Operational Risk Management: A Case Study Approach to Effective Planning and Response

ISBN: 978-0-470-28186-4

Mark D. Abkowitz

Case Study Bon Boulangerie

College of Business Administration

Operational Risk Management Case Study: Bon Boulangerie

Borja, Jill; Calimlim, Niccolo; Covarrubia, Isabelle; Elizar, Alaine; Elnar, Mary; Galarpe, Jim Roy; Griego, Jubilee; Mercader, Joan; Palpallatoc, Aila

Risk Management, First Semester, 2019-2020

TABLE OF CONTENTS

1. BACKGROUND OF THE COMPANY/CASE
2. VIEWPOINT/POINT OF VIEW
3. TIME CONTEXT
4. CASE ANALYSIS PROCESS
4.1.1. STATEMENT OF THE PROBLEM
4.1.2. STATEMENT OF OBJECTIVES
4.1.3. AREAS OF CONSIDERATION (SWOT ANALYSIS)
4.1.4. ASSUMPTIONS
4.1.5. ALTERNATIVE COURSE OF ACTION (ACA)
4.1.6. ANALYSIS
4.1.7. CONCLUSION
4.1.8. PLAN OF ACTION
4.1.9. RISK ASSESSMENT PLAN

BACKGROUND OF THE COMPANY/CASE

Bon Boulangerie is a bakery business located in Oakville. Ray Pane purchased the business three (3) years ago and plans to expand its structures and its territory to maximize and utilize the target market. It consisted of a single site with baking facilities and a retail store and café. He also began a new line of business, wholesaling to local restaurants and high-end grocery stores within a 20-kilometer radius of the bakery.

VIEWPOINT

Bon Boulangerie plans to expand the company in order to compete fully with other companies that sell the same products, by increasing the territory the bakery covers. The bakery now competes with well-known pastry businesses. The purpose is for the bakery to extend its range beyond the usual one, which gives it more impact and makes it more recognized by consumers.

TIME CONTEXT

  • Ray Pane purchased the business three (3) years ago.
  • He began to change and expand the product offering.
  • He also began a new line of business, wholesaling to local restaurants and high-end grocery stores within a 20-kilometer radius of the bakery.

STATEMENT OF THE PROBLEM

  • What are the main operational targets for Ray's wholesale business line?
  • How does Ray's strategic drive translate to the operational level of the business?
  • What are the internal and external factors that need to be considered to achieve operational success?
  • What are the risk variables behind the uncertainty around achieving the operational goals of the company?
  • How much may those risk variables impact Ray's overall business?
  • What are the significant factors on which Ray should focus his attention to manage the operational risks associated with the new facility?
  • How appropriately can the company ensure that it can put into reality the forecast outcome for the next 3 years of the business with regard to the risks associated with it?

STATEMENT OF OBJECTIVES

In this case, Ray Pane wants to expand the products the business offers into wholesale, distributing to some local restaurants and luxury grocery stores near the bakery he owns, to gain more sales. The strategy Ray Pane has in mind is quite good for his income, but it will take him more years to become financially stable, and there will be an obligation to raise the level of product development, marketing, sales, and distribution. Ray Pane's purpose is therefore to be a successful entrepreneur, to make his business known, and to do good business in the marketplace across the entire Toronto area.

Bon Boulangerie's goal is to establish multiple streams of income for the bakery. He thinks that being too dependent on one market can leave the bakery vulnerable to downturns or a catastrophic loss. Since Pane's business is expanding into wholesaling, his enterprise should build a strong reputation among competitors and develop its products; these sales may cost more in the long run by compromising the bakery's reputation. He should develop a specialty and practice until he becomes an expert.

AREAS OF CONSIDERATION (SWOT ANALYSIS)

A. Strengths and Weaknesses

Strengths:

  • The owner hired a full-time vice-president who will supervise the sales and marketing of the company.
  • He also hired a full-time distribution manager to focus on the delivery of the product.
  • The company can expand in just a short period of time (three years).
  • The company's net income has kept growing over its first three years.
  • The company knows the flow of its net income over the years.

Weaknesses:

  • It takes several years to add new wholesale customers and wholesale products, so there will be unutilized space in the new facility.
  • There are a lot of competitors with the same products.

