Damage Control: Best Practices for Operational Risk Management


Most companies know there will be some internal problems due to worker errors, system failures, fraud and other problems that disrupt business. As scary as that sounds, there are specific ways to handle operational risks, or even prevent them to minimize the damage to the reputation of your business.

According to Riliance Software Limited, operational risk is due to a company’s own internal activities. The risks can also include inadequate or procedural risks, as well as system or policy failure risks. They recommend creating an operational risk management (ORM) plan, starting by evaluating your risks. Once you know what they are, you can then go ahead with your ORM plan.

    1. Navigating Your Risks: Mapping a Strategy

The first step in risk identification is to list all possible risks that your business may encounter. The scope of your ORM framework will help you do this, so expect it to grow as you work on the ORM plan. Some risks come from the following:

    • Vendors
    • Internet Technology
    • Compliance
    • Financial Reporting
    • Processes and Systems

ORM planning means thinking about disaster recovery, business cohesion, compliance and data security. Produce a risk map that clearly outlines every scenario your company may face. Keep in mind that most operational risks are due to the following factors:

    • Human Error
    • Criminal Activity
    • Internal System Failure
    • Weather or Other Disruptive Events

Look at each of these factors and then create a strategy to handle all possibilities. Collect all the risks and list how they relate to each other, such as:

    • Regulations
    • Controls
    • Policies
    • Procedures
    • Tests and Indicators

    2. Create the Foundation for a Rock Solid ORM Plan

The second step is to create a solid foundation that includes:

    • Risk & Control Self-Assessment – RCSA determines the main operational risks to your business, so you will be able to target those that have the most impact on your business.
    • Key Risk Indicators – You can use KRIs to create the basic framework for reporting problems and measure operational risks consistently across your company. They should help you monitor issues, and even give you an early warning of problems or control issues that may be lurking just below the surface.
    • Loss Events – Loss events help you identify and analyze your operational losses to minimize negative consequences. Use them to do root cause analysis and create complete reports to help identify even more risks and fixes in order to improve your ORM plan over time.
    • Issue Management – This step is to record any issues that link to risk assessment, such as loss records, ad-hoc issues, key risk indicators and internal and compliance audits. It is also helpful for assigning tasks, prioritizing and setting completion dates, as well as identifying and documenting all subsequent actions.

    3. Connect All ORM Procedures

The third step is to create reports for each operational risk that go to management to help them connect all ORM processes. This ongoing process will help indicate where the risk assessments fell short or where the company experienced surprise losses after an event. Management will assign the right team to each risk and solution, too.

    4. Setting the Scene: Key Risks

The fourth step targets the key risks and encourages collaboration between departments and managers. Scenario creation and capital calculation are also a part of this step. Identifying the causes of risks, what happens during a situation and how your staff reacts to each is key. Use the data from all your ORM processes, as well as the scenario process, to determine your operational risk capital, too.

    5. Presentation Perfection

The fifth step is to present your reports on the key risks and scenarios to upper management so they can compare them to the risk appetite statement your board of directors or senior staff has compiled. Here is where your second step comes into play, helping your ORM plan focus better on the needs of your company.

Use this step to make the final adjustments and strategic changes to mitigate risks even further by linking the risk to the strategy, and then communicating all processes to your higher-ups.

    6. Involving Your Business and Audit Teams

Your ORM plan should go under review by your audit and business teams from the beginning; however, once it is completed and ready to use, they need to give it a final read in this final step. They will make sure that all processes address their requirements, and that they will operate smoothly by making sure communications between all teams are effective.

In their report, “Update to Sound Practice Guidance – Risk Control Self Assessment,” the Institute of Operational Risk states, “There is no ‘one-size-fits-all’ approach to the management of operational risk. However by drawing on the experience of practicing risk professionals, it is possible to identify examples of good practice.” Once you finish your ORM plan, you can use it to balance the weight between risk and opportunity. This way you will know what steps to take to help your business continue to be a solid success in today’s marketplace.

Alana Aston is an operations manager at a busy auto parts supplier. In her spare time, she enjoys blogging about the things she learns on the job.
