
Operational risk management 101

Learn why operational risk management is a fundamental element in your organisation's risk profile and management.

What is operational risk?

Operational risk is a relatively new niche within the business GRC environment. Operational risk was set out as its own distinct category between 1999 and 2001, when the Basel Committee on Banking Supervision (BCBS) released a series of papers on the subject (updated as of 2021). Of course, banks, financial institutions, and many other organisations have been aware of the risks associated with operational activities for far longer, and operational risk management in financial institutions is a vital part of their ongoing strategy.

Today operational risk is a fundamental part of every organisation’s risk profile and management. However, because it is still a developing discipline, losses from operational risks often remain high. In addition, the rise in losses that followed the 2008 financial crisis continues today.

It’s vital that your operational risk management processes are designed to keep up with the dynamic environment of operational risk in order to protect your organisation now and into the future.

Definition of operational risk

The BCBS’ operational risk definition is, “The risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.”

As you can see from this definition, there is a vast array of potential operational risks, and they can (and will) occur at every level of an organisation. The problem is that many of the individual risks are very small – such as a loss from a minor human mistake – which makes them less visible and more difficult to manage.

On the other hand, sometimes the risk may be very large – such as bankruptcy from fraud. Managing these competing risks can make operational risk management a tricky business.

What is the objective of operational risk management?

The primary objective of operational risk management is quite simple – to mitigate the risks that could possibly or probably arise from the day-to-day operations of the organisation.

Five main types of operational risks

1. People risks

These are errors, mistakes, omissions, failures, or even unethical or fraudulent actions taken by employees or external people that lead to financial losses or negative performance. It also includes an organisation’s ability to attract, manage, develop, engage, and retain competent human resources with the right array of capabilities.

2. Process risks

These are failed internal business processes (such as product design flaws) across every part of an organisation that lead to financial loss or negative performance.

3. Systems risks

These risks relate to failed internal systems, such as IT, which result in financial losses and negative performance outcomes. This includes a wide range of systems, such as power backup systems, information management, communications, and more.

4. External events risks

External events risks are typically outside of an organisation’s control, but lead to business disruption, financial losses and negative performance. They can include pandemics, natural disasters such as flooding or earthquakes, and man-made events, such as terrorist attacks.

5. Legal and compliance risks

These risks include all those that relate to non-compliance with required laws, regulations, and even internal requirements, and that lead to the risk of financial loss and negative organisational performance.

Examples of operational risk

  • Business disruption

  • Product failures

  • Supply chain disruption

  • Employee or capability loss

  • Litigation

  • Failure of internal systems – such as IT

  • Fraud or unethical behaviour

  • Health and safety

  • Natural disasters

  • Non-compliance with regulations


What is operational risk management?

Operational risk management is simply the process of understanding and managing the risks that your organisation might be exposed to in the process of operating towards its objectives.

For our purposes, we see these risks in the categories set out above – people, process, systems, external, and compliance risks – so, in general, we look to manage each of these categories.

Approaches to identifying operational risks

The first step is, of course, identifying your operational risks. This can be done via a top-down approach to risk identification, which begins with the most senior management, or via a bottom-up approach, which is usually handled by supervisors or mid-level management.

In the first case, senior management collaborate on scenario generation exercises in which they brainstorm possible or probable risks and the response the organisation would then take.

In the second approach, process mapping and interviews (among other things) may be undertaken to understand the operations at a granular level and to work out ways to strengthen the operations where they are most vulnerable.

Both approaches strive to identify the most common threats to the organisation. However, the top-down approach is focused primarily on macro risks, while bottom-up is focused primarily on micro risks. Both are important and to truly manage operational risk well, both need to be understood and identified.

Once your operational risks are identified, you are able to move on to operational risk management best practices for overseeing them.

What is best practice in operational risk management?

Your organisation’s risk appetite will be unique, and it provides the overarching framework for your operational risk management. Your appetite will be influenced by the size and type of organisation, your ability to exploit opportunities, your overall capacity for risk, and your ability to withstand disruptions and shocks.

When creating your organisation’s unique operational risk management processes, there are best practice stages to undertake, outlined below.

1. Risk identification

Understanding your organisation’s risks is the first and most vital step in managing them. How you gather this information may depend heavily on your structure and risks, but in general it needs to involve staff from all levels of the business, with different understanding and experience. This gives you the best opportunity to identify risks from the micro to the macro level.

2. Risk assessment

Once your risks have been identified, they must be assessed. You will need to understand the likelihood and frequency of occurrence, the possible or probable severity, the impact on the business operations, and more. This needs to end with a prioritisation of those risks based on the factors you uncovered.

3. Mitigation

At this stage your risk managers will need to determine the controls that should be put into place to mitigate your organisation’s risk exposure. In almost all cases, you won’t be able to eliminate risk exposure completely. However, the better the controls, the lower the risk of potential financial loss or operational disruption.

4. Monitoring & reporting

Ongoing monitoring and reporting are a vital part of your risk management plan. This is where you ensure that all risk activities are being undertaken and completed, and where you can see gaps that may leave your organisation vulnerable.

Best-practice elements of operational risk management

When it’s time to implement the processes, you should consider the needs of each of the main types of operational risk – people, processes, systems, external events, and compliance – and implement processes and systems to support those areas.

  • People risk management. This includes formalising a set of policies and procedures to manage people risk, such as creating job descriptions for all staff and setting transparent remuneration policies.

  • Processes risk management. This includes formalising a set of policies and procedures to manage process risks, including risk-tracking, insurance, reporting, and self-assessments.

  • Systems risk management. This includes formalising a set of policies and procedures to manage systems risk, including integrated information systems, mapping of risks, quarterly checks, and more.

  • External events risk management. This includes formalising a set of policies and procedures to manage external risk events, including your outsourcing policy, security, and business continuity plan.

  • Legal and compliance risk management. This includes formalising a set of policies and procedures to manage legal and compliance risk, including a code of ethical conduct, complaint handling, anti-money laundering policy, and a whistleblower policy.

The value of operational risk systems

Strong operational risk systems provide huge value to an organisation, by:

  • Improving the reliability, effectiveness, and performance of business operations.

  • Enhancing your ability to make risk-based decisions.

  • Improving the risk management capabilities across the organisation.

  • Providing confidence on future investment opportunities or growth.

How to develop an operational risk management program

Leading organisations today are discarding what we can think of as a “rearview mirror” approach to operational risk management. Instead they are looking to implement operational risk systems that focus on business resilience, critical vulnerabilities, data-driven risk measurement, and real-time monitoring. Your operational risk management software (or GRC risk management software) should be able to accomplish the following for you:

1. Seamless integration

Your solution must be able to be seamlessly integrated and implemented within your current organisation. Great solutions like Drova have the flexibility to build you a completely new operational risk program, or automate and update your existing one, in order to ensure that your risk vulnerabilities are managed, and managed well.

2. Risk analysis

This includes creating an identification and assessment matrix (sometimes called an impact matrix) that brings together all operational risks into one integrated system.

3. Gap analysis

Ensure that all policies and procedures you have implemented within the organisation are optimal, and that monitoring, reporting, training and education are all in place within the system.

4. Collaborate & communicate

Your integrated operational risk management platform must allow for easy information access by the right stakeholders to ensure that there’s a level of granularity that allows users to be proficient in their roles with minimal downtime.

Take control of your operational risk management

Connect data points across your entire organisation to eliminate risk silos and improve operational risk management and resilience with Drova.