B. Opportunities and Threats

Opportunities:

  • The owner changed and expanded the product offerings to increase the volume of sales and margins.
  • The company sells wholesale products to be distributed to different high-end grocery stores.
  • The ability to offer competitive products for the bigger market.

Threats:

  • For its expansion, the company needs to increase its level of product development, marketing, sales, and distribution, which it did not achieve in the first year of the expansion.
  • Bigger companies that offer the same product.
  • There are a lot of bigger companies with the same category of products that also distribute to high-end grocery stores.

ASSUMPTIONS

In year 4, Bon Boulangerie will open its new baking facility. When Bon Boulangerie expands its operation, the production of goods will increase, assuming that it can cater to more wholesalers and fulfill the demand of the market. The expansion in operation will need more workers in production and in distribution, assuming that it can provide employment. Opening a new baking facility will challenge the company to increase its sales and profit, assuming that it will require an increased level of product development, marketing, sales, and distribution.

ALTERNATIVE COURSE OF ACTION

  • Bon Boulangerie will have its new facility, but the facility will have unutilized capacity because it will take Bon Boulangerie several years to add new wholesale customers and wholesale products. The action needed to earn income from the unutilized new facility is to make it available for lease.
  • Since Bon Boulangerie can already compete with bigger or different companies that have the same product, or with bigger companies in the same category in high-end grocery stores in the area, the company can also sell its products beyond the boundary of its area, or outside of the city, to earn a bigger income.
  • Bon Boulangerie could add some workers due to its growing status; the old employees can be their superiors and help the new ones grow along with the company.

ANALYSIS

  • Bon Boulangerie is planning to expand its own structure. A possible result is that production could create more product than usual. The name itself will also be more recognized by the target market and can compete with other companies. The expansion means the company will have more manpower and more equipment with which to assist its employees. As stated, it will create more employment opportunities for the unemployed. That is the advantage of the expansion of Bon Boulangerie.
  • The disadvantage would be the increase in operational cost because, again, expansion means adding more facilities, which would increase costs. The costs of expansion are high, even for buying new equipment for production itself. The resources needed would also increase because the company itself is expanding. Expansion also means the number of employees would increase.

CONCLUSION

  • At the beginning, the bakery was successful as a retail business; however, based on market research of its retail and café clientele, it can be further expanded by introducing a new line of business: wholesale. For the first year of the wholesaling operations, profits were expected to decline while the locals familiarized themselves with the idea. Hiring competent employees and leasing a separate baking facility is a favorable strategy, for the company can better focus on making the new line of business successful while it is managed by employees who know what to do to create a favorable impression of the business.
  • The idea of wholesale was brilliant; a lot of restaurants and other retailers have been availing themselves of this opportunity for ease of work and cost effectiveness, and by its third year the profits have tripled, as per Ray's expectation when he first thought of the idea. Currently, it is still being improved by lessening the shipping cost and operating expenses.

PLAN OF ACTION

  • To prevent harm from unutilized new facilities, the company must hold or attend seminars on utilizing new facilities; this could help in decision making and in making a better plan for the company's performance.
  • There is no easy way to earn a good income right away, so to avoid wasted product the company may produce or release product depending on the demand of customers outside its boundary area.
  • The addition of workers could lead to risk because people may take advantage of it, so as an action for this, HR must get to know each applicant well through a disciplined and refined interview.

RISK ASSESSMENT PLAN

| Risk Identified | Control Available | Likelihood (A) | Justification | Consequences (B) | Justification | Risk Level (A*B) | Risk Treatment |
|---|---|---|---|---|---|---|---|
| Operational Cost | Cost Cutting | 4 | Company will incur operational cost in a month for its expenses. | 2 | Company will have approximately a 50K – 1M financial loss for its operating expenses | 8 | Accept |
| Increase of Employees | Hiring of employees limitation | 2 | Since the company is trying to expand its business, it would need to hire more workers | 3 | Increase of employees will improve its productivity by at least 50% | 6 | Transfer |
| Maintenance of Equipment | Buying High-Quality Equipment Parts | 3 | Maintaining the quality of equipment once a year is needed to secure the safety of the employees | 1 | A loss of at least 50k – 500k will occur for maintenance | 3 | Enhance/Mitigate |
| Operation On-Going while in the process of expansion | Materials to be used in construction should be optimized | 4 | Company would shoulder any liabilities and damages for the employees | 3 | Goods are still produced, but not at the usual level | 12 | Avoid |

