Operational Risk Management
What is Operational Risk Management?
Operational risk encompasses all risks faced by an organization during the course of its daily business functions. The root causes of all operational risks fall into 5 main buckets:
- External – threats from people, entities, and environments outside the business, like financial markets and cyber attackers
- Processes – risks associated with flawed/failed internal processes and operations
- People – risks related to employees of the organization
- Relationships – vulnerabilities related to relationships with vendors, customers, etc.
- Systems – disruptions in technology or data, resulting from either failed or misused systems
Operational risk management is the series of activities and processes an organization undertakes in order to mitigate the risks mentioned above. Some organizations, particularly banks, tend to classify enterprise-wide risks under “operational risk,” making ORM synonymous with enterprise risk management (ERM).
Who is Vulnerable to Operational Risk?
Operational risk is inherent to all processes: product development, daily facilities maintenance, systems upkeep and upgrades, etc. Financial institutions like banks and bank holding companies (BHCs – corporations that control one or more banks) experience heightened operational risk through financial risks and tools such as financial models, discussed below.
However individual organizations choose to understand operational risk (as synonymous with enterprise risk or as focused mostly on processes, people and systems risks), it is always a very broad category. Since every business has daily operations, every business is vulnerable to operational risk. By extension, every organization should also have a sound operational risk management program.
As mentioned above, financial institutions must manage an additional subset of operational risk that organizations in other industries don’t: model risk.
Model risk results from the possibility that financial models (which simulate and test for a variety of financial situations and market conditions) stop functioning correctly. For more detailed information about model risk and how to mitigate it, view our other plugin, Model Risk Management.
Risk and Control Self-Assessments (RCSAs)
Formalized operational risk management is often known within organizations (particularly financial institutions) as a “risk and control self-assessment,” or RCSA.
An RCSA is an internal process by which management and staff – at all levels and across all silos – identify risks, evaluate their impact and likelihood, and monitor associated controls (mitigation activities).
The RCSA process covers the entire risk management spectrum, beginning with the identification and assessment of risks, followed by the design of risk mitigation strategies and controls, the collection of risk management metrics, and finally the longer-term usage of risk dashboards and reports.
Risk Management Software Tools
Streamline operational risk management (ORM).
Risk management software provides tools and resources designed to improve the entire ORM process, from pushing out risk assessments and using pre-built, configurable content to tracking key metrics and customizing reports for various stakeholders.
The LogicManager Platform Provides:
The platform’s Taxonomy library contains built-in content and templates and allows for easy customization/additions. It allows departments to connect operational risk events, determining common root causes and tailoring the mitigation process.
Maintain centralized repositories of all organizational elements, including:
- Risks (both outstanding & mitigated)
- Regulatory Requirements and frameworks
- Relationships with vendors & other third parties
- Application & IT asset management
- Physical assets and facilities
- Policy management software
- Organizational performance objectives
The system also offers:
- Pre-built, configurable content
- Industry-specific risk libraries
- Risk assessment templates
- Best-practice questionnaires
- Metrics tracking, testing, and monitoring
- Templates for both key risk indicators (KRIs) and key performance indicators (KPIs)
- Set risk tolerances and track trends to uncover divergences before they have an impact
- Powerful risk management software
- Cascading fields
- Automatic alerts, notifications, and forward-looking metrics
- Integration capabilities: API integration, LDAP, easy data upload functionalities, SSO technology
- Robust reports and dashboards
- Prebuilt reports
- A powerful, intuitive reporting engine for custom reports