Operational risk management (ORM) is a discipline that enables financial institutions to proactively monitor, manage, and control the operational and financial risks that they face. ORM includes an evaluation of the institution’s risk profile, risk mitigation strategies, and risk-adjusted capital requirements. It also provides tools to improve the control and monitoring of risks across the enterprise and to help the institution identify its most significant risks before it is too late.
ORM consists of a framework of risk management disciplines, processes, and procedures that focuses on the financial and reputational risk associated with the institution’s operations and exposures. This framework consists of major elements that include risk assessment, risk management policies and procedures, risk monitoring, risk communication, risk governance, and risk elimination. Each firm has its own distinct risk hierarchy, risk assessment framework, and risk control framework, which are used to assess, understand, and manage risk in its operations.
In this article, we provide an executive summary of operational risk management in banking. We begin with an overview of operational risk categories and the measures taken by banking regulators to address them.
One of the most important elements of risk management is the ability to act swiftly when an unexpected event occurs. This can be achieved by building a risk culture, which is a broad set of risk and security controls, in which all employees are aware of potential threats and how to respond to them.
Operational risk management in banking focuses on the prevention of losses, as well as the reduction of the likelihood of such losses, by using various risk mitigation and management controls. These risk mitigation and management controls focus on the following: preventing fraud and/or theft, preventing financial loss due to theft, protecting assets from loss due to fraud, maintaining the sound financial health of the firm, and complying with regulations and laws.
The first step in the operational risk management process is to identify the risks that exist. This is typically done through a risk assessment, a process that analyzes potential risks to determine which ones pose the greatest risk to the firm and which ones can be mitigated. The risk assessment process also determines which risk categories, such as operational and financial, are the most significant to the firm. Once the risks have been identified, the next step is to determine how the firm will respond to them. This is typically done through the creation of a risk management plan, which defines the steps the firm will take to mitigate the risks, and a risk monitoring plan, which defines the steps the firm will take to detect and respond to the risks. This process also reveals the frequency of the risks, their seriousness, their origins, their likelihood, and their impact. The risk assessment is typically performed by a team consisting of internal and external stakeholders. The internal stakeholders include the chief risk officer and the chief compliance officer, while the external stakeholders include regulators, auditors, and the board of directors.
The second step in the operational risk management process is to determine the measures that are necessary to reduce the risks that have been identified. This is typically done through the use of risk mitigation and management controls, which are defined as measures that reduce the likelihood or the impact of a risk. Examples of risk mitigation and management controls include processes to screen applicants for fraud, secure assets from theft, and implement policies to prevent fraud. Often, risk mitigation and management controls are grouped into categories, such as internal controls and external controls. Internal controls are measures that are taken by an organization to prevent or detect fraud within the organization. External controls are measures that are taken by an organization to prevent fraud related to its activities outside of the organization.
The third step in the operational risk management process is to implement the measures that were determined to be necessary to reduce the risks that were identified. This is typically done through the use of controls, which are defined as measures that reduce the likelihood or the impact of a risk.
The fourth step in the operational risk management process is to measure the effectiveness of the risk mitigation and management controls that have been implemented. This is typically done through the use of control measurements, which are defined as measures that determine the effectiveness of a control. Control measurements are broadly categorized as process measurements and outcome measurements. Process measurements are used to determine the effectiveness of internal controls. Outcome measurements are used to determine the effectiveness of external controls. Control measurements help organizations prioritize which controls to focus on next, and which controls to remove, based on the risks that are being managed. They also provide objective input into the risk management process, which is often used to make decisions about the allocation of capital and the selection of personnel.
The fifth and final step in the operational risk management process is to communicate the results of the risk assessment and risk management controls to senior management. This enables senior management to quickly identify which controls will have the greatest positive impact on reducing risk and to prioritize the development of new controls. This part of the process also enables management to make decisions about the allocation of capital and the selection of personnel, which in turn inform decisions about the operation of the firm. It also enables the firm to comply with regulations and laws.
The operational risk management process is intended to help management identify and control those risks that are important to the firm, and to help the firm continue to manage those risks in a world that changes quickly. As such, the operational risk management process is a continuous one. Management will continue to conduct risk assessments, to monitor the effectiveness of its risk mitigation and management controls, to evaluate its policies and procedures, and to make improvements when appropriate. Accordingly, the operational risk management process is not intended to provide an exhaustive, one-time review of the firm’s risk profile, nor is it intended to be a static process. The process will be adapted to changing conditions and revised as needed, with the goal of continuously improving risk management.