Operational risk management
Encyclopedia
The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk
, including the risk
of loss resulting from inadequate or failed internal processes and systems; human factors
; or external events.
Deliberate: Deliberate risk management is used at routine periods through the implementation of a project or process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks.
Time Critical: Time critical risk management is used during operational exercises or execution of tasks. It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Examples of tools used includes execution check-lists and change management
. This requires a high degree of situational awareness.
defines the risk management process in a four-step model:
This process is cyclic as any changes to the situation (such as operating environment or needs of the unit) requires re-evaluation per step one.
1. Assess the situation.:
The three conditions of the Assess step are task loading
, additive conditions, and human factors
.
2. Balance your resources.:
This refers to balancing resources in three different ways:
3. Communicate risks and intentions.:
4. Do and debrief. (Take action and monitor for change.):
This is accomplished in three different phases:
Most complex financial institutions have a Chief Operational Risk Officer. The position is also required for Banks that fall into the Basel II Advanced Measurement Approach "mandatory" category.
failure and the implementation of the Sarbanes-Oxley Act
has caused several software development companies to create enterprise-wide software packages to manage risk. These software systems allow the financial audit
to be executed at lower cost.
Forrester Research
has identified 115 Governance, Risk and Compliance vendors that cover operational risk management projects. Active Agenda
is an open source
project dedicated to operational risk management.
Operational risk
An operational risk is, as the name suggests, a risk arising from execution of a company's business functions. It is a very broad concept which focuses on the risks arising from the people, systems and processes through which a company operates...
, including the risk
Risk
Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
of loss resulting from inadequate or failed internal processes and systems; human factors
Human factors
Human factors science or human factors technologies is a multidisciplinary field incorporating contributions from psychology, engineering, industrial design, statistics, operations research and anthropometry...
; or external events.
Four Principles of ORM
The U.S. Department of Defense summarizes the principles of ORM as follows:- Accept risk when benefits outweigh the cost.
- Accept no unnecessary risk.
- Anticipate and manage risk by planning.
- Make risk decisions at the right level.
Three Levels of ORM
In Depth: In depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Examples of in depth methods include training, drafting instructions and requirements, and acquiring personal protective equipment.Deliberate: Deliberate risk management is used at routine periods through the implementation of a project or process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks.
Time Critical: Time critical risk management is used during operational exercises or execution of tasks. It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Examples of tools used includes execution check-lists and change management
Change management
Change management is a structured approach to shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at helping employees to accept and embrace changes in their current business environment....
. This requires a high degree of situational awareness.
In Depth
The International Organization for StandardizationInternational Organization for Standardization
The International Organization for Standardization , widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded on February 23, 1947, the organization promulgates worldwide proprietary, industrial and commercial...
defines the risk management process in a four-step model:
- Establish context
- Risk assessment
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment
- Monitor and review
This process is cyclic as any changes to the situation (such as operating environment or needs of the unit) requires re-evaluation per step one.
Deliberate
The U.S. Department of Defense summarizes the deliberate level of ORM process in a five-step model:- Identify hazards
- Assess hazards
- Make risk decisions
- Implement controls
- Supervise (and watch for changes)
Time Critical
The U.S. Navy summarizes the time critical risk management process in a four-step model:1. Assess the situation.:
The three conditions of the Assess step are task loading
Task loading
Task loading in Scuba diving is a term used to refer to a multiplicity of responsibilities leading to an increased risk failure on the part of the diver to undertake some key basic function which would normally be routine for safety underwater....
, additive conditions, and human factors
Human factors
Human factors science or human factors technologies is a multidisciplinary field incorporating contributions from psychology, engineering, industrial design, statistics, operations research and anthropometry...
.
- Task loading refers to the negative effect of increased tasking on performance of the tasks.
- Additive factors refers to having a situational awareness of the cumulative effect of variables (conditions, etc.).
- Human factors refers to the limitations of the ability of the human body and mind to adapt to the work environment (e.g. stress, fatigue, impairment, lapses of attention, confusion, and willful violations of regulations).
2. Balance your resources.:
This refers to balancing resources in three different ways:
- Balancing resources and options available. This means evaluating and leveraging all the informational, labor, equipment, and material resources available.
- Balancing Resources verses hazards. This means estimating how well prepared you are to safely accomplish a task and making a judgement call.
