Operational risk management

See also: Risk management

The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events.

Four principles of ORM

The U.S. Department of Defense summarizes the principles of ORM as follows:[1]

Three levels of ORM

In Depth
In depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Examples of in depth methods include training, drafting instructions and requirements, and acquiring personal protective equipment.
Deliberate risk management is used at routine periods through the implementation of a project or process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks.
Time Critical
Time critical risk management is used during operational exercises or execution of tasks. It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Examples of tools used includes execution check-lists and change management. This requires a high degree of situational awareness.[1]

ORM process

In depth

The International Organization for Standardization defines the risk management process in a four-step model:[2]

  1. Establish context
  2. Risk assessment
    • Risk identification
    • Risk analysis
    • Risk evaluation
  3. Risk treatment
  4. Monitor and review

This process is cyclic as any changes to the situation (such as operating environment or needs of the unit) requires re-evaluation per step one.


The U.S. Department of Defense summarizes the deliberate level of ORM process in a five-step model:[1]

  1. Identify hazards
  2. Assess hazards
  3. Make risk decisions
  4. Implement controls
  5. Supervise (and watch for changes)

Time critical

The U.S. Navy summarizes the time-critical risk management process in a four-step model:[3]

1. Assess the situation.

The three conditions of the Assess step are task loading, additive conditions, and human factors.

2. Balance your resources.

This refers to balancing resources in three different ways:

3. Communicate risks and intentions.
4. Do and debrief. (Take action and monitor for change.)

This is accomplished in three different phases:

Benefits of ORM

  1. Reduction of operational loss.
  2. Lower compliance/auditing costs.
  3. Early detection of unlawful activities.
  4. Reduced exposure to future risks.

Chief Operational Risk Officer

The role of the Chief Operational Risk Officer (CORO) continues to evolve and gain importance. In addition to being responsible for setting up a robust Operational Risk Management function at companies, the role also plays an important part in increasing awareness of the benefits of sound operational risk management.

Most complex financial institutions have a Chief Operational Risk Officer. The position is also required for Banks that fall into the Basel II Advanced Measurement Approach "mandatory" category.

ORM software

The impact of the Enron failure and the implementation of the Sarbanes–Oxley Act has caused several software development companies to create enterprise-wide software packages to manage risk. These software systems allow the financial audit to be executed at lower cost.

Forrester Research has identified 115 Governance, Risk and Compliance vendors that cover operational risk management projects. Active Agenda is an open source project dedicated to operational risk management.

See also




  1. 1 2 3 "Naval Safety Center ORM". Archived from the original on October 11, 2008. Retrieved November 4, 2008.
  2. "Committee Draft of ISO 31000 Risk management" (PDF). International Organization for Standardization. 2007-06-15.
  3. "Operational Risk Management - Time-Critical Risk Management". U.S. Navy. Retrieved 12 July 2009.

External links

This article is issued from Wikipedia - version of the 10/20/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.