Operational Risk Management
Operational Risk Management, otherwise known as ORM, is defined as a continual recurring process which includes risk assessment, risk decision making, and execution of risk controls, which results in acceptance, mitigation, or avoidance of risk. It is the oversight of operational risk, which is a risk arising from execution of a company’s business functions. It is a very wide concept which focuses on the risks arising from the people, systems and processes through which a company operates.
It also includes other categories like fraud risks, legal risks, and physical or environmental risks. Some definitions of ORM include the risk of loss resulting from insufficient or failed internal processes and systems, human factors, or external events. There are different factors and processes that need to be taken into consideration when talking about the ORM process, which may influence the outcome, and the input needed to balance it in a positive way. Our first factor that comes into play is known as “risk”, and it is simply made up of two main components, known as loss and probability.
When these two are combined, they indicate how much we can expect to suffer as a result of unwanted or unplanned events, also known as exposure to risk. Loss is simply a reflection of the financial loss arising from an incident. Financial loss may include, but is not limited to, credit, loss of opportunity, fines, penalties, and restrictions. Loss can also be expressed in qualitative measures like reputation, image, morale, loyalty, confidence, and credibility. Probability, on the other hand, is a qualitative measure of likelihood and is frequently applied due to the lack of statistical data.
Our next factor is known as “risk profile”, and is defined by three elements, each of which is uniquely characteristic of the organization and substantially defines the execution and cost of its ORM plan. The first element is known as the threat profile, and it reflects the importance of hazards due to environments, working practices, business sector, etc. Second comes the loss profile, which reflects how the organization feels pain following a disruptive event. Last but not least is the gap profile, which reflects the condition of the organization's defenses, identifying where holes and overlaps exist.
The next factor that comes into play is what we know as “causes” or “causes of disruption”, which always arise from a point beyond our regular operational control. They are also known as threats or hazards, and there are many to consider. They may include natural events like a lightning strike as well as human errors, arson, sabotage, and terrorism. There is also the factor known as “dependency”, which is simply the dependability that one has on the resources available, and on planning, for an ORM to go according to plan.
Another factor is known as “scenarios”, which are the gathering of effects that have spread right through the business as a result of one or more threats occurring. Because they are cumulative, they may concurrently take many different forms. For example, if the network goes down, it may remove one’s ability to communicate with other departments or make it that much more difficult to do so. Scenarios can be complex and very difficult to predict. Scenarios are the outward manifestation that leads to loss, and/or completing the cycle.
In addition, we have the “ORM life cycle and process”. To manage operational risk we must devise ways of measuring, prioritizing, monitoring and thoroughly reducing our exposure. The ORM life cycle offers an illustration of the concepts explained in this section. Then we have “impact analysis”, which is the technique used to determine the organization’s tolerance and characteristic pattern of loss arising from disruption. The resulting priority and time-frame data is used to determine loss arising from specific incidents and is used in risk assessment.
It is also used to establish the time-frames for recovering functions, processes and systems in continuity planning. We also have something called “risk assessment”, which involves the collection of data in relation to people, processes, systems and environmental circumstances, concluding in a threat profile and a gap profile. The former is an expressive list of the threats that currently affect the organization, with estimates of probability. The latter identifies weaknesses in the business that allow threats to spread with great disruptive effect.
The assessment combines impact analysis and probability data to prioritize the plugging of gaps, proposing, cost-justifying and comparing strategies for improvement. Then we have what is called “continuity planning”, which offers the ultimate backstop where risk improvement measures have proven unsuccessful or were unsuitable and the organization faces great disaster. It identifies what people, processes, systems, and other structures must be provided to the firm in good time to guarantee and preserve its ability to exist.
Last but not least, we have “assurance”, which is nothing but a set of activities that help guarantee that your continuity provisions work. Training encourages staff to build up a consistent understanding of risk and continuity issues, building familiarity with aspects that could affect them. Periodic review or audit ensures your continuity provisions still reflect the needs of the business. Preparation and testing offer controlled means of simulating real incidents, ironing out problems under safe conditions.
In addition to this, both the U.S. Department of Defense and the U.S. Navy have come up with different types of risk management tools and processes that have become useful and part of their everyday routine. The U.S. Department of Defense has come up with four principles for ORM: accept risk when benefits outweigh the cost; accept no unnecessary risk; anticipate and manage risk by planning; and make risk decisions at the right level. There are three levels when talking about ORM: In-Depth, Deliberate, and Time Critical. With these come different processes that each one has to go through before being approved.
In-depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Some examples may include training, drafting instructions and requirements, and acquiring personal protective equipment. For in-depth risk management, the International Organization for Standardization defines the risk management process in a four-step model:
1. Establish context
2. Risk assessment (risk identification, risk analysis, risk evaluation)
3. Risk treatment
4. Monitor and review
This process is cyclic, as any change to the situation requires re-evaluation per step one.
Deliberate risk management is used at routine periods through the implementation of a project or process. Some examples may include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks. For deliberate risk management, the U.S. Department of Defense has come up with a five-step process: identify hazards; assess hazards; make risk decisions; implement controls; and supervise and watch for changes.
Time critical risk management is used during operational exercises or execution of tasks.
It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Some examples may include execution checklists and change management. This type of risk management process requires a high level of situational awareness. For time critical risk management, the U.S. Navy has come up with a five-step process:
Assess the situation. The three conditions of the Assess step are task loading, additive conditions, and human factors. Task loading refers to the negative effect of increased tasking on performance of the tasks. Additive factors refers to having a situational awareness of the cumulative effect of variables or conditions. Human factors refers to the limitations of the ability of the human body and mind to adapt to the work environment, such as stress, fatigue, confusion, etc.
Balance your resources. The three ways to balance resources are balancing resources and options available, balancing resources versus hazards, and balancing individual versus team effort. Balancing resources and options available means evaluating and leveraging all the informational, labor, equipment, and material resources available. Balancing resources versus hazards means estimating how well prepared one is to safely accomplish a task and making a judgment call. Balancing individual versus team effort means observing individual risk warning signs, as well as observing how well the team is communicating, whether it knows the roles that each member is supposed to play, and the stress level and participation level of each team member.
Communicate risks and intentions: communicate to the right people. In order to do this, the right communication style needs to be applied. These styles include asking questions as a technique for opening the lines of communication, and using a direct and forceful style of communication to get a specific result from a specific situation.
Do and debrief, which simply means to take action and monitor for change. This step is accomplished in three different phases. First, mission completion, which is a point where the exercise can be evaluated and reviewed in full. Second, execute and gauge, which involves managing change and risk while an exercise is in progress. Last, future performance improvements, which refers to preparing a “lessons learned” for the next team that plans or executes a task.
In addition to all that has been discussed, there is a role that continues to evolve and gain importance in the ORM process: that of a Chief Operational Risk Officer. Not only is this individual responsible for setting up a robust Operational Risk Management function at companies, but they also play an important part in increasing awareness of the benefits of sound operational risk management. The Marine Corps Communication and Electronics School requires us as students to complete and submit an ORM in any case of leave that we may request, before departing from base.