
   Corporate Governance (Operational Risk Management – ORM)

 

  • Operational Risk Management (ORM) is a subset of Enterprise Risk Management (ERM) that sets aside financial, reputational, “social” and strategic considerations in favor of a purely risk-averse framework focused on operations; ORM is well established in financial services (where Basel II made operational risk a distinct capital-charge category), but the version described on this page has found its greatest popularity with the military, particularly the United States Navy, which has built ORM into training at every level, from enlisted personnel to officers; unlike ERM, which seeks an acceptable balance between risk and reward, ORM relies on controls that eliminate as much risk as possible.

  • Operational risk may be characterized as the risk of loss resulting from catastrophic external events, failed internal controls, malfunctioning systems or negligent people; it includes defects in how senior management enforces corporate policies and trains personnel, as well as whatever risk is inherent in the particular operations at issue; ORM seeks to link the risks in failed internal controls to the risks in unanticipated events, which in combination may cause extensive damage to operations; ORM does not seek to eliminate all risk in all situations, which would be impossible and unrealistic, but rather to manage risk to the point that a particular military mission or enterprise process may be completed effectively, with the least possible disruption.

  • Typical examples of operational risks include: defective operational processes; external fraud and theft; internal fraud and theft; natural disasters; data breaches caused by negligence; negligent conduct (not only by employees, but also by customers, vendors and other stakeholders); employee error; poorly implemented technology solutions in sensitive security areas; poorly planned internal controls; regulatory changes; sabotage; technology that has not been stress-tested; and successful cybersecurity attacks.

  • The most critical point to remember about the implementation of any risk management framework is also the most critical weakness of every such framework: a framework is only as good as the practitioners who use it; without enthusiastic, intelligent, vigilant and well-trained practitioners it is useless, no matter how technologically advanced it may be; the classic example of that failure is the radar-monitoring personnel and their command structure at Pearl Harbor, Hawaii, on the morning of Sunday, December 7, 1941, when the incoming Japanese aircraft were detected on radar but the report was dismissed as an expected flight of friendly bombers.

  • ORM practitioners attempt to: identify risks; assess each identified risk; measure its impact; mitigate that impact; report the impacts and the mitigation or remediation taken to the appropriate senior management or senior officers; and document all actions taken, for addition to the risk repository and risk taxonomy for future study and improvement.

  • The military has expressed the basic ORM principles as follows: accept risk only when the benefits outweigh the potential costs; accept no unnecessary risk (meaning that every identified risk must be evaluated with an approved analysis tool, such as an impact-and-likelihood scale); anticipate and manage risk by planning extensively and in detail (meaning that all identified risks must be prioritized, so that the most serious risks are addressed first, rather than simply dealing with risks in the order in which they occur); and make risk decisions at the right level, so that the decision is effective and proportionate to the particular risk; in applying these principles, the strategies of risk acceptance, risk avoidance, risk control (such as the simple expedient of a firewall to prevent unauthorized access to sensitive information) and risk transfer (through insurance or a partner) may be employed as appropriate, with immediate risks mitigated as soon as possible.

  • Key risk indicators (KRIs) are especially useful in ORM for monitoring the risk landscape; KRIs are metrics that an enterprise may have designed, developed or purchased from a technology vendor, tailored to its particular operations, which trigger when some activity, pattern or trend is detected and alert ORM practitioners to a potentially dangerous risk (for example, a count of failed logins per hour that fires when it crosses a threshold or climbs for several consecutive periods); KRIs should not be confused with key performance indicators (KPIs), which measure how well some aspect of the framework is performing, whereas KRIs are designed to detect danger.

  • Besides KRIs, another powerful ORM tool is the risk and control self-assessment (RCSA), which, if done properly, starting at the business-unit level (similar to a Sarbanes-Oxley (SOX) analysis) and then scaling up through the enterprise to the C-suite and finally to the Board of Directors, is extremely useful for sharpening the enterprise risk profile; to perform an RCSA, personnel at each level document all known risks applicable to the part of the enterprise under scrutiny, prioritize those risks by frequency and level of impact, and then provide detailed information regarding all the controls used to avoid, control, eliminate, mitigate or neutralize them; the RCSA may also serve as a baseline reference for acting against such risks, for example by: assisting in the development or improvement of controls; creating a database of enterprise-wide methodologies for measuring and assessing risk; establishing a glossary of standard risk terminology for use throughout the enterprise; incorporating KRIs to develop trend analyses that identify patterns in risk-related activity; and serving as a reference for budgetary and reporting purposes.

  • Pundits have opined that implementing a robust ORM framework may bring added benefits to an enterprise, for example: attraction of investors (who may see the ORM implementation as a strong shield protecting the enterprise supply chain); better forecasting about the continuity of operations (since the enterprise can look back on all the risks it has addressed and the likelihood of their recurrence); efficient reporting (drawing on the risk repository and risk taxonomy); an enhanced ability to counteract threats swiftly (avoiding the large monetary impact of disrupted operations); enhanced expertise (recognition within the industry as a technology leader with expertise in ORM); an enhanced reputation for the Board of Directors and C-suite (industry analysts will note that the executives were perspicacious enough to identify the need for an ORM framework and took the necessary steps to implement it); an enhanced reputation for the enterprise itself (the public will view the ORM implementation as an outward sign that the enterprise values the continued safety of its operations); improved brand recognition (flowing from the other benefits noted in this paragraph); and more efficient production operations, and thus better products (the enterprise can continuously produce with its own operations, without fear of disruption, and need not rely on outsourcing, which might degrade product delivery and integrity).

  • As might be expected, the military analysis of risk is terse and to the point, using a 5-step process and a risk assessment matrix (RAM) that visually quantifies the probability and severity of each identified hazard:

    • Step 1 – identify the risks (here “risk” means anything that may prevent a mission from succeeding, or that may cause death, injury or property damage to the participants in the mission or to others within its scope), by analyzing the mission and orders, listing all perceived risks that might cause the mission to fail, and using root-cause analysis to plan ways around each of them;

    • Step 2 – assess the risks (using essentially the same methodology as an RCSA, weighing the probability of a hazard against the severity of its impact) by placing each on the RAM;

    • the probability element (the horizontal axis of the RAM) has four categories: A – likely to occur immediately or within a short period of time; B – will probably occur in time; C – may occur in time; D – unlikely to occur;

    • the severity element (the vertical axis of the RAM) also has four categories, each describing the worst credible outcome for the participants in the mission or anyone within its scope, for assets and facilities, and for the national interests of the United States: I – Grave (death, loss of an asset or facility, or grave damage to national interests); II – Severe (severe illness, injury or property damage, severe degradation of the mission’s purpose, or severe loss of an asset or facility or damage to national interests); III – Minor (minor illness, injury or property damage, minor degradation of purpose, or minor loss or damage); IV – Minimal (minimal illness, injury, property damage, degradation of purpose, or loss or damage); the cell where a probability column meets a severity row yields a risk assessment code that ranks the hazard against the others;

    • Step 3 – make risk decisions (such as whether to avoid, compensate for, delay, reject or transfer the risk) and establish controls (administrative controls, engineering controls, or physical controls, such as putting up a fence);

    • Step 4 – implement the controls decided upon in Step 3;

    • Step 5 – supervise: document, manage and monitor the controls from Step 3, and revisit the assessment whenever the situation changes.
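The five steps above, together with the KRI monitoring discussed earlier, carried through as a worked example in Python. This is an added illustration and not the Navy's or any vendor's code: the A-D probability and I-IV severity scales are those described above, while the mapping of matrix cells to a 1 (critical) to 5 (negligible) risk assessment code, the sample risk register and the KRI readings are constructed assumptions for the example.

```python
"""Worked ORM cycle: identify, assess on a RAM, decide/implement controls,
supervise with a KRI. Added example; the RAC layout, register and KRI
readings below are constructed assumptions, not the Navy's published data."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

PROBABILITY = ("A", "B", "C", "D")   # A: likely soon ... D: unlikely
SEVERITY = ("I", "II", "III", "IV")  # I: grave ... IV: minimal

# Risk assessment matrix, RAM[severity][probability] -> risk assessment code (RAC).
# RAC 1 is critical, RAC 5 negligible. Assumed cell layout for this example.
RAM = {
    "I":   {"A": 1, "B": 1, "C": 2, "D": 3},
    "II":  {"A": 1, "B": 2, "C": 3, "D": 4},
    "III": {"A": 2, "B": 3, "C": 4, "D": 5},
    "IV":  {"A": 3, "B": 4, "C": 5, "D": 5},
}


@dataclass(frozen=True)
class Risk:
    """One register entry (Step 1: identify)."""
    name: str
    probability: str                 # inherent probability, A-D
    severity: str                    # I-IV
    control: Optional[str] = None    # set in Steps 3-4
    residual_probability: Optional[str] = None  # probability left after the control


def assess(probability: str, severity: str) -> int:
    """Step 2: read the RAC for a (probability, severity) pair off the matrix."""
    if probability not in PROBABILITY or severity not in SEVERITY:
        raise ValueError(f"bad RAM coordinates: {probability}/{severity}")
    return RAM[severity][probability]


def current_probability(risk: Risk) -> str:
    return risk.residual_probability or risk.probability


def rac(risk: Risk) -> int:
    """Current RAC: residual if a control has been applied, else inherent."""
    return assess(current_probability(risk), risk.severity)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register so the most serious risks are addressed first:
    lowest RAC first, ties broken by severity, then by probability."""
    return sorted(register, key=lambda r: (rac(r), SEVERITY.index(r.severity),
                                           PROBABILITY.index(current_probability(r))))


def apply_control(risk: Risk, control: str, residual_probability: str) -> Risk:
    """Steps 3-4: record the chosen control and the probability it leaves.
    Controls here lower probability; severity stays with the hazard itself."""
    if residual_probability not in PROBABILITY:
        raise ValueError(f"bad probability: {residual_probability}")
    if PROBABILITY.index(residual_probability) < PROBABILITY.index(risk.probability):
        raise ValueError("a control cannot make a hazard more likely")
    return replace(risk, control=control, residual_probability=residual_probability)


def kri_alert(readings: list[int], threshold: int, rising_periods: int = 3) -> Optional[str]:
    """Step 5 (supervise) with a key risk indicator. Unlike a KPI, a KRI fires
    on danger: the latest reading reaching the threshold, or the indicator
    rising for `rising_periods` consecutive periods (a trend, not yet a breach)."""
    if not readings:
        return None
    if readings[-1] >= threshold:
        return f"threshold {threshold} reached: {readings[-1]}"
    tail = readings[-(rising_periods + 1):]
    if len(tail) == rising_periods + 1 and all(b > a for a, b in zip(tail, tail[1:])):
        return f"rising for {rising_periods} periods: {tail}"
    return None


def run_example() -> dict:
    """Run the whole cycle over a constructed register for a payments operation."""
    register = [
        Risk("Unpatched internet-facing VPN appliance", "B", "I"),
        Risk("Vendor invoice fraud via spoofed email", "A", "II"),
        Risk("Regional power outage at primary site", "C", "II"),
        Risk("Typo in manual journal entry", "A", "IV"),
    ]
    before = [(r.name, rac(r)) for r in prioritize(register)]
    # Steps 3-4: work the list top down; the two RAC-1 items get controls first.
    register[0] = apply_control(register[0], "emergency patch and MFA on the VPN", "D")
    register[1] = apply_control(register[1], "dual approval for payee detail changes", "D")
    after = [(r.name, rac(r)) for r in prioritize(register)]
    # Step 5: constructed hourly readings of the KRI "payee changes awaiting second approval".
    readings = [2, 3, 3, 4, 6, 9]
    return {"before": before, "after": after, "kri": kri_alert(readings, threshold=15)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Running the block prints the register before and after controls: the two RAC-1 hazards move to RAC 3 and 4, so the next item to work becomes the uncontrolled power outage, and the KRI fires on the rising trend even though the threshold has not yet been reached, which is the distinction from a KPI that the text draws.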

  • As also might be expected, the military has developed a shortcut to streamline ORM analysis in emergencies, called time critical risk management (TCRM); its analysis diagram (the “ABCD Model”) is somewhat harder to grasp than the 5-step method outlined above, and it makes the bold assumption that a leader in the field (even a junior one, down to a second lieutenant, sergeant or corporal) can perform the ABCD analysis while simultaneously maintaining complete situational awareness (SA) of the battlefield; TCRM uses a 4-step approach that combines the first two steps of the 5-step method: Assess the impending situation; Balance the resources at your disposal under the circumstances; Communicate the risks and your intentions to your superiors and your team; and Do and Debrief, carrying out the action and then reviewing the entire risk event once the emergency has been contained; the Civil War cavalry axiom “Get there the firstest with the mostest!” (attributed to Nathan Bedford Forrest) sums up the TCRM approach clearly and succinctly.

  • The military stresses the following attributes as prerequisites for all personnel performing either the 5-step ORM analysis or the 4-step ABCD analysis (in no particular order): adaptability; assertiveness; communication; decision-making; flexibility; leadership; mission analysis; and situational awareness (SA).

  • Pundits generally point to the following actions when implementing an ORM framework (in no particular order of importance): enabling change management (regulatory or otherwise); identifying all supporting technology (such as an ORM software platform) and ensuring that it is operating to full capacity; enabling a feedback loop for all end users; mapping controls, processes and risks back to their assumed point of risk impact (such as particular departments and divisions); monitoring all controls and corresponding risks through metrics such as KRIs; training all risk practitioners in their assigned tasks within the ORM framework (perhaps the most important action); and verifying that resource planning is linked to the specific processes required to manage risk, with enough resources available in the event of a risk emergency.

  • Drafting and negotiating all ORM-related documents, and providing legal support for all ORM tasks.

   Progress_Page_Last_Updated_221104_2102
