Critical Capabilities for Operational Risk Management

Operational risk management is a crucial part of successfully running any organisation.

We live in an era of dramatic, improbable events that adversely affect the economy, the environment, the fate of household name companies and people’s welfare and health. At least, they seem improbable until they happen. Then they can appear inevitable.  Complexity makes them hard to predict: failed banks, industrial accidents, large scale regulatory breaches, corruption and law-breaking, poor governance and corporate collapses. As these calamities pile up on news desks, one begins to realise that situational awareness involves a greater effort than some organisations are capable of and sometimes the battle for control is simply lost. 

To put it aptly: The inability to predict outliers implies the inability to predict the course of history.” - Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable

The term operational risk management (ORM) is used by the Basel Committee on Banking Supervision to cover risks that are intrinsic to the operation of any business:

• Internal and external fraud
• Employee behaviour and workplace safety
• Market manipulation
• Product quality problems
• Fiduciary breaches
• Asset integrity
• Business disruption and systems failures
• Poor governance
• Process errors

The Basel Committee’s use of the term operational risk is very apt and probably the most useful definition. It can then be understood that enterprise risk management is a strategy that seeks to take a holistic or organisation-wide view of operational risks. For my money, the terms ERM, GRC and integrated risk management are interchangeable as all three imply a global strategy for ORM. 

The risk management journey

It is rare, and arguably unwise, for an organisation to go straight from ad hoc or no risk management to a complete ERM strategy. A more common journey is to move from ad hoc, fragmented systems to a more integrated and agile approach to risk that delivers lean resilience. Thoughtful, managed investment in information management systems is critical. What then are the basics?

According to Gartner, an IT industry analyst, there a number of critical capabilities that need to be taken into consideration for operational risk management. An organisation needs to have the ability to assess and document risks, preferably in a risk register. This is essentially a big list of undesirable events, their potential causes and consequences and the plans to mitigate them. Incident reporting tools that allow staff to raise the alarm at the earliest sign that something is wrong is also important.

In addition, there should be real-time monitoring of lead indicators, response automation tools that execute pre-planned activities when a risk threshold is breached and, lastly, the ability to quantify, analyse and report on risk so that the board and senior management has visibility of their risk exposure today. Are all the lights green? If not, why not?

The application of risk management software

Organisations that take risk seriously make great efforts to model and simulate the what-ifs. They provide staff with easy tools for raising alarms and expressing concerns, they monitor continuously for early warning signs and they are geared up to automatically respond to trouble. If that sounds like a whole different culture from the one you inhabit in your work, it might well be. Should you do something about this? Definitely.