Critical Capabilities for Operational Risk Management
Operational risk management is a crucial part of successfully running any organisation.
We live in an era of dramatic, improbable events that adversely affect the economy, the environment, the fate of household name companies and people’s welfare and health. At least, they seem improbable until they happen. Then they can appear inevitable. Complexity makes them hard to predict: failed banks, industrial accidents, large scale regulatory breaches, corruption and law-breaking, poor governance and corporate collapses. As these calamities pile up on news desks, one begins to realise that situational awareness involves a greater effort than some organisations are capable of and sometimes the battle for control is simply lost.
To put it aptly: The inability to predict outliers implies the inability to predict the course of history.” - Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable
The term operational risk management (ORM) is used by the Basel Committee on Banking Supervision to cover risks that are intrinsic to the operation of any business:
- Internal and external fraud
- Employee behaviour and workplace safety
- Market manipulation
- Product quality problems
- Fiduciary breaches
- Asset integrity
- Business disruption and systems failures
- Poor governance
- Process errors
The Basel Committee’s use of the term operational risk is very apt and probably the most useful definition. It can then be understood that enterprise risk management is a strategy that seeks to take a holistic or organisation-wide view of operational risks. For my money, the terms ERM, GRC and integrated risk management are interchangeable as all three imply a global strategy for ORM.
The risk management journey
It is rare, and arguably unwise, for an organisation to go straight from ad hoc or no risk management to a complete ERM strategy. A more common journey is to move from ad hoc, fragmented systems to a more integrated and agile approach to risk that delivers lean resilience. Thoughtful, managed investment in information management systems is critical. What then are the basics?
According to Gartner, an IT industry analyst, there a number of critical capabilities that need to be taken into consideration for operational risk management. An organisation needs to have the ability to assess and document risks, preferably in a risk register. This is essentially a big list of undesirable events, their potential causes and consequences and the plans to mitigate them. Incident reporting tools that allow staff to raise the alarm at the earliest sign that something is wrong is also important.
In addition, there should be real-time monitoring of lead indicators, response automation tools that execute pre-planned activities when a risk threshold is breached and, lastly, the ability to quantify, analyse and report on risk so that the board and senior management has visibility of their risk exposure today. Are all the lights green? If not, why not?
The application of risk management software
Organisations that take risk seriously make great efforts to model and simulate the what-ifs. They provide staff with easy tools for raising alarms and expressing concerns, they monitor continuously for early warning signs and they are geared up to automatically respond to trouble. If that sounds like a whole different culture from the one you inhabit in your work, it might well be. Should you do something about this? Definitely.
In the risk management software industry we talk about operational maturity. Just because you’re not aware of a problem doesn’t mean that it isn’t your responsibility. Organisations that invest in operation risk management software do so primarily to protect the public and their own people as well as their finances and reputations from the threat of unforeseen, improbable damaging events. The payoff is that doing so makes them more efficient: safety and efficiency are two sides of the same coin. Anyone who’s ever tripped over in an untidy workshop knows that.
Being proactive about risk means never feeling comfortable again. But then surely that degree of bother is preferable to causing harm and ending up on the front pages or worse?
At Ideagen, we provide robust software solutions for managing and improving operational risk. Our products are designed to evidence governance and compliance while improving your operational processes. Find out more about how our software can take your operational risk management to the next level.