A picture is worth a thousand words and the chart below depicts the core influences of an operational risk program in my view. (The second illustration depicts RMA’s Operational Risk Framework.) Operational risk is defined by the Basel Committee on Banking Supervision as “the risk of loss resulting from inadequate or failed business processes, people and systems or from external events.” Operational risks relate to areas such as cyber and fraud, crime prevention, human resources management, information technology, information security (including digital and multimedia), business continuity management, physical security, and vendor management.

An operational risk program design can be embedded in both financial and non-financial organizations and needs to be suited to fit the culture and objectives of the specific organization.  The benefits of a program are multiple:

a) Understanding the key risks and application of relevant applicable mitigants and controls.

b) Reducing the complexity in operations by understanding the key processes.

c) Inserting key performance indicators, thus ensuring more effective processing.

d) Improving resource preparation and allocation for future planning.

e) It speaks to the internal controls of an organization.

7 main influences - 2



For an operational risk program to be successful, it must be fully integrated with the strategy and culture of the organization, otherwise it will have no bearing and credibility. It must be scalable regardless of the size, scale, and complexity of the organization to have influence. The program must be managed at the enterprise level and will have a policy and procedures document which will outline the risk appetite, scope, and governance of the program. The policy and procedures document will incorporate many of the influences below depending on the size and maturity of the program.


Operational risk arises in two areas: business as usual and new product/new activities conducted by the organization. Each of these areas will be influenced by regulatory and industry considerations. New products and activities require an added level of scrutiny, since these involve forecasted risks that have not yet manifested themselves and as such warrant an extra level of governance, usually managed by a committee. Moreover, these new activities will drive changes to the required framework in terms of key risk indicator (KRI) and key performance indicator (KPI) adjustments, new risk control self-assessment (RCSA) processes identified, and new scenarios considered.


Definition, consistency, and standardization of both tools, documents, and language are needed for a successful implementation. The tools will include: a) risk taxonomy (describes the risk, the event, and affect); b) definition of inherent risk (no controls), and residual risk (with controls); c) an operational control library (describes the types of controls); d) scorecards; and e) rating scales for inherent risks and control effectiveness. Common metrics such as KPIs and KRIs need to be aligned in a manner that drives areas of focus and ensures planned control assessments. Finally, a standard organizational specific RCSA will manage and evaluate the key processes and document the effectiveness, adequacy, and application of controls.


The standard RCSA should be able to be decomposed, allowing the contents to be inputted into a central registry. Remediation and action plans flowing from the RCSAs should show ownership and a timescale of when these plans will be executed and finalized. Supplementing the data derived from the RCSA will be incident reports, audit reports, and compliance reports. Internal loss data needs to be captured in this central registry as well, providing a basis for operational risk management and mitigation strategies. Collection of this diverse data is important, as the information contained will aid in understanding the effectiveness of the controls and the ability to predict patterns and trends which warrant further investigation.


A model which incorporates stress and scenario analysis will enable the organization to gain foresight and to evaluate the different types of responses needed under different operating environments. Note that this will be associated with a more mature program, as it will require a rich level and history of data points together with advanced modelling skills.


A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk. The framework will outline the key processes and activities, key documentation requirements, methodology assessments, governance (roles and responsibilities), and escalation and monitoring/ reporting responsibilities. Continuous education and training will play a major part in the program in embedding and maintaining this control environment, and will be the key factor in successful and effective implementation


The most important influence will be the reporting aspect and the different requirements of audiences both internal and external that need to be both informed and addressed. The information supplied should include meaningful metrics that  show both trend, materiality, and control effectiveness. The reporting will also need to cascade down and filter up with governance decisions documented and actioned. Reporting will further include a catalogue of material incident reporting, an evaluation by audit or a third party on the effectiveness of the program, and a pronouncement as to the quality control and assurance of the program.


The internal control structure of any organization is under constant threat with the advent of cyber risk and the explosion of social media. Operational risks are expanding and emerging with the constant deployment of new and rapid technology. An operational risk program—small or large, immature or mature—is a must have. Without it, the organization can quickly lose both credibility and reputation. Examples include Volkswagen, GM, and Toyota. The implementation is not difficult, but it does require vision, application, and documentation to ensure effectiveness.

This article was published on The Risk Management Association