Operational Risk Management Framework

There are many operational risk management frameworks to choose from in the many books written about Operational Risk Management. But despite their eloquence and apparent usefulness, they don’t work in practice. By that I mean they add to the confusion and complication rather than providing a simple, structured approach for managing operational risk.

So, what makes the framework presented below useful? It is useful because it organizes what an operational risk manager does in a logical, mutually exclusive, and comprehensively exhaustive hierarchical structure.

What does an operational risk manager do? The same thing, by the way, that any risk manager does. The words may be different, and the methods may be different, but the objectives of the distinctive actions by each type of risk manager are the same regardless of the risk they are managing.

Each risk manager wants to first identify the exposure to the various risks within a particular activity, portfolio, or position. There are many contradictory and sometimes vague definitions of risk floating around. What do we mean by risk? Simply, risk is the amount of potential financial or reputational loss that can occur from an adverse event. That amount depends on the frequency of the event and the amount of loss should the event occur. But we are getting ahead of ourselves. How to size the amount of the potential loss will be discussed in a future post. Although the words may vary, the essence of this definition is what most practitioners use, either implicitly or explicitly. Also note that in identifying exposures we are concerned with potential losses, that is, losses that may happen in the future, not past losses.

So, besides identifying the risk exposure, what else do risk managers do? They put in place controls to contain the potential losses to within the desired level, known as the Risk Appetite. But since controls are not perfect, losses do occur beyond the Risk Appetite. OK, what happens after a loss occurs? If the loss is large enough, it could lead to the disruption of the business and even to bankruptcy. A risk manager, therefore, has to build resiliency by having sufficient resources, and a strategy and plan to recover quickly from disruption and, in the extreme case, avoid bankruptcy.

In summary, a risk manager identifies exposures, implements controls, and creates resilience. All risk managers do that. Operational risk managers do that for operational risk events.

