All organizations have in place governance arrangements to ensure that they are directed and controlled in a manner consistent with the requirements of their stakeholders (shareholders, creditors, regulators, etc). These governance arrangements will span across all aspects of an organisation’s activities and operations, including strategic and tactical decisions. The management of risk forms a central element of these arrangements. This includes the management of operational risk.

This paper focuses on sound practices for the governance of operational risk. The paper is not intended as a replacement for existing governance codes and standards, such as the UK Corporate Governance Code or the OECD’s Principles of Corporate Governance. Instead, the aim is to highlight practices which may be employed to support the effective and appropriate management of operational risk, as part of the wider governance activities of an organization.

With sound practices for the governance of operational risk management an organization can ensure that its operational risk exposures are kept within appetite, compliance is maintained with applicable laws and regulations (e.g. health and safety, environmental, and financial regulations) and that internal policies and procedures for the management of operational risk are followed. Also, operational risk management should support an organization’s wider corporate governance activity through the control of ‘people risks’, including inappropriate conduct on the part of directors, managers and employees, negligence or criminal activity.