Operational risk management (ORM) is part of a growing category of integrated governance, risk and compliance (GRC) concepts focused on supporting a broader enterprise risk management (ERM) program. The research firm Gartner defines true ERM as "the strategic and holistic treatment of all organizational risks, including credit and market risks, as well as operational risks."
Gartner additionally defines operational risks as those risks that "relate to the uncertainty of daily tactical business activities, as well as risk events resulting from inadequate or failed internal processes, people or systems, or from external events." ORM solutions allow organizations to aggregate and normalize data from multiple data sources, including operational and financial systems, as well as from external sources such as regulatory alerts and loss event databases.
By providing a better understanding of these risks to business objectives, ORM enables better business performance and capital allocation. ORM solutions also help companies address the increasing pressure from regulators to improve the risk reporting in annual reports, and to improve the board of directors' role in enterprise-wide ORM oversight. ORM solutions usually include functions for risk analytics, as well as risk indicators to support decision making.
The critical capabilities of ORM solutions center on providing business leaders/owners with a more effective means of assessing risk and control effectiveness, identifying operational risk events, managing remediation efforts, and quantifying the associated operational risk exposure across the enterprise.
Risk and Control Documentation/Assessment
Operational risks, and the related controls required to mitigate them to an acceptable level, must be documented sufficiently to satisfy a number of key stakeholders — including regulators, external auditors, business partners/associates and board members — as well as to provide the basis for performing a comprehensive operational risk assessment. Features within this capability include:
Risk-related content, including a risk taxonomy/library, key risk indicator (KRI) catalog, regulatory compliance updates and so on
Risk assessment methodology and calculation capabilities (for example, bow tie risk assessment)
Documentation authoring, versioning and approval
The ability to integrate with purpose-built risk systems, such as business continuity management (BCM) planning, IT risk management (ITRM), IT vendor risk management (VRM), corporate compliance and oversight (CCO), enterprise legal management (ELM), and audit management.
Incident Management/Loss Event Capture and Analysis
A history of operational incidents and/or loss events can be used to inform the risk assessment process and facilitate the identification of event causes. In addition, ORM solutions can integrate with external loss event databases to identify potential risk events based on the experience of peers and other related entities. Features within this capability include:
An external risk event repository
Incident management workflow (review, escalate, investigate, resolve, dispose) and reporting
Root cause analysis/corrective actions log
Risk Mitigation Action Planning
When operational risks are assessed to be beyond defined risk tolerance levels, action plans must be developed to ensure that the appropriate mitigation steps are taken to meet the operational risk appetite set by the board of directors or other governance body. ORM solutions can provide support to risk professionals and business leaders in managing the associated risk mitigation efforts. Features within this capability include:
Project management capabilities to track progress on risk-related initiatives or tasks
Risk control testing capabilities, such as continuous control monitoring
Control mapping to risks and business processes
Control mapping to compliance mandates
Business process mapping to IT assets
Key Risk Indicators (KRI) Monitoring/Reporting
To effectively monitor the operational risk levels across the enterprise, companies can utilize ORM solutions to report the risk levels through KRIs. Features within this capability include:
Risk scorecard/dashboard capabilities
The ability to link KRIs to performance metrics
Risk Quantification and Analytics
Beyond the exercise of assessing operational risk from a qualitative perspective, companies in many industries (including banking, insurance and securities) are seeking to measure operational risk on a quantitative basis. Quantitative analysis methods are used to develop more precise predictive models to determine the potential for certain operational risk events, such as fraud or theft. As such, the features within this capability include:
"What if" risk scenario analysis capabilities
Statistical modeling capabilities (for example, Monte Carlo simulation, value at risk and Bayesian statistical inference)
Fraud detection capabilities
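As an added illustration of the quantitative methods listed above (not code from the original page or from any ORM product), the following is a minimal loss distribution approach: annual operational losses are simulated by Monte Carlo from a Poisson event frequency and a LogNormal event severity, operational value at risk (VaR) is read off the empirical annual-loss distribution, and a "what if" scenario compares the result against a control that halves the event rate. All parameters (three events per year, a median severity of 50,000, and so on) are constructed for illustration.

```python
import math
import random


def poisson_draw(rng, lam):
    """Draw one Poisson(lam) event count with Knuth's method (adequate for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n_years, freq_lambda, sev_mu, sev_sigma, seed=7):
    """Loss distribution approach: each simulated year draws a Poisson number of
    loss events and sums one LogNormal(sev_mu, sev_sigma) severity per event.
    Returns the aggregate loss for every simulated year (constructed parameters)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        events = poisson_draw(rng, freq_lambda)
        losses.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(events)))
    return losses


def value_at_risk(losses, confidence):
    """Empirical VaR: the annual loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]


def capital_summary(losses, confidence=0.999):
    """Expected loss (mean), VaR at the given confidence and the unexpected loss
    (VaR minus expected loss), which is the usual basis for operational risk capital."""
    expected = sum(losses) / len(losses)
    var = value_at_risk(losses, confidence)
    return {"expected_loss": expected, "var": var, "unexpected_loss": var - expected}


def what_if(n_years, freq_lambda, sev_mu, sev_sigma, freq_reduction, seed=7):
    """'What if' scenario: capital before and after a control that cuts the event
    rate by `freq_reduction` (0.5 halves the Poisson rate; severity is unchanged)."""
    base = capital_summary(simulate_annual_losses(n_years, freq_lambda, sev_mu, sev_sigma, seed))
    mitigated_lambda = freq_lambda * (1.0 - freq_reduction)
    mitigated = capital_summary(simulate_annual_losses(n_years, mitigated_lambda, sev_mu, sev_sigma, seed))
    return base, mitigated


if __name__ == "__main__":
    # Constructed scenario: 3 events/year, median severity 50,000, sigma 1.2, control halves frequency.
    base, mitigated = what_if(20000, 3.0, math.log(50_000), 1.2, 0.5)
    for label, summary in (("baseline", base), ("with control", mitigated)):
        print(f"{label}: EL={summary['expected_loss']:,.0f} VaR99.9={summary['var']:,.0f} "
              f"UL={summary['unexpected_loss']:,.0f}")
```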