Operational risk is the risk of loss resulting from failed or ineffective internal processes, people or systems. Often these risks are exposed by external events that disrupt the business, such as natural disasters (floods, hurricanes), infrastructure failures (power outages, damage to telecommunications lines), and political and social problems (riots, pandemic response).
While larger companies focus on enterprise risk management, which seeks to find the optimal balance between risk and reward, small and midsized organizations gain more value from operational risk management, which is more risk-averse and focuses on protecting the organization. Our Operational Risk and Control practice helps SMEs use technology to implement and manage an efficient and effective ORM framework.
You can't control or mitigate a risk until it has been identified. Our methodology guides clients through identifying and periodically reviewing the risks that apply to them, and documenting those risks in a categorized register.
In this phase each risk is systematically reviewed and rated on its probability and its impact. The output is a matrix which, combined with your stated risk appetite, produces a prioritized list of known risks.
Risk mitigation is handled one of four ways:
Internal controls are designed specifically to mitigate the risk in question. Mitigation can take the form of guaranteed avoidance (for example a fully automated preventive control, such as preventing IT security staff from altering the access rights on their own accounts to circumvent segregation of duties within a system) or of detecting an undesirable situation after the fact (e.g. periodic reports that highlight staff whose access to certain data needs to be removed). Controls should always be fully documented and include the following:
We have specific and considerable experience in designing, testing and implementing internal control frameworks, and over the years have developed our own detailed control modeling language. This allows us to not only perform highly accurate work in this area, but also to benchmark performance across industries, divisions, regions and other dimensions. The combination of our modeling language and determination of sample sizes means we're able to optimize the cost and value of internal control work, something which many internal control frameworks struggle to do.
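The two control forms described above, a preventive control and a detective control over access rights, as an added illustration (example code written for this page, not part of the practice's own tooling). It assumes a hypothetical access-rights table and HR roster, both constructed inline, and a hypothetical mapping of roles to the rights they may hold.

```python
# Constructed sample data (hypothetical): who holds which rights, and the HR view of each user.
ACCESS = {
    "alice": {"rights": {"read-audit-log", "manage-access"}},
    "bob":   {"rights": {"approve-payments"}},
    "carol": {"rights": {"approve-payments", "manage-access"}},
}
HR_ROSTER = {
    "alice": {"status": "active",     "role": "it-security"},
    "bob":   {"status": "terminated", "role": "finance"},
    "carol": {"status": "active",     "role": "finance"},
}
# Rights each role is permitted to hold; anything beyond this is a candidate for removal.
ROLE_RIGHTS = {
    "it-security": {"read-audit-log", "manage-access"},
    "finance": {"approve-payments"},
}


class ControlViolation(Exception):
    """Raised when the preventive control blocks an action."""


def change_rights(actor: str, target: str, new_rights: set, access=ACCESS) -> None:
    """Preventive control: the system refuses any change an administrator makes to
    their own account, so nobody can grant themselves the rights needed to bypass
    segregation of duties. Only holders of 'manage-access' may change others' rights."""
    if actor == target:
        raise ControlViolation(f"{actor} attempted to modify their own access rights")
    if "manage-access" not in access[actor]["rights"]:
        raise ControlViolation(f"{actor} does not hold the manage-access right")
    access[target]["rights"] = set(new_rights)


def access_review_report(access=ACCESS, roster=HR_ROSTER) -> list:
    """Detective control: the periodic report. Returns (user, right, reason) for every
    right that should be removed: the user is no longer active, or the right is not
    permitted for the role HR currently records for them."""
    findings = []
    for user, rec in access.items():
        hr = roster.get(user)
        for right in sorted(rec["rights"]):
            if hr is None or hr["status"] != "active":
                findings.append((user, right, "user no longer active"))
            elif right not in ROLE_RIGHTS.get(hr["role"], set()):
                findings.append((user, right, f"not permitted for role {hr['role']}"))
    return findings
```

On the sample data the report flags bob's payment approval (terminated) and carol's manage-access (outside the finance role), while the preventive check rejects alice editing her own rights before any report is needed.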
Controls may be performed by people, who make mistakes, or by computer systems, which can become unreliable after upgrades and other technical changes. For this reason the internal control environment changes over time and should be monitored periodically. Monitoring involves:
Our experience in building decision support systems aligns with our operational risk management experience so we can help our clients implement successful control monitoring solutions.