CONNECTED RISK MANAGEMENT

Many things can disrupt the business. The measure of this disruption is operational risk. Understanding the true scope, nature and impact of risk to operations is more possible than ever before. While the individual needs of different functions are often best supported by use of separate technologies, connecting them and the data they manage provides the holistic view of operational risk needed to support informed business decisions. In this illustration, we outline what connected management of operational risk looks like and how having it benefits the organization.

[Illustration: the panel text below is recovered from the infographic layout; the central diagram (integrated risk management built on consolidated data from internal and external sources, third-party services, business systems and technology, feeding integrated risk analytics, integrated insight and data-driven performance) and the screen mock-ups are not reproduced.]

DEFINING OPERATIONAL RISK
Any event that can disrupt business processes presents an operational risk and potential for loss. Failed procedures or systems, employee errors or improper actions, unidentified regulatory change, model use failures, unexpected business actions, fraud and other criminal activity – all present operational risks.

THE OPERATIONAL RISK TEAM
The team should include business risk managers in each unit, together with a number of risk specialists, including:
• legal
• insurance
• security
• data privacy
• fraud management
• cyber risk
• disaster recovery
• third party management
• business continuity
• environmental, health and safety
• compliance

STRATEGIC PLANNING
We can fine tune our strategic design over time by monitoring the realization of risk and impact on strategic execution. Having a risk intelligent view of the business helps us determine how strategic design quality and effectiveness of execution contribute to performance outcomes.

EMERGING RISK
Our connected platform provides better visibility to the state of the business and potential impact of emerging risks.

COSTS & BENEFITS
Having a connected view of operational risk supports our ability to define potential impact and increases confidence that we can meet our financial objectives.

INFORMATION TECHNOLOGY
We can stand up integrated operational risk applications and meet business needs faster on our connected platform.

ENHANCES BETTER BUSINESS DECISIONS
When risks are well understood, they can be used to the advantage of the business. By combining multiple risk data streams in one system with advanced data mapping capabilities, everyone with responsibility for identifying and responding to operational risk can contribute to meaningful decisions about business plans and risk management. Systems offering connected management of operational risk provide the ability to:
• Enable integrated ecosystem of internal and external content and technology to inform decision-making
• Establish a dynamic view of risk appetite that changes as inputs change
• Develop and maintain an aggregated picture of risk across the business
• Monitor business trending risk data to inform a predictive view of emerging risk
• Track and manage status and impact of risk projects across the business
• Support unified self-assessments and compliance processes

OUTCOMES OF INTEGRATED RISK MANAGEMENT
· Strategic business context
· Evidence driven and risk based
· Improved efficiency and resource allocation
· Reliable, repeatable SOX processes
· A standardized approach to risk decision-making
· Clarity on risk and control context and priority
· Real time audit trail and reporting

RISK APPETITE
As you define our risk appetite and tolerance for each category of risk, we’ll establish appropriate controls, monitor and manage issues that arise, and track factors that might lead to a change in appetite.

RISK REGISTER, RISK REPORTS, RISK EVENTS, CONTROLS LIBRARY AND INCIDENTS
(Screen mock-ups show a risk register with categories fraud, workplace safety, business disruption, products / services, processes and other; risk reports for board / C-suite and departments; a controls library with controls changes and summary; an incidents view by type, location and product; and a risk events workflow: intake > investigation > analytics > resolution.)
We’ve completed scenario analyses for a variety of op risks and identified events and changes we need to track in the external and internal environments.
Our tracking of external risk information has also informed our decisions on how to address these issues.
We’ve analyzed similar issues in several departments and found one root cause, so we’ve been able to identify and remove the driver of this type of risk event.
We’ve got established taxonomies of risks across our operations, so our appetite decisions and management should be consistent.
By using the same methodologies across the company we’re able to develop consistent management approaches.
Looking at the consolidated information from different angles helps us see what is really going on.

OPERATIONAL RISK APPETITE AND TOLERANCE
• Establish risk policy with clear decision-making guidance
• Align appetite and tolerances to specific objectives
• Communicate broadly throughout the organization

SELF-ASSESSMENT AND CONTROL PLANNING
• Deliver information to support well-reasoned risk decision making
• Streamline assessment processes and controls aligned to risk appetite
• Enable effective review and challenge by risk leadership team

INCIDENT IDENTIFICATION AND EVENT MANAGEMENT
• Manage with consideration to multiple effects and contributing factors
• Coordinate responses to risk incidents to minimize direct and cumulative impacts
• Evaluate and address deviation from tolerances and impact on strategy
• Leverage occurrences to better inform future risk decision-making

INDICATORS AND REPORTS
• Manage and monitor action plans to maintain risk within tolerances
• Establish data driven alerts and actions based on indicators and established thresholds
• Enable 360º reporting throughout the management process for all affected stakeholders
• Customize real-time lenses providing relevant analytics and metrics for each audience
Contact info@oceg.org for comments, reprints or licensing requests ©2018 OCEG for additional resources visit www.oceg.org/resources
[GRC ILLUSTRATED]
I am sitting in a pub in London having a last pint before I fly home in the morning. After an intense week of interactions with organizations my mind is laser focused on the burning issue of the day: operational resiliency.

The FCA, PRA, and Bank of England have recently released a discussion paper focused on the need to build greater operational resilience in organizations. This challenge is much broader than just the United Kingdom and financial services; it is an issue that crosses the globe and industries. How do we build resiliency in our business to risk and disruption?

Today’s organization is complex and chaotic—in a constant state of metamorphosis. Keeping complexity and change in sync is a significant challenge for operational risk management functions. Consider that the modern organization is:

»» Distributed. Traditional brick-and-mortar business is a thing of the past: Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries with distributed operations complicated by a web of global relationships.

»» Dynamic. Organizations are in a constant state of change. Distributed business operations are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world. The multiplicity of risk environments an organization monitors spans regulatory, geopolitical, and operational risks across the globe.

»» Disrupted. The intersection of distributed and dynamic business brings disruption. Change (dynamic business) combined with complexity (distributed operations and relationships) means the organization is easily disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk information across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, and volume of risk are overwhelming—disrupting the organization and slowing it down at a time when it needs to be agile and fast.

In defining operational resiliency, I can think of nothing stronger than leveraging the OCEG definition for governance, to reliably achieve objectives, while addressing uncertainty, and act with integrity. To be operationally resilient requires that we understand the operational objectives of the organization and in that context manage the risk and uncertainty in hitting those objectives while operating within the boundaries of values and requirements set on the organization.

Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.

Connecting ORM and BCM is just part of achieving operational resiliency. To be resilient requires that the organization also manage the intersection of compliance, information security, business operations/processes, performance, third-party management, and other risk functions. Operational risk management is an umbrella covering a lot of risk departments that have historically operated in silos. These silos need to collaborate and connect in a broader operational risk strategy focused on the operational resiliency of the organization.

Managing operational risk activities in disconnected silos leads the organization to inevitable failure. Decentralized and disconnected distributed systems of the past catch the organization off guard to risk. The complexity of business and intricacy and interconnectedness of risk requires an integrated approach. Silos of risk fail to actively manage risk and leave the organization blind to intricate relationships of connected risk across the organization. An ad hoc approach to operational risk management results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk as an integrated part of business.

Distributed, dynamic, and disrupted business demands a strategic approach to operational risk strategy and process enabled with an integrated information and technology architecture. The organization needs complete situational awareness of risk across operations, processes, relationships, systems, and information to see the big picture of risk and its impact on organization performance and strategy. ■

Michael Rasmussen is the GRC Economist and Pundit for the analyst firm GRC 20/20, and an OCEG Fellow.