Operational Risk Management

 Risk and Opportunities Optimized


Businesses are forced to be agile and to make changes at a rapid pace, and new risks continuously emerge. Organizations have to work in a more interconnected manner, and risk management programs need to be collaborative.

The success of any Risk Management program depends on the employees of the organization adopting the methods and tools used to implement it. Risk Central was built from the ground up to address the needs of the 1st, 2nd and 3rd lines of defense in your organization.

The application has been designed to be simple to use for the 1st line of defense (LOD), while processes can be easily tailored without coding, enabling the 2nd and 3rd LOD to implement, manage and monitor the program.

ADAPTABLE

Screens & data fields, workflow stages, review & approval cycles and reporting can be built to suit the unique Risk and Compliance Management practices of each organisation without coding effort. The risk team or the operational departments can be enabled to define this with minimal training.

Outcomes

  • Ensures the quick Implementation of the system and processes

  • Customizations can be done using Configurations without Coding

  • Business Users can maintain and manage the application

  • Real-time changes enhance end-user and business-as-usual usage

USABLE

Standardised business user screen designs ensure that all the staff in the organisation have very few clicks and navigations to learn. The clean, clutter-free user interface makes complex applications like risk management more welcoming. These user considerations allow fast adoption and foster sustainable usage from everyone.

Outcomes

  • Risk management activities can be implemented organization wide
  • Enables employees to be more forthcoming to report Risks
  • Better data is available for accurate analysis and mitigations
  • Enhances the Risk Culture across the organization

Operational Risk Management

  • Standardized Risk & Control libraries can be defined.
  • Risk Control Self Assessment can be performed at any organization level.
  • Periodic Control testing can be scheduled.
  • Risk Heatmaps and KRI Dashboards can be viewed for monitoring

Manage Risks at Strategic or Process Level

TOP DOWN RISK MANAGEMENT

Risk Central provides the framework for Top-Down risk management for Enterprise and Business risks. The application has 2 levels, the Enterprise and Business Levels, where risks related to Enterprise entities like Strategy, Operations, IT and Business entities like Product Lines, Business Lines can be defined.

Risks can be linked and a hierarchy can be created, and where necessary Bottom-Up risks too can be associated.

BOTTOM UP RISK MANAGEMENT

The Execution Level of the solution addresses the Bottom-Up approach for Departmental, Process, Product, and other risks. An unlimited parent-child risk hierarchy can be created at this level to deliver granular management of risk areas.

These risks can also be linked to Business or Enterprise level risks depending on the organizational needs.

INCIDENT MANAGEMENT

Loss events and other Incidents can be reported across any line of defence.

Managers and Risk teams get early warning notifications and can track incidents to closure.

Insurance recoveries for losses can be updated as and when they occur.

Intuitive Dashboards allow you to analyse trends.

INTEGRATION WITH THIRD-PARTY SYSTEMS

Risk Central provides REST APIs to collect Incident information from other systems.

Excel-based templates support upload of Incident data.

Dashboards can be designed to provide integrated views for Risk Monitoring.

COMPLIANCE ASSURANCE

The system allows recurring time-based compliances to be created and their status to be monitored regularly. It automatically triggers compliances to the right users in the organization, allowing them to mark compliances as complied and upload proof.

Automatic compliance reminders and escalations keep compliance owners updated on upcoming compliances, increasing the overall compliance level of the organization.

 

Features

Objective Library and Balanced Scorecard

Risk Central can be used to define the Strategic Objectives and supports Performance Management.

This module can be used as a simple library of Objectives and Key Performance Indicators. The module also works as a comprehensive Balanced Scorecard for robust Performance Management. Specific or common Scorecards can be assigned to multiple Roles and Users, enabling both individual and common goals to be achieved. Risks can be linked to Objectives, and KPIs can be associated with KRIs using custom formulas to achieve the ‘Likelihood of Success’ and ‘Objective Centric Risk and Certainty’ management metrics.

Automated workflows and Initiatives management ensure that everything is actionable and measurable.

Entity and Risk Hierarchies

Risk Central lets you see all potential risks in one place, prioritize those risks, assign ownership, and respond to them.

The Entity Hierarchy allows a hierarchical structure of Business Units, Product Lines, Business Lines, Business Services, Departments, Assets, Vendors and other elements to be defined across 3 levels – Enterprise, Business and Execution.

The Risk Hierarchy enables a parent-child taxonomy to be defined centrally and assigned to Roles and users across the 3 levels defined in the Entity Hierarchy. The Risks can be assigned to Business Units or even to satellite administrative units like BCM or HR to manage specific Risks across multiple Departments.

