green circle sparkle

Analysis

Operational risk management: The new differentiator

Steps to driving better business decisions and creating competitive advantage

Are you using operational risk management (ORM) as an organizational imperative? Effective management of operational risks will increase C-suite visibility and encourage more informed risk taking. Integrating ORM strategy, tools, and processes into your organizational goals will lead to improved product performance, greater brand recognition, and deliver sustainable financial results.

The risk of doing business

Organizations in industries face operational risk wherever they turn. To the left lie ever-present risks from employee conduct, third parties, data, business processes, and controls. To the right are inherent cultural, moral, and ethical risks. Layered on top are technology risks—which are compounded as organizations embrace new technologies like automation, robotics, and artificial intelligence.

In short, operational risk is the risk of doing business. Small control failures and minimized issues—if left unchecked—can lead to greater risk materialization and firm-wide failures. It’s a chain reaction that can be fatal to a company’s reputation and possibly even to its existence. The maturity of operational risk varies by industry but one constant is a greater awareness and appreciation across boards and C-suite executives to better recognize, manage, and understand operational risk management steps. Despite its pervasive nature, many organizations treat the operational risk process as an obligation, adding more risk to an already risky endeavor.

To prevent an event that could cripple or kill the business, organizations should consider gaining a better understanding of their operational risk profiles as well as their risk appetite and tolerance. Leaders should formulate and adopt their own risk culture in addition to setting a much-needed compass of moral and ethical guidance for their organizations. They also need to prioritize, understand and better articulate the materiality of risks in an effort to make informed decisions that balance organizational needs, client and customer demands, product and service specifications, and shareholder requirements.

With stakes this high, it’s time to make ORM an organizational imperative and recognize the operational risk management process as a critical C-suite tool. Effective management of operational risk management steps can encourage greater risk taking and increased visibility. Well-informed C-suites can then the leverage operational risk management process to drive competitive advantage.

Back to top

Painful lessons, common challenges

For many organizations, ORM is the weakest link to building a sustainable, reliable organization that meets the demands of customers, regulators, shareholders, and internal and external stakeholders. Organizations struggle to support a risk culture that empowers risk accountability, encourages the organization to escalate risks appropriately, and understands operational risk losses. They’re not yet able to promote organizational resilience to build client and consumer trust in the company and its brand. Some continue to operate on “blind faith” when it comes to understanding their control environment and the subsequent material operational risks to which their firms are exposed.

For these reasons, it’s more important than ever for organizations to develop strong ORM programs. Yet, despite the urgency, leaders face a number of ORM-related challenges:

  • The process is varied and complex: Operational risk has become more complex to manage as organizations are driven by advancements in technology, globalization, competition, and shrinking profit margins.
  • The function is hidden: The identity crisis that surrounds operational risk has grown because many organizations incorporate risk management in their compliance, IT, or other functions.
  • Systems and programs are disconnected:  Because ORM grew up as a largely reactive function, many firms find themselves besieged with manual and disjointed systems, over-engineered programs, and metrics that are reported for the sake of regulations or compliance.

For many organizations, ORM is the weakest link to building a sustainable, reliable organization that meets the demands of customers, regulators, shareholders, and internal and external stakeholders.

Back to top

Steps for driving better business decisions

To develop strong ORM programs, organizations should:

  • Establish ORM as an integral function: Establishing ORM as a central function and promoting firm-wide understanding of the program’s responsibilities are key to the ORM program’s value proposition.
  • Leverage technology for change, not simply reporting: Technology can increase ORMs value to the business, the C-suite, and the organization.
  • Let ORM stand alone: One of the main functions within an operational risk program is capturing and aggregating operational risk data.
  • Focus ORM on risk, not rule breaking: ORM functions add real business value when they refrain from testing for violations of the rules and focus on helping the business reduce material risk exposures and extend risk-taking activity where the business benefits outweigh the risks.
  • Position ORM as a partner, not a competitor: The effectiveness of an ORM team is, in part, dependent on its ability to partner with other functions within the organization.

