Is Operational Risk Management A Profession Or A Skillset?
Operational risk deals with the uncertainties the organisation faces in its day-to-day business activities. This may include a range of events, from equipment breakdown, insubordinate staff and non-compliance with internal procedures, to problems that result from external events, such as natural disasters, political unrest in neighbouring countries that affects the supply chain, and actual death and disease brought on by pandemics. It is part of the macro risk picture that could result in greater risk if it is overlooked, and can result in organisational failure that ultimately affects the company’s bottom line.
Considering the implications of all this, there is certainly a lot riding on the correct management of operational risk. Operational risk management (ORM) focuses on the risks that impact most significantly on the organisation. ORM methodologies and strategies are geared towards identifying the circumstances or changes in the firm’s operating environment that will affect its risk levels, organisational efficiency and effectiveness, and prevent it from optimising its value-creating potential. ORM is essential for any organisation which wants to avoid potential damage. Considerable skill is needed for all this; there are a limited number of professional certification programmes for those wishing to specialise in the field.
Correctly applied, ORM improves business operations, identifies problem areas, and reduces losses and compliance costs. But like all matters pertaining to risk management, it starts with a comprehensive understanding of the technicalities and requirements/options of ORM. Following this, a thorough understanding of the business is required as no two businesses are alike even if they are in the same industry. An organisation’s strategy for its ORM needs to be customised; it will be tied to the requirements of the operations and the dynamics of the organisation and the environment it functions in. Understanding the firm’s requirements means understanding the risks which are specific to the business as well as potential risks, emerging risks and one-off events which may be disruptive.
Risks are identified so that they can be controlled, but not all of them can be controlled; some may be completely beyond the organisation’s control. Also, it may not be worth the organisation’s while to control some risks, or too many resources may be deployed without commensurate benefits. Stringent risk assessment thus needs to be applied to prioritise these risks. The firm can then decide how to mitigate them, and insert a monitoring function to see if the plans work. Monitoring is necessary for feedback and improvement as well as to identify, to a certain extent, what kind of risk-control skills the organisation will have to look for when it comes to ORM.
Ideally, ORM should be embedded in the organisation, but this doesn’t always happen. Even with training, management and staff may have trouble determining, for instance, whether taking a risk or steering clear of it would better benefit the organisation; or risks may be wrongly anticipated, and the wrong decision taken. As part of its ORM programme, the organisation may opt to implement Risk and Control Self-Assessments (RCSA) to better understand the nature of its operational risks. RCSAs require careful documentation of operational risks and their related controls and processes. They support consistent methodologies to measure and assess risk, and develop a comprehensive view of risks and controls so that risk patterns can be identified.
They are a good reference for further training and development of risk awareness among different organisational levels. The extent of an organisation’s operational risk depends on the actions of its employees and the decisions they make while running the business. The ORM professional therefore has to have more than an operations management skillset to be effective. The use of robotics, artificial intelligence and advanced technology, for instance, may require knowledge of areas relating to, amongst others, digitisation risk and cybersecurity risks. The scope of ORM is growing as businesses become more complex. ORM itself may have to be divided into different categories like technology, regulatory & compliance, and human resource/OSH risks.
The ORM professional’s skills may need to extend beyond operational risk analyst skills, to encompass a wider range of knowledge, skills, automation and techniques, as responsibilities increase in tandem. The ever-increasing scope and complexity of operations notwithstanding, the aim of ORM is still to reduce, control or mitigate the risk so that it does as little damage to the firm as possible. While ORM is viewed by many industries as a professional area of its own, and is highly prized as such, it is one of the areas also subsumed into Enterprise Risk Management (ERM). Many of the activities and objectives of ORM relate to those of ERM, such as risk identification and assessment, and mitigation.
Both ERM and ORM address risks in the same areas, except that they do it from different perspectives. ORM capability is a skillset in the ERM arsenal. The ability to identify, assess and mitigate risk, implement control and conduct monitoring activities that are the basis of ORM, applies equally in ERM. Regardless of whether it is considered as a profession on its own or as a subset of ERM, robust ORM is an asset for any organisation. It effectively demonstrates that the firm is prepared to weather the vagaries of operations, and signals competent, professional management that is knowledgeable and thoroughly engaged with the business.