- Balancing individual verses team effort. This means observing individual risk warning signs. It also means observing how well the team is communicating, knows the roles that each member is supposed to play, and the stress level and participation level of each team member.
3. Communicate risks and intentions.:
- Communicate hazards and intentions.
- Communicate to the right people.
- Use the right communication style. Asking questions is a technique to opening the lines of communication. A direct and forceful style of communication gets a specific result from a specific situation.
4. Do and debrief. (Take action and monitor for change.):
This is accomplished in three different phases:
- Mission Completion is a point where the exercise can be evaluated and reviewed in full.
- Execute and Gauge Risk involves managing change and risk while an exercise is in progess.
- Future Performance Improvements refers to preparing a "lessons learned" for the next team that plans or executes a task.
Benefits of ORM
- Reduction of operational loss.
- Lower compliance/auditing costs.
- Early detection of unlawful activities.
- Reduced exposure to future risks.
Chief Operational Risk Officer
The role of the Chief Operational Risk Officer (CORO) continues to evolve and gain importance. In addition to being responsible for setting up a robust Operational Risk Management function at companies, the role also plays an important part in increasing awareness of the benefits of sound operational risk management.Most complex financial institutions have a Chief Operational Risk Officer. The position is also required for Banks that fall into the Basel II Advanced Measurement Approach "mandatory" category.
ORM Software
The impact of the EnronEnron
Enron Corporation was an American energy, commodities, and services company based in Houston, Texas. Before its bankruptcy on December 2, 2001, Enron employed approximately 22,000 staff and was one of the world's leading electricity, natural gas, communications, and pulp and paper companies, with...
failure and the implementation of the Sarbanes-Oxley Act
Sarbanes-Oxley Act
The Sarbanes–Oxley Act of 2002 , also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act' and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which...
has caused several software development companies to create enterprise-wide software packages to manage risk. These software systems allow the financial audit
Financial audit
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion...
to be executed at lower cost.
Forrester Research
Forrester Research
Forrester Research is an independent technology and market research company that provides its clients with advice about technology's impact on business and consumers. Forrester Research has five research centers in the US: Cambridge, Massachusetts; New York, New York; San Francisco, California;...
has identified 115 Governance, Risk and Compliance vendors that cover operational risk management projects. Active Agenda
Active Agenda
Active Agenda is an open source risk management tool.Active Agenda is designed to support operational risk management in organizations and is optimized for high reliability organizations. It is a browser-based multi-user enabled software...
is an open source
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
project dedicated to operational risk management.
See also
- Benefit risk
- Cost risk
- Operational riskOperational riskAn operational risk is, as the name suggests, a risk arising from execution of a company's business functions. It is a very broad concept which focuses on the risks arising from the people, systems and processes through which a company operates...
- Optimism biasOptimism biasOptimism bias is the demonstrated systematic tendency for people to be overly optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. Along with the illusion of control and illusory...
- RiskRiskRisk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
- Risk managementRisk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
- Risk management toolsRisk management toolsRisk Management is a non-intuitive field of study, where the most simple of models consist of a probability multiplied by an impact. Even understanding individual risks is difficult as multiple probabilities can contribute to Risk total probability, and impacts can be "units" of cost, time, events...
- Tactical Risk ManagementTactical Risk Management- Introduction :PAS 55 describes the Optimal management of physical assets and is typically relevant to gas, electricity and water utilities, road, air and rail transport systems, public facilities, process, manufacturing and natural resource industries....
- Fuel price risk managementFuel price risk managementA specialization of both financial risk management and oil price analysis – and similar to conventional risk management practice – fuel price risk management is a continual cyclic process that includes risk assessment, risk decision making, and the implementation of risk controls...
- Basel IIBasel IIBasel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision...
- Key Risk IndicatorKey Risk IndicatorA Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future...
s - Solvency IISolvency IIThe Solvency II Directive is an EU Directive that codifies and harmonises the EU insurance regulation. Primarily this concerns the amount of capital that EU insurance companies must hold to reduce the risk of insolvency....
- Data governanceData governanceData governance is an emerging discipline with an evolving definition. The discipline embodies a convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in an organization...
General
- OPNAVINST 3500.39B OPERATIONAL RISK MANAGEMENT (ORM)
- MARINE CORPS ORDER 3500.27B OPERATIONAL RISK MANAGEMENT (ORM)
External links
- The Institute of Operational Risk The institute provides professional recognition and enables members to maintain competency in the discipline of operational risk.