Operational Risk Management (ORM)
The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events. Unlike other types of risk (market risk, credit risk, etc.), operational risk had rarely been considered strategically significant by senior management.
- Risk Identification: As mentioned earlier, understanding the risks specific to your business is key, but there are also many potential risks that affect any kind of business, and you need to identify all of them, both those that are recurring and those that can be one-off events. The identification process needs to involve staff from all levels of the business if possible, bringing a variety of backgrounds and experiences to produce a cohesive result. Risks identified by work floor staff will be very different from, and no less critical than, those identified in the boardroom.
- Risk Assessment: Once the risks have been identified, they need to be assessed. This needs to be done from both a quantitative and qualitative perspective and factors like the frequency and severity of occurrence need to be taken into consideration. The assessment needs to prioritize the management of these risks in relation to those factors.
- Measurement and Mitigation: Mitigating these risks (if not actually eliminating them altogether) is the next stage, with controls put in place that should limit the company’s exposure to the risks and the potential damage caused by them.
- Monitoring and Reporting: Any Operational Risk Management plan must have something in place for the ongoing monitoring and reporting of these risks if only to demonstrate how effective the plan has been. Most of all, it’s to ensure that the solutions put in place are continuing to be effective and doing their job in managing the risks.
Challenges of Managing Operational Risk
The discipline of operational risk is at a crossroads. Despite the industry's efforts to control operational risk, institutions still have much work to do. Risk Managers are grappling with questions like, ‘How does the discipline add value to my organization?’; ‘What do the advanced measurement approach’s (AMA) modeling techniques say about the operational risks my firm is facing?’; ‘What is the strategic role of operational risk my firm should adopt?’. Let’s take a look at some of the unique challenges that ORM brings:
- Rising Costs of Compliance: Development of an ORM model as part of a regulatory and economic capital framework is complex and takes time. There is general agreement that the major ORM challenge is the escalating cost of compliance.
- Access to Appropriate Information and Reporting: Effective management of operational risk requires diverse information from a variety of sources, including, for example, risk reports, risk and control profiles, operational risk incidents, key risk indicators, risk heat maps, and rules and definitions for regulatory capital and economic capital reporting.
- Development of Loss Databases: A well-structured operational risk framework requires development of business-line databases to capture loss events attributable to various categories of operational risk. Basel II specifically requires a minimum of three years of data for initial implementation and ultimately five years for the Advanced Measurement Approaches (AMA). The need for historical data (including external data) has been a cause for concern for many enterprises.
- Lack of Systematic Measurement of Operational Risk: Many enterprises hold that their institutions are measuring operational risk. However, very few of them have completed the Basel II quantification requirements or formalized the measurement process around the Basel II framework.
- Implementing ORM Systems: Amid regulatory efforts to revamp the industry’s immunity to operational risk, and its implications on efficient financial intermediation, many organizations are looking to go beyond traditional siloed approaches and implement a consolidated ORM framework across the entire value chain. Development of an ORM model as part of a regulatory and economic capital framework, however, is complex and takes time. Factors like a lack of understanding of upcoming technology for operational risk management, failure to get top management to focus on the benefits of the program, such as improved productivity and quality as well as loss reduction, and a lack of meaningful and timely data across business units and product lines make the implementation of an ORM system all the more formidable.
- Tone at the Top: An effective risk management program starts with “The Tone at the Top”, driven by top management and adhered to by the bottom line. However, if a bank’s top leaders perceive operational risk management solely as a regulatory mandate, rather than as an important means of enhancing competitiveness and performance, they may tend to be less supportive of such efforts. Management and the board must understand the importance of operational risk, demonstrate their support for its management, and designate an appropriate managing entity and framework, one that is part of the bank’s overall corporate governance framework.