When you’re completing a jigsaw puzzle, it is a lot easier to grasp how the pieces fit together if you have a picture of the completed puzzle to go by.
By the same token, it would be easier for an organization to implement a program to manage operational risk if it had access to an overview of just what such a program would look like.
In today’s post, I am going to provide just such an overview, in the form of a high-level description of the Operational Risk Management (ORM) lifecycle.
I hope this nudges your organization toward considering implementing a program to manage operational risk, if you do not have one already.
Before we begin, here are a few basics about operational risk, in case the topic is new to you or you need to refresh your memory.
Operational Risk, Defined
Operational risk is the possibility that things might go wrong as your organization goes about its business. It reflects the unavoidable fact that assets, processes, and people can fail. Such failures can lead to consequences for the business ranging from negligible to sizable to catastrophic.
Here are a few examples of operational risk:
- One of your organization’s computers might fail, costing a day’s work for the employee using it and necessitating overtime to catch up.
- A manager responsible for estimating the time and resources needed to complete a task might underestimate the task’s complexity, leading to project overruns.
- One of your buildings might experience a problem that leads to its being declared unsafe, requiring the occupants to evacuate.
(Operational risk is often seen as being relevant only to banks and the financial industry, but as you can see from the above examples, such risk and the importance of managing it are not limited to those sectors.)
ORM is the process of managing all elements that fall within the organization's operational responsibility. These include:
- Process and procedural robustness and integrity
- People, skills, and training
- Insurance and self-insurance
- The supply chain, outsourcing, and inherent risk
- Infrastructure, systems, and telecommunications
- Physical and information security
Note: Operational risk is recognized as being distinct from market risk and credit or trade risks.
So how do we manage operational risk? In short, we must figure out a way to measure, prioritize, monitor, and reduce our exposure to potential negative events.
The ORM lifecycle is divided into five stages. So if your organization were to implement an operational risk management program, you would be looking to create a program that encompasses all of those stages.
ORM is a potentially significant undertaking, one demanding a high level of control, backing, structure, and overall program design in order to ensure success. Careful program design is important to make sure the measures you implement are in alignment with your other corporate initiatives.
The Business Impact Analysis (BIA) is a tool used to determine the organization’s tolerance and characteristic pattern of loss arising from a disruption to specific processes. The resulting data establishes timeframes for recovering functions, processes, and systems and is also used in risk assessment. (For more on BIAs, see this recent post.)
Risk Assessment involves collecting data relating to people, processes, systems, and environmental circumstances. The assessment combines the loss figures from the BIA with probability data to rank the gaps that need closing, justify the cost of controls, and guide the search for mitigation strategies.
The Business Continuity Plan (BCP) provides the ultimate backstop where risk mitigation measures have failed or were inappropriate and the organization faces a potential disaster. The BCP identifies what people, processes, systems, and other structures must be provided to the company in a timely fashion to ensure its survival.
Assurance is a set of activities that help ensure that your continuity provisions actually work. One of these is training that encourages the organization's staff to deepen their understanding of risk and continuity issues and to become familiar with the aspects of risk that could affect them. Another is periodic reviews or audits, which confirm that your continuity provisions still reflect the needs of the business. Finally, rehearsal and testing provide a controlled means of simulating real incidents, enabling you to find and fix problems under safe conditions rather than during an actual disruption.
This concludes our brief introduction to operational risk management and the ORM lifecycle.
Consider this blog post the picture on the cover of the jigsaw puzzle box, which can help your organization quickly comprehend the basics of an ORM program and begin envisioning and implementing one, if you do not have one already.