What is operational risk management (ORM)?
Operational risk management or ORM, as we consider it here, is the management of the business’s ongoing processes (for example the risk that a production line may stop). We are not considering just the traditional operational (financial) risks such as market risk or credit risk as is common in financial institutions.
Improper operational risk management can cause a serious breakdown of business continuity, like the risk of fraud to a bank’s payment system, which can lead to major losses.
Operational risk management is a safeguard that works not only to keep business continuity in check but also to protect the business’s reputation (how the business is viewed by the public).
Historically, ORM has not been easy to define, and it was only in 2006 that the Basel Committee on Banking Supervision officially referred to it as: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
ORM includes all risk assessment measures (including self-assessments) of the business’s ongoing processes, event management, risk decision-making, implementation of risk controls, and key risk indicators to find out the inherent risk exposures to the business operations. It can then keep an eye on them and prevent them from happening.
How are ORM risks defined?
Operational risks are characterised by how frequently the identified risk occurs (how many times a year a component is likely to fail), based on historical data.
Many organisations will also include projects under the heading of operational risk, but this is often not a good idea, as one-off business projects and programmes do not have historical data, due to the “one-off” nature of the project. Operational risks which have implications for wider business strategy are escalated to the strategic level.
Why is operational risk management important?
An operational risk management framework is important because it can lead to informed business and investment decisions. This is especially effective if the ORM is tied to the business’s operational risk appetite. An operational ‘risk appetite’, essentially, is the amount and type of risk that an organisation is willing to take in order to meet its operational objectives.
Inefficient business processes or supply chains inevitably waste money, and even more so if these processes break down. Most organisations rely on having good people with a clear understanding of business processes. Problems can arise if these processes are new or complex; if a key member of the team leaves, or if the specific competencies of a team are in doubt.
Businesses will often respond to situations like this by instigating some generic operational risk management process or operational risk framework. These may be simple or sometimes quite complex, but they all tend to suffer from the same problem – they are all reactive rather than pro-active.
When the financial institutions crashed in 2007-08, one of the driving forces behind the disaster was a lack of ORM. There was too much focus on ‘traditional’ risk management at the expense of operational risk management. This created a climate of decision-making in which operational risks were not prioritised correctly or were overlooked entirely. As you might have noticed, the reputational damage caused by the financial crash has had a large impact on popular culture. This loss of reputation is also one of the reasons why ORM is growing rapidly in the financial services industry, in an effort to prevent such a crisis from happening again.
Examples of ORM failures
In today’s increasingly connected world, targeted and advanced threats are on the rise across all industries, and companies rely more than ever on systems that can be misused or breached. Here are some notable ORM disasters that you may have heard of:
- British Airways — In the last couple of years, BA has suffered multiple operational failures that have resulted in the shutdown of the airline from hours to days. The failures have been traced to ageing systems, systems mismatches and inadequate procedures, all of which could have been avoided with effective operational risk management processes.
- Hewlett Packard — This company was sued by its own shareholders who accused it and its executives and directors of negligence during its takeover of the software company Autonomy Corporation. The result was close to a $9bn write-down. Many more billions were lost when the stock price fell off a cliff, and again later in losses and court fees that had to be paid to the shareholders.
- Target — This popular chain store in the United States was hit by a cybersecurity breach, in which hackers stole over 70 million individual customers’ data. The result was a 46 per cent drop in net income for the 4Q13 period and a loss of over $4bn. After the incident, Standard & Poor’s downgraded Target, and the CEO had to resign.
- Credit Agricole — A combination of human error, technical problems, and a programming glitch meant that nearly 350,000 double payments totalling $4.6bn were processed and subsequently lost.
- Sony Pictures — Over 77 million network accounts were breached, and millions lost in revenue.
In the case of Sony, it is also worth noting that persistent threats can even include nation-state sponsored attacks. It is alleged that a North Korean group targeted Sony in revenge for a motion picture film licensed under Sony that made fun of the nation’s former leader, Kim Jong Un.
Why do “traditional” risk processes fail, and why is De-RISK operational risk management better at guiding business decisions?
