market volatility and ever-increasing regulations, companies need the ability to integrate enterprise-wide risk management processes and multiple regulations. Firms are witnessing a dramatic increase in active first-line users—sometimes tens of thousands—scattered across the organization and using tools with inconsistent capabilities. These users require solutions that integrate the power of artificial intelligence (AI) with enhanced user experience to empower the first line, and all others within the organization.
IBM OpenPages Operational Risk Management (ORM)
OpenPages is a software solution that automates the process of identifying, measuring, monitoring, analyzing, and managing operational risk. The solution enables businesses to integrate risk data within a single environment. Examples of risk data include risk and control assessments, internal and external loss events, key risk indicators, and issue, action plan management.