Many techniques and methods used for managing and reducing operational risk have been recommended and written about over the past 20 years. Each one has its benefits and can be used for better understanding operational risk and reducing potential losses. Here are some:
Enterprise risk management (ERM) expands the original COSO framework into a way of describing the management of operational risk. It defines four objectives for a company, and for any organization within a company:
1. Strategic. The high-level goals and objectives of the organization.
2. Operations. The appropriate use of an organization’s resources, taking both effectiveness and efficiency into account.
3. Reporting. The reliability of the reporting by the organization, whether it would be internal reporting of a division to corporate headquarters or reporting by the company to its shareholders or regulators.
4. Compliance with applicable laws and regulations. This is especially important for global or U.S. national companies, where regional and local laws differ and must be adhered to in order to keep doing business within each jurisdiction.
The original COSO framework contained four principles: setting the environment; monitoring the process; active risk management through identification, assessment, and mitigation; and disclosure. Rather than using these four principles, the revised COSO ERM framework employed eight components that work together. These eight components link back to the original four COSO principles and conform to the principles of Basel II and the control principles embraced by SOX 404:
1. Internal environment is how the organization sets its tone and risk appetite; it is essentially the original principle of setting the environment.
2. Objective setting is the definition of objectives in line with the organization’s risk appetite; it is likewise a component of setting the environment.
3. Event identification refers to identifying both internal and external events that affect the organization’s risk objectives, which is a key component of the active risk management principle.
4. Risk assessment, the next component of the active risk management principle, refers to the analysis and understanding of these events and what risk they present to the organization.
5. Risk response, the third and final component of active risk management, is the decision of what to do about the risk: take actions to mitigate or compensate for it, find ways to reduce or share its cost, or accept it within the risk appetite of the organization.
6. Control activities are a component of the risk response, to ensure that there are plans in place to implement whatever response was determined.
7. Information and communication is similar to, and perhaps broader than, the original principle of disclosure, in that it covers the communication of relevant instructions and information to people inside and outside the organization with regard to their roles and responsibilities for particular risk objectives and risk responses.
8. Monitoring, just like the original principle of monitoring, is the ongoing process of reviewing and evaluating processes and business activities.
Insurance is a form of risk management used to hedge against a potential loss. Thus, rather than trying to develop and implement an ORM framework, a company could instead purchase insurance against losses from operational risks. One would likely find, however, that the cost of determining how much insurance is needed plus the cost of the insurance itself exceeds the cost of developing and implementing an ORM framework. In addition, the use of risk management information systems (RMISs) is typical in insurance-related businesses, yet the concept applies to any business: computerized systems that support the reporting of identified risks, risk assessments, and risk control activities.