Operational Risk Management
Seven Keys to Effective Operational Risk Management
OVERVIEW
Over the past few years Operational Risk Management
has garnered increased interest. It is not a new
concept but the recent regulatory compliance
challenges and need for better performance management
has moved it from an informal concept to a formal
process.
Now a significant component of an organization�s
Enterprise Risk Management program, Operational Risk
Management must be managed effectively. The Polivec
Enterprise Governance Solution can help your
organization manage the many components efficiently,
enabling your Operational Risk Management program to
achieve its goals
SEVEN CRITICAL COMPONENTS
While each organization will have its own unique goals
and requirements, there are some general components
that are critical to any effective risk program.
1. Document Risks. As risk assessments are performed
and updated, it is critical to keep risk documentation
updated. Many organizations do a good job of
documenting their risk during the primary assessment
phase, but keeping all those documents organized and
fresh as additional assessments are performed is a
challenge. Having a centralized repository to
automate this component is an important first step.
2. Implement Controls. Once risks have been
identified, the next step is to begin implementing
controls for those risks. Controls may be manual or
automated, but they must be clearly documented. As
with risk assessments, keeping control documentation
updated and relevant is critical and a document
repository is an invaluable tool to assist in this
area.
3. Map Controls to Risk. A common difficulty for most
organizations is maintaining the relationship between
controls and the risks they are addressing. Because
the two are often maintained separately, and
frequently by different people, ensuring that a change
in one is reflected in the other is a challenge.
Looking at a risk, an organization must be able to
quickly see all controls implemented for that risk,
and a control should be easily traced back to the risk
it is meant to address.
4. Educate Employees. Your employees are a critical
component of your risk management program, so without
a proper employee awareness program, you will not be
successful. While most employees want to do the
right thing, they cannot be expected to seek out risk
and control information. Instead, they must be
presented with the policies and procedures that are
relevant to their role.
5. Evaluate Control Effectiveness. There are many
tools that can be used to gauge the ongoing
effectiveness of controls. One of the most popular
and effective is the Control Self Assessment. It not
only provides import information that can be used to
adjust your control environment, but it also gives
business owners a sense of ownership of the controls
and the control review process. Having a solution to
automate the creation, distribution and collection of
self assessment surveys is a significant benefit that
organizations should strongly consider.
6. Audit Controls. The internal audit team helps to
ensure that controls are being followed by performing
periodic audits. Tracking the myriad of audit
activities is a daunting task. In addition, audit
activities generate a significant amount of documents,
spreadsheets and other files that must be organized.
Polivec EGS can help organizations track all audit
activities and audit artifacts.
7. Monitor Key Risk Indicators. With all of the other
pieces in place, you can now begin to truly manage
operational risk. Just as with other risk
disciplines, it is important to identify and track key
indicators of risk performance. These indicators
allow you to make decisions, adjust your risk
tolerance and react to special situations quickly.
MEASUREMENT ENABLES MANAGEMENT
Most organizations will agree with these seven keys
and many have already been implemented. However, the
most common method of addressing these needs is
through the use of manual processes or re-purposing
systems meant for other tasks. The most critical
component of building an effective Operational Risk
Management program is to automate and integrate as
much of these requirements as possible.
It is only through the integration of all risk
activity and data that you can truly measure the
operation and effectiveness of your program. And it
is only through accurate measurement that you can
efficiently manage operational risk.