Of course, no one wants bad things to happen to their company, their employees, or their clients. Every bad story is something one wants to avoid. Yet, total avoidance or 100% extinguishing of operational risk is a foolish goal. It would be very expensive, if not impossible. For example, one could totally avoid market risk by totally avoiding the market. The result of this strategy would mean no investments in securities, property, or any product that has a “market.” Likewise, one could avoid credit risk by not being in the business of extending credit. The same is true for operational risk. A company could totally avoid operational risk by not having employees, not having processes, and not having clients. That would mean not being in business—a foolish goal for a company.
The management of risk is smarter and more effective. Both COSO and the Basel Committee have issued similar principles with respect to the management of operational risk. While COSO has expanded these principles into objectives and components within its ERM framework, the Basel Committee refers to these concepts as “sound practices.” In any event, the ORM principles from these and other public risk management frameworks fall into four broad categories, in the following order:
1. Setting the environment
2. Active management (identify, assess, mitigate)
3. Ongoing monitoring
4. Disclosure
1) A company’s risk control environment sets the tone for the organization. It is the foundation for all other risk management activities. If a company’s board of directors does not worry about the management of risk, then rest assured that the management and employees will not worry about it either. The board of directors and senior management are responsible for setting the appropriate tone for the rest of the company, including integrity, ethical values, and competence, and for approving an ORM framework to be consistently implemented throughout the organization so that all levels of employees know and understand their responsibilities with respect to managing operational risk.
2) Active operational risk management ensures that an organization has in place the means to carry out a comprehensive program to (1) identify risks existing in its processes, systems, and other activities; (2) assess or evaluate the risks identified so that the impact on the organization is fully understood; and (3) mitigate or control the risks, especially those with significant impact, so that the risks are eliminated or reduced to an acceptable level. Vital elements of an ORM program are policies and procedures that address numerous and common control activities, such as authorization, verification, performance review, and segregation of duties.
3) Ongoing monitoring of operational risk is just as important as the monitoring of performance or the monitoring of quality. It should be conducted as a separate activity and should be part of everyday management and supervision. The company’s ORM framework needs to be monitored to ensure that active management is properly working to identify, assess, and reduce risk. Additionally, a company’s risk appetite will change over time and, as a result, the environment and framework would need to be adjusted accordingly.
4) Finally, the disclosure of operational risk information would enable people to carry out their responsibilities. The reporting to senior management of risks identified, assessed, and mitigated would help management determine the potential benefits and costs of changing risk appetites or funding additional control systems or processes. Conversely, the effective communication from senior management to all personnel with regard to a company’s operational risk environment would ensure a clear and consistent message that each person’s role and responsibility for managing operational risk should be taken seriously.
To ensure a more robust anticipatory framework, four changes to the commonly used operational risk framework are necessary:
1. Reorder the Elements and Expand the Function of Monitoring. Active monitoring should take place before active management. One should be monitoring business processes, not only the operational risk framework, as a routine function and not as a result of the identification, assessment, and mitigation of operational risks.
2. Add a New Element to Determine Potential Risks with a Feedback Loop to the Risk Environment. To be proactive, one needs to examine what could occur and not just react to what has occurred. Potential risks should be identified and assessed in order to then determine whether the risk environment needs to be changed.
3. Add Four New Features to the Active Management Element. Managing the risks not only comprises identification, assessment, and mitigation as suggested in the commonly used frameworks. Additional measures include a cost assessment; deciding whether to live with a risk; validating that the risk was indeed mitigated, if risk mitigation was the chosen option; and reporting the risk, status, and validation to senior management.
4. Remove Disclosure as a Single Element and Instead Include It in All Elements. The concept of disclosing or reporting of information is key to risk management. This should occur not only once the active management and monitoring are completed, but during the entire process.