Risk Registers and Risk Control Self-Assessment (RCSA)

The Risk Registers enable Risk Assessments and Risk Treatments to be performed by authorised personnel.

Risk Central provides a comprehensive RCSA solution that allows organizations to conduct regular risk-control reviews with simplicity across a wide range of identified risks, and to evaluate associated controls and their effectiveness.

Questionnaires/Surveys can be used to collect some or all of the information required for an RCSA. The system can auto-calculate residual risks based on various events and changes or exceptions happening in the underlying processes.

RCSA outputs are used for the development of risk action plans. Action plans might include improving the effectiveness of existing controls or introducing new controls to address issues.

Qualitative, Quantitative Scoring and Rollups

The application allows scoring of Risks using Qualitative or Quantitative values. The formulas to roll up the Risk values across both the Risk Hierarchy and the Entity Hierarchy can be defined.

The system automatically rolls up the values based on the formulas.

Controls Management

The Controls framework within the application is designed to address the need where one set of controls is applicable to multiple Standards and Frameworks. Controls can be reused across External Standards and Frameworks like ISO, NIST, GDPR, HIPAA or others, as well as internal policy frameworks.

Controls and Control Objectives can be defined and assessed once and used for compliance as well as Risk Management across the system. This dramatically reduces the effort to manage and monitor multiple controls across various entities.

Incident Management - Risk Events/ Loss Reporting

Risk Central has capabilities with consistent procedures for incident management i.e. incident or event recording, triaging, investigating, tracking, and closure. Incidents can be linked to organizations, processes, controls, risks, policies, and regulations to identify compliance or regulatory risk.

Events & Loss reporting workflow is business user configurable to adapt to unique organizational requirements. Automated alerts and notifications are triggered to relevant stakeholders when incidents are initiated.

Issue Management and Remediations

Issues and Remediations can be raised from various modules in the system. Multiple workflows, each having their own data collection fields for different kinds of Issues and Remediations, can be defined. These can then be assigned to stakeholders for tracking and closure.

Remediation workflows can also be integrated with other IT systems like IT Patch Management or Network Management systems to deliver the complete lifecycle of issue resolution.

Exceptions/Deviations & Self-Attestations

Control Exceptions/Deviations with their severity can be tracked and managed within the application using a configurable workflow.

Users can periodically provide self-attestations for having closed the deviations on controls, policies and process exceptions taken by them. This feature allows users to provide confirmation of compliance, ensuring that organizations stay compliant with regulatory and policy requirements. Monitoring dashboards allow organizations to track these exceptions and deviations to closure.

Key Indicators (KIs)

The solution supports Key Risk Indicators (KRIs), Key Control Indicators (KCIs) and Key Performance Indicators (KPIs). Both leading and lagging indicators, along with thresholds and notifications, can be set using the comprehensive Rules Engine. For manually collected metrics, the schedules set on each indicator automatically generate tasks for stakeholders to input the indicator values.

IT systems within the organization can be integrated for all or a specific metric enabling automatic data collection without needing manual input and reporting. The solution can be integrated with Business IT systems like Core Banking, ERP, CRM and others as well as IT Infrastructure and Security Management systems.

Risk Analyzer

This is a proprietary 360-degree risk analysis feature that helps users understand the risk drivers and their impacts based on the interlinkages.

Impact analysis can be performed on various drivers of any element for primary and derived interconnectedness.

Configurable Workflows, Drag & Drop Forms

The Risk Central Workflow management system automates multi-step processes that exist between any combination of entities / stakeholders to achieve better business outcomes.

Screens & data fields, workflow stages, review & approval cycles and reporting can be built to suit the unique Risk and Compliance Management practices of the organisation without coding effort. The risk or the operational departments can design new workflows without needing IT help.

Heatmaps, Dashboards & Reports

The application provides canned Heat Maps as well as Reports and Dashboards for every module.

Ad hoc Reports and Heatmaps can be designed by Business Users using the Dashboard Designer and the Heatmap Designer. These can then be assigned to users and roles within the system.

The intelligent Access Management feature delivers the right data within these reports to the right users based on the Role they are assigned in the system.

FAQs

Operational risk management (ORM) is a process that identifies, assesses, and controls risks that may arise from an organization’s internal processes, people, systems, or external events. It can help organizations minimize losses, increase productivity, and keep business operations efficient and effective.

