target business environment – the development of an oper-
ational risk proﬁle of the proposed target environment can
help identify process design ﬂows at an early stage; and
business environment in transition – the management of
project-related risks affecting an organization during a
change is a key aspect of operational risk management.
Establishing policy and organization
Operational risk management can only be effective when inte-
grated into the core of operations and operating principles.
The starting point for formulating this framework is to
examine a range of organizational and business components as
a foundation for decisive action. The key components include:
Strategy: Organizations need to anticipate what they hope
to achieve from putting in place an organizational risk man-
agement plan. The strategy will be conditioned by such
factors as current operations, business objectives and
appetite for risk taking.
66 Operational Risk and Resilience
Figure 2.1 Management of changes in the business environment
Policy and principles: The point of establishing a policy is to
e n s u re a consistent approach to risk management with re g a rd
to employees’ behaviour, and to ensure that all risks across an
o rganization are identiﬁed. This is a written commitment to
the establishment of a framework. The prime concern is
meeting the expectations and obligations of stakeholders,
whether they are shareholders, customers, regulators, business
p a rtners, competitors or non-governmental org a n i z a t i o n s
(NGOs). Policies should be supported by a set of principles
that apply to speciﬁc components of operational risk (such as
change and project management, business continuity plan-
ning, management succession planning, and so on).
O rganizational model: A key element of the framework is
the drawing up of a clear stru c t u re with deﬁned operational
risk management roles, responsibilities and re p o rting lines.
The point of such a stru c t u re is to ensure that the policy (see
above) is executed eff e c t i v e l y. The stru c t u re should cover the
b o a rd, committees, senior management, business and opera-
tional line management. In addition, speciﬁc operational risk
management activities may be perf o rmed either by a cen-
tralized and dedicated operational risk function, or thro u g h
decentralized arrangements, or a combination of the two.
The nature of operational risk means that its management
should be as integrated as possible into the mainstream busi-
ness. It may not make sense to set up a separate gro u p
working in isolation from the rest of the org a n i z a t i o n .
Management needs to anticipate how the central team will
interact with the individual business units, perhaps drawing
up benchmarking exercises so that smaller teams can beneﬁt
f rom lessons learned in diff e rent parts of the gro u p .
Process portfolio: The processes should deﬁne how action is
to take place within the context of the organizational
model, and should include processes such as risk identiﬁca-
tion, assessment, mitigation, reporting and measurement.
Operational integrity 67
Other factors include:
– self-assessment and proﬁling;
– executive and dedicated reporting;
– capital allocation;
– stress testing and key risk indicators;
– investment appraisal; and
– control standards.
Establishing a process for ongoing risk management
Everyone in the organization should be encouraged to take
responsibility for operational risk management in his or her
particular areas. The policy, design and framework for opera-
tional risk management, however, should be driven by the
board and managed in the context of an enterprise risk man-
agement team. This team would be expected to have represen-
tatives at all levels of the organization, including:
operational risk management committee;
operational risk management team;
functional experts and specialists;
line management; and
key supervisors and staff.
Issues considered here may include those at: board; opera-
tional risk management committee; operational risk manage-
ment team; and business unit levels.
As representatives of the stakeholders, the board must ensure
that appropriate corporate governance frameworks are estab-
lished and operating. The establishment of a board-level risk
68 Operational Risk and Resilience