Time to embed your Operational Risk Management Framework as a business imperative

Posted on February 12, 2021.

  1. Data, business controls, employee conduct, ethics, new technologies… operational risks can bombard organizations in many guises and from all directions. These risks can be pervasive, and if left unmanaged can soon become detrimental, reputationally and in terms of business needs, customer or client demands or shareholder value.

    “Organizations need to better understand and address operational risks in order to make informed business decisions and keep the requirements of all stakeholders in check,” says Jenny Ritson-Smith of Sword GRC. “Operational risk management should be prioritised, and while many organizations have an operational risk management framework (ORMF) in place, without embedding it effectively and aligning it closely to business processes, it will not achieve its potential for driving competitive advantage.”

    But where to begin? How can risk professionals implement an ORMF that benefits both users of the framework itself and is advantageous to the organization? And what does ‘embedding’ really mean when even the term is open to interpretation?

    A good starting point is ‘Embedding an Operational Risk Management Framework’ Operational Risk Sound Practice Guidance, published by the Institute of Operational Risk (IOR and available as a free download here.

    The objective of the paper is to:

    • Explain how to design and implement a robust ORMF
    • Demonstrate the value of effective operational risk management
    • Reflect the experiences of risk professionals, including the challenges faced in developing and rolling out an ORMF

    In it together

    “The paper is particularly useful in highlighting critical success factors. A key one is how no risk function within a business can in isolation, embed an effective ORMF,” says Ritson-Smith. “The wider business needs to be involved. This can be achieved by enlisting department or function managers as ‘risk owners’ – including as necessary, senior managers in the case of strategic level operational risks – to ensure the ORMF is correctly applied, so that risk and control assessments are undertaken promptly and action taken to address any control weaknesses or an uplift in risk exposure.

    “Some organizations might like to consider creating the roles of ‘risk champions’ – individuals tasked with promoting and supporting ORMF adherence within their area, so they may be involved in training on ORMF operation, or advising on whether to introduce or remove a control or explaining the value of an ORMF to their own line management.

    “Interestingly, the organization’s operational risk culture (a topic in its own right which you can learn about in a separate download) will have a great influence on whether the workforce believes in the value of operational risk management. The paper also outlines strategies that can be used to develop trust and minimise opposition.”

    Another key takeaway is that the embeddedness of an ORMF should be regularly assessed in order to comply with corporate governance codes and risk management regulations.

    Commenting on how this can be evidenced, Ritson-Smith points out, “There’s a chapter focussing on the various techniques that can be used to assess how well an ORMF is embedded and I think risk professionals will be keen to learn (or remind themselves) of key assessment steps that apply to any of the techniques suggested.

    “The guidance rounds off with details of how indicators can be used to monitor embeddedness. The list provided is illustrative and provides examples of both quantitative metrics and indicators that require qualitative evaluation.”

    When, as the white paper concludes, ‘… even a technically perfect ORMF will fail if it is not valued by its users or is viewed as overly complex’, then getting embeddedness right is a business imperative.

    Start as you mean to go on, by downloading your copy of ‘Embedding an Operational Risk Management Framework now.