IERP® Monthly Newsletter Issue 29 September - November 2021 | Page 24

Because operational risk management includes oversight of many elements and is primarily human-focused, appropriate governance is essential for it to be effective. An organisation’s operational risk management framework must have the necessary processes of measurement.

 

To ensure that it can be effectively implemented, the framework needs to cover risk identification, risk assessment, measurement & mitigation, and monitoring & reporting. Risk identification should involve staff at all levels of the business for comprehensive results. Risks should be assessed qualitatively and quantitatively, and prioritised according to frequency and severity. The organisation can then decide what controls to put in place to mitigate them. Monitoring and reporting are instituted to ensure that the mitigative measures in place are suitable and functioning as intended. This calls for close cooperation between those dealing with operational risk management and internal audit.

 

Since operational risk relates to an organisation’s internal processes, it inevitably focuses on the risks that have the most impact on the firm, and the staff who are responsible for these risks by virtue of being in their respective positions. The operational risk management governance structure is generally risk-averse and concentrates on protecting the organisation, its assets and value-creating abilities. Business environments are never static; operational risks follow suit. Any significant changes therefore need to be reported to the board and senior management. Operational risk governance enables senior management to guide and direct operational risk strategy.

 

Operational risk, therefore, has to be managed by the board and senior management, supported by checks and balances set in place through policies, frameworks, processes and procedures which they determine. When done right, operational risk management is capable of positioning the organisation to optimise its resources, improve reliability of business operations and reduce losses. It also deals with fraud, thus protecting the firm from damage. Above all, it strengthens the decision-making process of board and management where risk is concerned, and demonstrates to stakeholders that the organisation is just as prepared for crisis and loss as it is for sustainability, growth and competitiveness.