Operational Risk Management: Overview and Guide

Vice Vicente

February 16, 2024

Senior Management typically has one of two perspectives on risk. In the traditional Enterprise Risk Management (ERM) view, the goal is to find the perfect balance of risk and reward. Sometimes, the organization will accept more risk for a chance to grow the organization more quickly, while other times the focus switches to controlling risks with slower growth. The Operational Risk Management (ORM) perspective is more risk-averse, focusing on protecting the organization. Keep reading to get an in-depth overview of Operational Risk Management, including the five steps of the ORM process.

What Is Operational Risk Management?

Operational risk is the risk of loss as a result of ineffective or failed internal processes, people, systems, or external events that can disrupt the flow of business operations. These operational losses can be directly or indirectly financial. For example, a poorly trained employee may directly lose the company a sales opportunity, or a company’s reputation can suffer indirectly from poor customer service.

Operational risk can refer to both the risk in operating an organization and the processes management uses when implementing, training, and enforcing policies. Operational risk can be viewed as part of a chain reaction: overlooked issues and control failures, whether small or large, can lead to greater risk materialization, which may result in an organizational failure that can harm a company’s bottom line and damage its reputation. While operational risk management is considered a subset of enterprise risk management, it excludes strategic, reputational, financial, and market risks, focusing on unsystematic risks.

Examples of Operational Risk

Operational risk permeates every organization and every internal process. The goal of the operational risk management function is to focus on the risks with the most impact on the organization and to hold employees who manage operational risk accountable.

Examples of operational risk include:

  • Employee conduct and employee error
  • Breach of private data resulting from cyber attacks
  • Technology risks tied to automation, robotics, and artificial intelligence
  • Business processes and controls
  • Development and introduction of new products
  • Physical events, such as natural disasters
  • Internal and external fraud
  • Workplace safety risks

A Brief History of Operational Risk

Over the last two decades, the methodology for evaluating internal controls and risks has become more and more standardized. The standardization has been in response to government regulators, credit-rating agencies, stock exchanges, and institutional investor groups demanding greater levels of insight and assurance over companies’ risk-control environment; that is, risks and the effectiveness of controls in place to mitigate them. Originally geared towards financial services, the emphasis on standardized risk management was partially driven by the Basel Committee on Banking Supervision (Basel Committee), which was founded in 1974 and includes a number of international members. Since then, the discipline of risk management has spread beyond the financial and banking industries. The release of COSO’s Internal Control-Integrated Framework in 1992 and the Sarbanes-Oxley Compliance Act of 2002, fueled by financial fraud at WorldCom and Enron, have led to increased pressure on the need for organizations to have an effective operational risk management discipline in place. In the U.S., the greatest pressure for increased involvement of senior executives in risk oversight comes from the audit committee. More recently, COSO released an Enterprise Risk Management Framework. After working with these frameworks for several years, many risk managers have moved to an operational risk management process.

Table: Loss Event Types and Examples Defined by the Basel Committee

Table source: FDIC Operational Risk Management

How Operational Risk Management Works

When dealing with operational risk, the organization has to consider every aspect of its objectives. Since operational risk is so pervasive, the goal is to reduce and control every risk to an acceptable level. Operational Risk Management attempts to reduce risks through the linear process of risk identification, risk assessment, measurement and mitigation, monitoring, and reporting while determining who manages operational risk.

These stages are guided by four principles:

  • Accept risk when benefits outweigh the cost.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions at the right level.

Risk Identification

Operational Risk Management begins with identifying what can go wrong. As a best practice, a control framework should be used or developed to ensure completeness. Identifying risks begins with scenario analysis — taking a look at the challenges facing the business and pinpointing areas that could disrupt operations or pose another risk to the organization.

Risk Assessment

Once the risks are identified, the risks are assessed using an impact and likelihood scale, also known as a Risk Assessment Matrix. At this stage, risks are categorized by type of risk and level of risk.

Measurement and Mitigation

In the risk assessment, risks are measured against a consistent scale to allow the risks to be prioritized and ranked compared to one another. The measurement also considers the cost of controlling the risk related to the potential exposure.