Traditional risk processes are not as reliable as ABCD operational risk management and tend to fail for the following reasons:
- The generic risk statements they produce communicate little information so that teams and risk managers tend to misunderstand potential risks.
- The inability to “force” communication means that the operational risks are fully understood by the collective team but this knowledge is not harnessed effectively.
- They can “over-analyse” — often this takes the form of using unsubstantiated quantified data that makes for distracting scenario analyses.
- They can also “under-analyse” — using High/Medium/Low (HML) type scales or pseudo-numerical “soft-scoring” that can give totally misleading prioritisations.
- Traditional risk management can also inappropriately prioritise operational risks, leading to poor business decision-making.
Traditional risk management can also fail to get team members or employees to act proactively on risks so that action only takes place when they have become major issues.
The three levels of operational risk management
There are three types of ORM, which are part of an overall enterprise risk management process: ‘In-depth’, ‘Deliberate’, and ‘Time-Critical’.
- In-depth is the most encompassing type, which includes far-in-advance planning, staff training, and the implementation of new policies and procedures.
- Deliberate ORM is undertaken at various stages in the life cycle of a project, as a sort of pulse-checker. ‘Deliberate’ ORM can take the form of safety checks and performance reviews.
- Time-Critical operational risk management is used when there is precious little time during operation changes to implement a framework. The time-critical method is a great way of identifying and moving against risk events quickly when there are many demands for management’s attention. For this reason, the Time-Critical method is commonly used in the Armed Forces.
The potential challenges of operational risk management programs
It is common for senior management and risk managers to have questions about ORM, including: “What is the strategic management of operational risk that my firm should adopt?”. Here are some of the potential challenges that ORM brings to the table:
- Increased compliance and regulatory requirements. ORM models can be complicated and take a lot of time. (Although some claim that compliance costs actually fall with proper implementation.)
- ORM requires the development of ‘loss databases’. This means a well-structured risk framework must be completed to capture operational risk losses. Compliance organisations such as Basel require a minimum of three years of data for initial implementations and five years for more advanced measurement approaches. It is this historical data requirement that challenges many businesses.
- Meeting the requirements, such as getting the necessary operational risk capital, can be difficult. A lot of organisations are measuring risk, but are not actually meeting the quantification requirements of the regulatory risk and compliance bodies.
- There needs to be an operational risk appetite at the top. If some members of senior management fail to appreciate or understand ORM, then this lack of support could have consequences for its implementation and success.
What to think about when building a framework for operational risk
An operational risk management framework must be able to identify, assess, monitor and report any of the risks that the organisation may be exposed to both now and in the future, and any subsequent business continuity plans. It should lay the foundations for internal controls (and therefore a control environment) to keep any risks at bay, and at acceptable levels. Once implemented, it should occupy a place at the heart and centre of the risk management practices and risk culture of the business.
There’s no perfect ORM framework for every business — as every organisation is different. But all ORM frameworks should aim at improving the general risk culture — they should also be cohesive, consistently applied, and well-embedded into the business practices.
“Embedding” is the process of ensuring that all business line actions and all decisions are demonstrably influenced by the information gleaned from risk management considerations. In larger organisations, the overall framework may have to be managed in different parts and even by different teams. In all such cases, cross-communication is key.
How De-Risk can help you and your risk managers with their operational risk profile
Risk management by nature is a bit of a negative occupation. It can make people think too negatively.
In our experience, assumption-based risk management processes are the most effective way of identifying, analysing and managing the underlying risks to any business process. Our approach brings with it a number of benefits:
- The ABCD (Assumption Based Communication Dynamics) method focuses on ‘assumptions’ and not ‘risks’; this removes the negative psychology from the framework.
- By focusing on assumptions (i.e. what needs to happen in order for the business to be successful), people are more likely to think ahead, and therefore potential problems are anticipated rather than ignored.
- Assumptions are the root cause of any risk and are therefore easier to manage than the symptoms and effects of the risk itself.
- ABCD implements a meaningful analysis that provides a true insight into how your team perceives its business processes.
- ABCD provides clear prioritisation at all levels in the business, along with clear routes for risk escalation to mitigate operational loss.
- The process also ensures follow-through on actions via simple but effective governance structures and processes. This also helps to deal with residual risk.