What is operational risk management? And why is operational risk important? Simply defined, operational risk management is a continual process performed to identify and manage the risks inherent to running a business. Risk is fundamental to operating a business, and all businesses have to manage risk of all types, ranging from financial to operational to reputational. Today we are going to talk specifically about operational risk and how to manage it.
Operational risk is pervasive in a company, and it results from ineffective policies, systems, and people or when internal processes and controls are not properly managed. It is the risk of failed business operations due to the inadequacy of the people, processes, and technology that are responsible for operating the business. In turn, operational risk management is the management of such risks: instituting effective processes and protocols to continually identify, assess, and manage those risks.
What are the Four Main Types of Operational Risk?
I always say that risk management is subjective. There are many different risk management theories and frameworks. Different people use different definitions and categories to facilitate their risk management program. That being said, operational risk can generally be classified using the following categories:
Starting with these main types or categories can aid in developing your operational risk management program. Using these four categories as a starting point, you can then start to identify the business objectives and risk scenarios within each category that are relevant to your company.
What is the Purpose of Operational Risk Management (ORM)?
While risk is inherent in running a business, the purpose of operational risk management is to manage or mitigate such risks to an acceptable level. A key pillar of a functional risk management program is to first define the acceptable level of risk within the organization. Management should perform an analysis to determine what risks, and how much risk, they are willing to take on in the pursuit of the company’s objectives. Some level of risk is always necessary, but it’s important to weigh risk against the potential benefit.
The purpose of operational risk management is to aid in such an analysis. We have previously discussed how to evaluate and mitigate risk, and the process is the same for operational risk. Management should start by identifying the “what could go wrong” scenarios relative to the company’s people, internal processes, systems, and external factors. Some examples of operational risk include the following:
- The risk that employees are not properly qualified to adequately perform their job
- The risk that employees are not adequately trained in the company’s policies
- The risk that control ownership is lacking or that controls are not understood by the people accountable to them
- The risk that policies are not in line with current compliance, audit, or contractual requirements
- The risk that processes are highly manual and therefore time-consuming and prone to human error
- The risk that stakeholders are unaware of or not trained in security incident response protocols
- The risk that technologies are outdated/not in line with business objectives
- The risk that aging infrastructure leaves the organization susceptible to security threats/data compromise
- The risk that system development is not consistently or securely managed
- The risk of supply chain or third-party vendor disruptions
- The risk that the company does not have a sufficient business continuity or disaster recovery strategy to protect against natural or man-made disasters
- The risk that changing economic factors may negatively impact the company’s ability to meet sales targets
Note that it is likely that management would identify more specific risk scenarios for each of the above risk statements. Once these “what could go wrong” scenarios (i.e., risks) have been identified, management can then perform an analysis of the likelihood and impact of each risk scenario to determine what risk treatment strategies (accept, transfer, mitigate, avoid) are needed. Unacceptable risks identified in this process are then managed until the risk is at a more acceptable level.
You may be wondering who is responsible for operational risk. Given the nature of operational risk, in that it’s pervasive throughout the organization, stakeholders across the business should be engaged and held responsible for managing operational risk. Operational risk is a key component of enterprise risk management or organizational risk. In an optimal risk management function, leaders from each function in the organization should be involved in risk identification and mitigation to ensure operational risks across the organization are accounted for.
How Does Operational Risk Management Relate to SOC 2?
The SOC 2 Trust Services Criteria include criteria for risk assessment and risk mitigation, so it’s important to understand how strengthening your company’s operational risk management program aligns with and strengthens your SOC 2 compliance. Whenever I talk to clients about the SOC 2 requirements for assessing and mitigating risks, the conversation naturally shifts from a security risk-focused mentality to a broader risk management strategy. The reason for this is that the SOC 2 criteria for Risk Assessment are intentionally broader than security risk; it was designed to force organizations to take an enterprise-wide approach, including using operationally focused metrics to assess and manage risk.
Risk Assessment Criteria
Here are the relevant criteria and points of focus for the Risk Assessment criteria, per COSO.org:
- CC3.1 (COSO Principle 6): “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”
- CC3.2 (COSO Principle 7): “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
- CC3.3 (COSO Principle 8): “The entity considers the potential for fraud in assessing risks to the achievement of objectives.”
- CC3.4 (COSO Principle 9): “The entity identifies and assesses changes that could significantly impact the system of internal control.”
As you can see, the criteria do not focus solely on IT security risk; rather, the criteria are far-ranging and are meant to address risk across the enterprise. Check out our related article “How the COSO Principles & Trust Services Criteria Align” to learn more.
Risk Assessment Points of Focus
Breaking the criteria down further into the points of focus (i.e. – guidelines or recommendations for achieving the criteria), you see that the SOC 2 Risk Assessment criteria and scenarios span across a number of objectives. Some highlights from the points of focus are noted below, per the AICPA TSP Section 100:
- “Includes Operations and Financial Performance Goals”
- “External Financial Reporting Objectives”
- “Reflects External Laws and Regulations”
- “Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels”
- “Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities”
- “Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties”
- “Considers Various Types of Fraud”
- “Considers the Risks Related to the Use of IT and Access to Information”
- “Assesses Changes in the External Environment”
- “Assesses Changes in the Business Model”
- “Assesses Changes in Leadership”
- “Assess Changes in Systems and Technology”
As I stated above, risk management is subjective, and there are many different frameworks and templates that can be used to guide your risk management function. If you are struggling to identify the right operational risk management framework, I suggest using the SOC 2 criteria as your guide. For one, the SOC 2 criteria address a range of operational risk areas. It was built off the COSO framework, which is a broadly accepted framework for managing the components of internal control. It will also help your organization satisfy the SOC 2 requirements for assessing and mitigating risk, which gets you one step closer to SOC 2 compliance.
What are the Main Benefits of Operational Risk Management?
It can be easy to think of risk management simply as a compliance checkbox, but proactively managing operational risk has many benefits. A strong operational risk management program should:
- Enable management to embrace a healthy level of risk in the pursuit of the organization’s objectives.
- Inform decision makers where additional resources are needed to address potential threats to the organization’s operations.
- Strengthen the reliability of business operations and the company’s ability to achieve its objectives.
- Mitigate against or reduce loss.
- Identify where opportunities for efficiency can be realized.
- Hold stakeholders accountable by proactively identifying risks that may compromise their ability to achieve the company’s goals.
Knowledge is power. Designed properly, your operational risk management program should give insight through metric-driven data that enables the organization to operate more efficiently and effectively.
Are you still not sure where to start or what steps to take in your ORM process? Do you feel your organization could benefit from implementing a stronger risk management program? Keep in mind that risk management is a continuous process, and one that you can build over time. For more information on how to strengthen your enterprise risk management program or to initiate an operational risk assessment, I recommend the following articles:
- Information Security Risk Management: A Comprehensive Guide
- Vendor/Third-Party Risk Management: Best Practices
- Considerations for Fraud Risk Assessment: COSO Principle 8
- When, How, And Why To Use A Risk Matrix
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.