Top Ten Requirements of Operational Risk Management

Thursday, November 01, 2001

By James Lam, founder and vice chairman of ERisk.

Copyright (c) 2001 ProQuest Information and Learning. All rights reserved. Copyright Risk Management Society Publishing, Inc. Nov 2001

Although operational risk is difficult to quantify, significant benefits can be gained from its successful management. The following ten steps to operational risk management can help increase the likelihood of achieving business objectives and reduce operational losses:

1) Define it, and move on. Many initiatives do not get off the ground because too much time is spent trying to come up with the perfect definition for operational risk. Instead, a company should adopt a common definition, such as "risk of loss due to failures in people, processes and systems or an external event," or create a more tailored and workable definition, which can always be changed later on.

2) Put someone in charge. While it is true that operational risk management is everyone's job, someone needs to be accountable for developing its infrastructure, policies and outcome measurement, as well as integrating its activities within the overall enterprise risk management program. While a cross-functional committee should be established to develop and implement operational risk controls, one operational risk officer should be appointed to have overall responsibility for the project.

3) Have a Letterman list. A common complaint from board members and senior management is that they get too much data and not enough information. Every company should identify the top ten risks it faces, using self-assessments, risk maps and operational risk metrics.

In many cases, these risks can account for over 80 percent of potential losses. Further, each risk should be specific enough to be actionable, and management methods should be tested against historical losses and incidents to ensure quality.

4) Know your losses. Until recently, most companies did not systematically capture the levels, trends and sources of operational risk losses. Specific losses are often netted against revenue or grouped in a generic error account. Companies should include operational losses as part of the general ledger and management reporting. Specific incidents such as policy violations and systems outages should also be included.

5) Have good brakes. Some compare risk limits to brakes on a car and worry that they will slow down a business. But while brakes do allow a car to slow down or stop when it needs to, they also give the driver the confidence to go even faster (e.g., race cars have the best brakes). For operational risk, having good brakes means setting performance goals and limits for each operational risk area and instituting regular reviews to ensure appropriate decisions and actions.

6) Create one dashboard. Operational risk metrics should be integrated into an enterprise risk management report, or better yet, be part of the overall performance measurement for the company. Risk reporting should include losses, incidents and early warning signals, with key risk indicators measured against performance goals and limits.

7) Peel the onion. It is not enough to measure and report on operational risk. A company must also identify, understand and fix the root causes for operational problems. After all, the best management strategy for operational risk is early detection and prevention.

8) Break down the silos. This includes the silos between line management and risk management, as well as the silos between the risk and control units themselves (e.g., audit, risk management, compliance). Risk committees, roles and responsibilities, and risk management strategies should be rationalized. The enterprise risk management program should also be coordinated with other enterprise initiatives, such as quality management.

9) Transfer risk if the price is right. Risks deemed undesirable should be transferred from the company only if the cost of risk transfer is lower than the cost of risk retention. The use of economic capital (see "Enterprising Solutions," RM, August 2001) to measure both risk exposures and risk transfer costs can form the basis for this analysis. Further, a company should rationalize its risk transfer activities with respect to the use of derivatives, insurance and alternative risk transfer products.

10) Balance the yin and the yang. Above all else, risk management is about people. It is critical to balance the hard side of risk management (e.g., policies, systems, limits) with the soft side (e.g., culture, values, incentives). An effective risk management program cannot be established with one and not the other.

©2008 Sungard. All rights reserved.