Seven Keys to Effective Operational Risk Management
Friday, August 17, 2007
OVERVIEW
Over the past few years Operational Risk Management has garnered increased interest. It is not a new concept, but recent regulatory compliance challenges and the need for better performance management have moved it from an informal concept to a formal process.
Now a significant component of an organization’s Enterprise Risk Management program, Operational Risk Management must be managed effectively. The Polivec Enterprise Governance Solution can help your organization manage the many components efficiently, enabling your Operational Risk Management program to achieve its goals.
SEVEN CRITICAL COMPONENTS
While each organization will have its own unique goals and requirements, there are some general components that are critical to any effective risk program.
1. Document Risks. As risk assessments are performed and updated, it is critical to keep risk documentation updated. Many organizations do a good job of documenting their risk during the primary assessment phase, but keeping all those documents organized and fresh as additional assessments are performed is a challenge. Having a centralized repository to automate this component is an important first step.
2. Implement Controls. Once risks have been identified, the next step is to begin implementing controls for those risks. Controls may be manual or automated, but they must be clearly documented. As with risk assessments, keeping control documentation updated and relevant is critical and a document repository is an invaluable tool to assist in this area.
3. Map Controls to Risk. A common difficulty for most organizations is maintaining the relationship between controls and the risks they are addressing. Because the two are often maintained separately, and frequently by different people, ensuring that a change in one is reflected in the other is a challenge. Looking at a risk, an organization must be able to quickly see all controls implemented for that risk, and a control should be easily traced back to the risk it is meant to address.
4. Educate Employees. Your employees are a critical component of your risk management program, so without a proper employee awareness program, you will not be successful. While most employees want to do the right thing, they cannot be expected to seek out risk and control information. Instead, they must be presented with the policies and procedures that are relevant to their role.
5. Evaluate Control Effectiveness. There are many tools that can be used to gauge the ongoing effectiveness of controls. One of the most popular and effective is the Control Self Assessment. It not only provides important information that can be used to adjust your control environment, but it also gives business owners a sense of ownership of the controls and the control review process. Having a solution to automate the creation, distribution and collection of self assessment surveys is a significant benefit that organizations should strongly consider.
6. Audit Controls. The internal audit team helps to ensure that controls are being followed by performing periodic audits. Tracking the myriad of audit activities is a daunting task. In addition, audit activities generate a significant amount of documents, spreadsheets and other files that must be organized. Polivec EGS can help organizations track all audit activities and audit artifacts.
7. Monitor Key Risk Indicators. With all of the other pieces in place, you can now begin to truly manage operational risk. Just as with other risk disciplines, it is important to identify and track key indicators of risk performance. These indicators allow you to make decisions, adjust your risk tolerance and react to special situations quickly.
MEASUREMENT ENABLES MANAGEMENT
Most organizations will agree with these seven keys and many have already been implemented. However, the most common method of addressing these needs is through the use of manual processes or re-purposing systems meant for other tasks. The most critical component of building an effective Operational Risk Management program is to automate and integrate as many of these requirements as possible.
It is only through the integration of all risk activity and data that you can truly measure the operation and effectiveness of your program. And it is only through accurate measurement that you can efficiently manage operational risk.
The Polivec Enterprise Governance Solution can provide the platform to integrate, measure and manage your operational risk management program.