The main types of operational risks are:

  • People risks are risks that arise from human error, fraud, or misconduct. These risks can be caused by employees, customers, or suppliers. For example, an employee error could lead to a data breach, or a customer could commit fraud by using a stolen credit card.
  • Process risks are risks that arise from inadequate or flawed processes. These risks can be caused by poor communication, lack of training, or outdated systems. For example, a flawed process could lead to a product recall, or a lack of training could lead to a security breach.
  • Systems risks are risks that arise from failures or disruptions to information systems. These risks can be caused by hardware or software failures, natural disasters, or cyberattacks. For example, a hardware failure could lead to a loss of data, or a cyberattack could lead to the theft of sensitive information.
  • External events risks are risks that arise from events outside of the organization’s control. These risks can be caused by natural disasters, political instability, or economic downturns. For example, a natural disaster could lead to a loss of production, or political instability could lead to a disruption in supply chains.
  • Regulatory risks are risks that arise from non-compliance with laws and regulations. These risks can be caused by a failure to understand the regulations, or a failure to implement the necessary controls. For example, a failure to comply with data protection regulations could lead to a fine, or a failure to comply with financial regulations could lead to a loss of market share.

These are just some of the main types of operational risks. Different organizations will face different types of risks, depending on their industry, size, and location. It is important for organizations to identify and assess the operational risks that they face, so that they can develop and implement appropriate controls to mitigate those risks.

There are a number of ways to identify operational risks. Some common methods include:

  • Risk identification workshops. These workshops bring together a cross-functional team of employees to identify and discuss potential risks. The team can use brainstorming, root cause analysis, and other techniques to identify risks.
  • Risk assessments. Risk assessments are a more formal process of identifying and assessing risks. They typically involve a detailed review of the organization’s operations, processes, and systems.
  • Internal audits. Internal audits are a way to identify and assess risks by reviewing the organization’s controls and procedures.
  • External audits. External audits are conducted by independent auditors and can provide a more objective view of the organization’s risks.
  • Regulatory reviews. Regulatory reviews can identify risks that are associated with compliance with laws and regulations.
  • Business continuity planning. Business continuity planning is a process of identifying and mitigating risks that could disrupt the organization’s operations. The planning process can help to identify risks that have not been previously identified.
  • Employee surveys. Employee surveys can be used to identify risks that are perceived by employees. Employees may be aware of risks that are not known to management.
  • Data analysis. Data analysis can be used to identify trends and patterns that may indicate the presence of risks. For example, an increase in the number of customer complaints may indicate a risk of customer dissatisfaction.

It is important to note that no single method is perfect for identifying operational risks. The best approach is to use a combination of methods to get a comprehensive view of the risks that the organization faces.

Once the organization has identified its operational risks, it can then assess the likelihood and impact of each risk. This information can be used to prioritize the risks and develop and implement appropriate controls to mitigate those risks.

Operational risk management (ORM) is a complex and challenging process. Here are some of the challenges that organizations face when implementing ORM:

  • Lack of awareness and understanding. Many organizations are not aware of the importance of ORM or do not understand the concept. This can lead to a lack of commitment to ORM and a lack of resources allocated to it.
  • Lack of data and information. In order to effectively identify and assess risks, organizations need to have access to data and information about their operations, processes, and systems. However, many organizations lack this data or information.
  • Lack of resources. ORM can be a resource-intensive process. Organizations need to have the time, people, and money to implement and maintain an effective ORM program.
  • Lack of a culture of risk management. In order for ORM to be successful, it needs to be embedded in the organization’s culture. This means that everyone in the organization needs to understand the importance of risk management and be committed to it.
  • Lack of communication and coordination. ORM is a cross-functional process that requires the involvement of people from all parts of the organization. However, many organizations struggle to communicate and coordinate effectively across different departments.
  • Lack of a clear risk appetite. In order to make informed decisions about risk, organizations need to have a clear understanding of their risk appetite. This means understanding the level of risk that the organization is willing to accept in order to achieve its goals.
  • Lack of a risk management framework. A risk management framework is a set of policies, procedures, and tools that help organizations to identify, assess, and manage risks. Many organizations do not have a formal risk management framework in place.
  • Lack of a risk management culture. A risk management culture is an environment in which everyone in the organization understands the importance of risk management and is committed to it. This culture is essential for the successful implementation of ORM.

These are just some of the challenges that organizations face when implementing ORM. Overcoming these challenges requires commitment from senior management, a clear understanding of the risks that the organization faces, and a well-designed and implemented ORM program.
