Operational Risk Management Awareness

Operational risk management is the process of managing, controlling and mitigating operational risks. It is best understood as an ongoing activity that requires work across a range of disciplines including finance, internal audit, information security and corporate governance. The key element to operational risk management is identifying and addressing what could potentially go wrong in a business by using methods such as planning, monitoring and reviewing performance measures.

In order to manage this process effectively we need people who are well-versed in all aspects of the day-to-day working environment: Finance Officers; Internal Audit Specialists; Information Security Professionals; Risk Managers and Business Continuity Professionals. In addition to these diverse disciplines we need people who have the aptitude to see the bigger picture, including business owners and senior managers. This paper will introduce the basics of operational risk management and explore the types of roles that are needed in order to support a sound approach.

Operational Risk Management (ORM) is an important part of organisations that are looking to ensure their overall financial health and address operational risks that may present themselves. ORM is a constant process, meaning it requires continual attention over time. There are different ways of managing ORM: through planning, monitoring or reviewing performance measures. All require various types of specialists with varied skill sets who can best contribute towards its success. However, ORM is more than just financial metrics and reports; it must also take into consideration other factors such as risk allocation, industry and country regulations.

While there are many aspects of ORM that need careful consideration, this paper will only focus on the finance aspect of the function. This covers what types of insurance products are available to cover operational risks, how to construct a budget for this and when it should be reviewed. For example, insurance should usually not be used in situations where the risk is too great or where an ability to recover from the event is unlikely.

There are three main types of risk that strain an organisation: political, environmental and operational. These are key points to consider when looking at ORM:

The political risk is usually a consequence of a threat from terrorists, guerrilla warfare and civil unrest. Terrorism, for example, is considered to be a threat to IT systems or the physical assets which can lead to financial losses due to theft and damage.

The environmental risk refers to natural disasters such as earthquakes or flooding. Natural disasters can also disrupt supply chains, significantly impacting on the performance of manufacturing and service companies dependent on imported raw materials or components.

Operational risks are usually identified as unpredictable events affecting an organisation's ability to function normally in the short term and long term. For example a disruption of a production line due to an issue with a component may be considered a high-risk event. An unexpected delay in shipping raw materials may be considered an operational risk that could result in financial losses.

The time and cost involved in managing the ORM function are substantial. The ORM function is the first line of defence for protecting the organisation and preventing financial loss or damage to reputation or goodwill. However, having good risk management and controls does not guarantee that your business will not suffer financially, it does however give you a much higher chance of avoiding this happening, which is why it's so important to involve various business stakeholders in the process if possible. It is crucial to remember that the earlier you identify risks, the easier and less costly it is to rectify them.

The following are some of the key roles needed in an ORM function:

Fundamental to ORM is the need for strategic thinking and planning. Risk management strategies should be prepared upfront, which means early identification of specific risk triggers that may impact a business, followed by a sober assessment of appropriate responses. Planning is needed so businesses are able to address issues before they arise as well as after they occur. A framework for continuous improvement should be established and maintained through various risk-based audits, processes and training programs.

There are six key steps in the ORM process:

It is important to distinguish between operational and financial risks when looking at business strategy. This will help organisations to make better operational choices so they can improve their financial performance. Financial risks arise as a result of uncertainty in the business environment, whereas operational risks are determined by within-business processes or behaviour. A good example of this is Target's recent data breach that occurred during the 2013 holiday season. The company had been experiencing problems with its supply-chain management system before it was hacked, triggering huge losses for the company and affected stakeholders 

A mature ORM function will not only address these issues but also create a strategy that allows an organisation to position itself for success.

There are various ways to reduce the burden of the ORM function. Operations risk management can be done by using a risk-based budgeting tool, like Value Line's Business Risk Management Software. This approach involves identifying business risks in an ongoing way and integrating them into the budget. This allows companies to have an in-depth understanding of their financial risks and also help determine ways to manage these potential costs.

In addition, organisations can increase operational efficiency by looking at training programs that could help employees become more alert to potential problems in their workplace. Through such training programs, employees will learn how to seek out information regarding possible threats or events that may impact on profitability, customer service and other key metrics defined by an organisation's strategic plan.

Finance department is also important in management of the ORM function. An auditing team evaluates the effectiveness of the company's risk management system by looking at different areas such as risk assessment and risk communication. The studies also examine the organisation's financial results, comparing them to actual incidents to determine whether each event was properly managed.

Businesses must balance various factors when it comes to preparing their budget for ORM. One of these is an organisation's ability to recover from an event, which can be measured using insurance coverage and deductibles. Since insurance is a form of financial protection, it can also influence your budget for ORM as it becomes increasingly more expensive for companies with a high demand for coverage. In addition, businesses need a method to identify the financial impact of an event to help them determine priorities. This is why a well-designed risk assessment tool is highly beneficial.

There are three main steps in the creation of risk assessments:

The ORM function strives to achieve many goals at once and should avoid trying to take on too many responsibilities. Therefore, it's important that employees also have access to supporting information and resources, including training courses that will help them perform their ORM role more effectively. As always, it's important for businesses to assign this function appropriately within the organization so they do not fall victim to potential issues.

Bibliography

"How Risk Management Can Help Your Company Grow".

Conclusion

As we can see, ORM is the process by which companies manage the various risks they face in their business. For many companies, this is their first line of defence against potential financial harm. However, in order to be effective, an ORM function should have strong collaborative partnerships with other departments in the business. This idea was also touched upon earlier as it's important for an ORM team to have access to proper IT and procurement resources, as well as being able to effectively communicate with employees and stakeholders about ongoing threats or risks.