Monitoring and Reporting

Risks are monitored through an ongoing risk assessment to determine any changes over time. The risks and any changes are reported to senior management and the board to facilitate decision-making processes.

Primary Objectives of Operational Risk Management

As the name suggests, the primary objective of Operational Risk Management is to mitigate risks related to the daily operations of an organization. The practice of Operational Risk Management focuses on operations and excludes other risk areas such as strategic and financial risks. While other risk disciplines, such as Enterprise Risk Management (ERM), emphasize optimizing risk appetites to balance risk-taking and potential rewards, ORM processes primarily focus on controls and eliminating risk. The ORM framework starts with risks and deciding on a mitigation strategy.

Operational Risk Management proactively seeks to protect the organization by eliminating or minimizing risk.

Depending on the organization, managing operational risk could have a very large scope. Some organizations might categorize fraud risks, technology risks, as well as the daily operations of financial teams like accounting and finance as part of this umbrella. The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution’s business functions.” Given this viewpoint, the scope of operational risk management will encompass cybersecurity, fraud, and nearly all internal control activities.

Applying a control framework, whether a formal framework or an internally developed model, will help when designing the internal control processes. One approach to understanding how ORM processes look in your organization is by organizing operational risks into categories like people risks, technology risks, reputational risks, and regulatory risks.

The people category includes employees, customers, vendors, contractors, and other stakeholders. Employee risk includes human error and intentional wrongdoing, such as in cases of fraud. Risks include breach of policy, insufficient guidance, poor training, bad decision-making, or fraudulent behavior. People can pose a risk to the organization even externally, as social media is more and more likely to have an impact on business. Risks associated with people can be especially sensitive and tricky, especially since people play a role in every aspect of an organization’s operations. Fostering a healthy risk culture through training and regular communication is key to managing this area of risk.

Technology risk from an operational standpoint includes hardware, software, privacy, and security. Technology risk also spans the entire organization and affects the people category described above. Hardware limitations can hinder productivity, especially when in a remote work environment. Software too can reduce productivity when applications suffer an outage or employees lack training. Software can also impact customers as they interact with your organization. External threats exist as hackers attempt to steal information or hijack networks. This can lead to leaked customer information and data privacy concerns.

As technology expands to play a larger role in all of our lives, risks in this space become increasingly significant and complex. If not included already, business continuity plans should address risks related to technology failures and other disruptions.

Regulations

Risk of non-compliance with regulation exists in some form in nearly every organization. Some industries are more highly regulated than others, but all regulations come down to operationalizing internal controls. Over the past decade, the number and complexity of rules have increased and the penalties have become more severe.

Understanding the sources of risk will help determine who manages operational risk. Enterprise Risk Management and Operational Risk Management both address risks in the same areas but from different perspectives. To consolidate these disciplines, some organizations have implemented Integrated Risk Management or IRM. IRM addresses risk from a cultural point of view. Depending on the objective of the particular risk practice, the organization can implement technology with different parameters for teams like ERM and ORM.

Steps in the ORM Process

While there are different versions of the ORM process steps, Operational Risk Management is generally applied as a five-step process. All five steps are critical, and all steps should be implemented.

Image: Steps in the ORM Process

Image source: PWC Operational Risk Management

Step 1: Risk Identification

Risks must be identified so these can be controlled. Risk identification starts with understanding the organization’s objectives. Risks are anything preventing the organization from achieving its objectives.

  • Process Analysis: Review internal processes, including production, IT, human resources, and customer service, to identify potential fail points or vulnerabilities.
  • Loss Data Analysis: Examine historical loss data within the organization to identify trends and areas of concern. This includes financial losses, data breaches, compliance violations, and any incidents that disrupted operations.
  • Risk Workshop and Interviews: Conduct workshops and interviews with employees at various levels to gather insights on perceived risks, potential areas of improvement, and past incidents.
  • External Event Analysis: Consider external events and changes in the regulatory landscape that could impact operations. This includes industry trends, technological advancements, and geopolitical events.
  • Scenario Analysis: Develop hypothetical scenarios to identify potential risks and their impact. This helps in understanding the organization’s resilience and preparedness for unlikely but impactful events.