Back to top

Using operational risk management as a competitive differentiator

  • Change the perception of operational risk from risk prevention to calculated risk enabler: Embrace the value of strong ORM intelligence to encourage better risk taking and improve competitive advantage. 
  • Align the maturity of the risk framework to the complexity of organization’s strategic objectives: Choose ORM tools necessary to support the organization's strategic objectives.
  • Embed ORM into the fabric of the organization: By integrating ORM governance, oversight and challenge functions in all aspects of the business lifecycle, organizations can take advantage of an independent view without retribution. 
  • Develop automated approaches to monitor and collect control behavior data aligned to material risks in the firm: Build, buy or leverage systems and programs to gather, aggregate and interpret information to ensure compliance with employee ethical behavior.
  • Empower boards and C-suite to hold the organization accountable for decisions that generate heightened risks, control failures, and losses: Information is power, by using the power of the information that ORM provides boards and C-suite executives can create the “tone at the top” message that resonates with the organization. 
  • Provide flexibility to meet regulatory changes and expectations: Develop a broad ORM framework that considers regulatory requirements now and into the future. 
  • Achieve transparency within the product lifecycle: Build awareness of operational risks from product development through product end of life to make better product decisions. 
  • Support strong assurance relationships to develop a results-driven culture: Partnering ORM and the businesses encourage a culture focused on organizational success.

Back to top

More prepared, more effective

Organizations that successfully implement a strong ORM program can realize big benefits. Here are some of the advantages:

  • Better investments
  • Stronger brands
  • More effective performance reporting
  • Greater customer loyalty and relationship confidence

ORM earns client respect by demonstrating the company’s preparedness to handle loss or crisis events.

Back to top

What’s the right size?

When executives look at ORM programs, they should strive to build the strongest, best function for their company. For executives to build the strongest ORM programs, they should think about the limited resources they have and “right-size” them to help meet their most pressing business objectives. This includes leveraging resources, technology, and program management.

For example, from a personnel and human resources perspective, companies may be able to execute the ORM program by making modifications to existing resources. Looking across the technology landscape, organizations might consider using a united technology platform to aggregate the technology solutions that support different operational risk components (including risk control selfassessments, key risks, performance, control, and loss scenario analysis). As for the operational risk program itself, depending on regulatory requirements and rationales for certain components, organizations may look to reduce unnecessary components and re-prioritize risks to identify and build a comprehensive approach to managing material risks.

Considering these factors—with an eye toward rightsizing—is an important component of ORM program success. With the correct tools, talent, and support, the ORM function can build and sustain the value proposition that they advance as an integral corporate function.

Back to top

How Deloitte can help

Deloitte Risk and Financial Advisory helps organizations turn critical and complex operational risks into opportunities for growth, resilience, and long-term advantage. We challenge conventional thinking regarding ORM by reshaping or tailoring the design, focus, and capabilities of the typical operational risk framework. 

The result? Organizations that partner with Deloitte to implement ORM programs are often better positioned to gain competitive advantage, a stronger brand reputation, and sustainable financial returns. Learn more about Deloitte's solutions to operational risk management.

Back to top

Predictive risk intelligence—a risk monitoring strategy

Boards, shareholders, regulators, customers, and business partners alike not only request transparency, but also demand that companies demonstrate the ability to execute on risk management decisions using established and emerging risk intelligence methods and technologies. By introducing the concept of predictive risk intelligence, Deloitte can help clients think proactively about how risk monitoring occurs throughout the management lifecycle.

This paper introduces the concept of PRi, defines three strategies of risk monitoring, and describes how implementing a PRi program can apply a forward-looking lens on upcoming risks, with information on potential losses and trends that could affect your organization.

By understanding how risk occurs, organizations can become better equipped in not only preventing it but handling it if it does occur. This can be divided into three categories:

  • Reactive risk monitoring: This is the initial monitoring mechanism where the organization tracks and reports loss events after they happen. Process plan and the ability to prevent recurrence of similar events in the future.
  • Integrated risk monitoring: The next stage of monitoring that utilizes passive and active risk, performance, compliance, and control indicators to objectively report on risk performance thresholds periodically, or in near real-time. Its primary emphasis is the timely report-out on risks given identified assessment criteria, the status of established benchmarks, and interpretation of risks deviating from performance standards such as organizational risk appetites.
  • Predictive risk monitoring: A technique that helps organizations discover potential risks and threats, including types of risk not covered by existing risk indicators.

To learn more visit our Predictive risk intelligence landing page.

Back to top

Globe
Did you find this useful?