Introduction
In a world fraught with externalities, as well as internal risks, an organisation’s overall resilience to such risks is defined by its Operational Risk Management. Operational Risk Management is relevant and essential for all organisations across all sectors and industries, as operational risks can fundamentally impact any organisation’s growth, financial stability, employee safety and core processes. Depending on the quantum of risk, these can result in anything from minor inconvenience to daily operations to severe disruptions to an organisation’s long-term operations and revenue. Operational Risk Management (ORM) includes the broad range of methods, internal policies and strategies that companies undertake to mitigate such risks, minimise damage, and ensure business continuity.
Navigating this complex risk landscape requires robust and adaptable solutions. Operational risk management platforms empower organizations to proactively manage risks by centralizing data, automating workflows, and leveraging advanced analytics. These platforms go beyond traditional, siloed approaches by facilitating:
Operational Risks
Operational Risks have various definitions, but essentially mean any set of risks that can impact the people, processes, and systems of an organisation, affect its business continuity and undermine its ability to create value. Operational Risks can be both internal and external.
Some internal risks include:
- Employee Conduct
- Employee Error
- Internal Fraud
- On-site Physical Safety
- Internal Breaches of Privacy
Some external risks include:
- Natural Disasters
- Breach of Privacy due to External Cyber Attacks
- Regulatory Changes that affect Business Practices
- Civil Unrest/Extremism that affects Physical Safety of Sites and Employees
What is Operational Risk Management
ORM is the robust and continuous methodology, consisting of various processes and frameworks, that an organisation implements in order to minimise operational risks and the impact thereof. It streamlines the organisation’s people, processes and core systems in order to protect business continuity, improve business resilience and mitigate losses, financial and otherwise. There are various stages of ORM, as follows:
- Risk Identification: Broadly understanding the sector or industry and its risks, as well as specific operational risks to the organisation.
- Risk Assessment: Assessing operational risks from quantitative and qualitative perspectives, so as to prioritise the level of risk based on factors such as likelihood and impact. The first two stages allow organisations to minimise their exposure to operational risks, especially those that are avoidable.
- Risk Measures and Risk Mitigation: Measurement of operational risk entails further metrics and indicators of risk depending on factors such as likelihood and impact. This is followed by mitigation measures, which are the robust set of protocols taken by the organisation to safeguard its people, processes, and systems against unavoidable risks.
- Risk Monitoring and Risk Reporting: The process of ORM must be constant and ongoing, for which organisations establish real-time as well as monitoring and reporting measures. These processes also allow for long-term operational risk forecasting.
To illustrate how these stages work, let us consider the example of a natural disaster, such as flooding. The identification process for broader risks will entail research into how flooding impacts the operations of a given industry and how it disrupts production processes and output. To identify the risk to the organisation, research will be undertaken into the propensity for floods at physical sites, or how floods may affect the employees. In the assessment stage, further research will be done into impending floods, the quantum of risk they may pose and so on, based on meteorological predictions and historical data. In the third stage of measures and mitigation, the organisation may decide to mitigate avoidable risks to employee safety by suspending physical operations ahead of an impending flood and safeguarding the physical site. At the same time, it may take additional mitigation measures for unavoidable damages that the flood may cause. In the final stage, the organisation will monitor the flood in real-time and keep a chain of internal reporting so that all employees and processes are streamlined to respond accordingly in real-time. Furthermore, monitoring and reporting will also help the organisation with forecasting and long-term mitigation measures for floods in that particular region, and at that particular site.
What is Operational Risk Management in Banks?
ORM originated as a risk mitigation strategy used by banks and financial institutions, and has since been adopted by other organisations. The banking industry has always faced complex operational risks in each segment of its operations. To address these challenges, banks employ comprehensive ORM frameworks that incorporate risk identification, assessment, mitigation, and monitoring processes for each segment, such as credit operations, market activities, asset management, and regulatory compliance. The Basel Committee on Banking Supervision (BCBS) has made a comprehensive categorisation of risks. One example of an operational risk category in banks is “fraud”, which includes internal fraud, such as theft and unauthorised activity by bank employees, as well as external fraud, such as credit card fraud by third parties. The BCBS has also devised best practices for ORM in banking, which are similar to the stages of ORM described above.
The Importance and Future of ORM
ORM is assuming greater importance in business operations on account of several factors, most significantly the increased diversity and multiplicity of risks being faced by organisations. In the past five years, black swan events such as the COVID-19 pandemic, the Russia-Ukraine war and the Israel-Gaza conflict have demonstrated that global health and geopolitical events present significant external operational risks. Organisations have also witnessed increased internal risks on account of emerging trends of corporate espionage and increased vulnerabilities in internal processes. At the same time, the frameworks of ORM have also been greatly strengthened, and have emerged as critical components of business operations. ORM is being enhanced by digital, data, and artificial intelligence (AI)-driven tools. As global operations move towards sustainability and attempt to strengthen their compliance measures, there is also increasing integration between the corporate processes of ORM and compliance, in what are known as governance, risk and compliance (GRC) frameworks. ORM will thus be an increasingly critical part of business operations, given current and future business climates.