Step 2: Risk Assessment

Risk assessment is a systematic process for rating risks based on likelihood and impact. The outcome of the risk assessment is a prioritized listing of known risks, along with the risk owner and risk mitigation plan, also known as a risk register. It may not be possible or advisable for an organization to address all identified risks — thus, prioritization is critical for the management of operational risk and points project teams to the most significant risks. This risk assessment process may look similar to the risk assessment done by internal audit, and should, in fact, be informed by prior audit reports and findings.

Step 3: Risk Mitigation

The risk mitigation step involves developing and choosing a path for controlling specific risks. In the Operational Risk Management process, there are four options for addressing potential risk events: transfer, avoid, accept, and mitigate.

  • Transfer: Transferring shifts the risk to another organization. The two most common means for transferring are outsourcing and insuring. When outsourcing, management cannot completely transfer the responsibility for controlling risk. Insuring against the risk ultimately transfers some of the financial impacts of the risk to the insurance company. A good example of transferring risk occurs with cloud-based software companies. When a company purchases cloud-based software, the contract usually includes a clause for data breach insurance. The purchaser is ensuring the vendor can pay for damages in the event of a data breach. At the same time, the vendor will also have their data center provide SOC reports showing there are sufficient controls in place to minimize the likelihood of a data breach.
  • Avoid: Avoidance prevents the organization from entering into a risk-rich situation or environment. For example, when choosing a vendor for a service, the organization could choose to accept a vendor with a higher-priced bid if the lower-cost vendor does not have adequate references.
  • Accept: Based on the comparison of the risk to the cost of control, management could accept the risk and move forward with the risky choice. As an example, there is the risk an employee will burn themselves if the company installs new coffee makers in the break room. The benefit of employee satisfaction from new coffee makers outweighs the risk of an employee accidentally burning themselves on a hot cup of coffee, so management accepts the risk and installs the new appliance.
  • Mitigate: Mitigating risks involves implementing action plans and controls that reduce the likelihood of the risk and/or the impact it would have if the risk were realized. For example, if an organization allows employees to work from home, there is a risk of data leakage due to the transmission of data across the public internet. To mitigate this risk, management might implement a VPN service and have remote users access the business network through VPN only. This would reduce the likelihood of data leakage, thereby mitigating the risk.

We’ve mentioned a few times that very few risks can be eliminated. Noting the residual risk — the risk remaining after mitigation — is an equally important part of the risk mitigation phase of ORM.

Step 4: Control Implementation

Once risk mitigation decisions are made, action plans are formed, and residual risk is captured, the next step is implementation. Controls should be designed specifically to address and mitigate the risk in question. The control rationale, objective, and activity should be formally documented so the controls can be clearly communicated and executed. Controls might take the form of a new process, an additional approver, or built-in controls that prevent end users from making errors or performing malicious activities. Whenever possible, controls should be designed to be preventive, rather than detective or corrective. With risk management and medicine, it seems the best cure is prevention. That said, it may be impossible to prevent a risk from occurring, which is where detective controls come into play. Detecting anomalies and then correcting them may be sufficient to mitigate certain risks.

Most likely, your organization already has some controls in place to combat risks. It’s still wise to review those controls on an annual basis (at minimum) and determine whether additional controls are needed if there are gaps in the control, or if the control is sufficient to address the risk and requires no changes.

Step 5: Monitoring

Since controls may be performed by people who make mistakes, or the environment could change, controls should be monitored. Control monitoring involves testing the control for appropriateness of design, and operating effectiveness. Any exceptions or issues should be raised to management with action plans established.

Within the monitoring step in the Operational Risk Management strategy, some organizations, especially in financial services, have adopted continuous monitoring or early warning systems built around key risk indicators (KRIs). Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposure in various areas of the enterprise. KRIs designed around ratios monitored by business intelligence applications are how banks can manage operational risk, but the concept can be applied across all industries. KRIs can be designed to monitor nearly any potential risk and send a notification. As an example, a company could design a key risk indicator around customer satisfaction scores. Falling customer satisfaction scores could indicate customer service representatives are not being trained or that the training is ineffective.

State of Operational Risk Management

In the last five years, U.S. organizations have experienced significant increases in the volume and complexity of risks, with 32% of companies experiencing an operational surprise in that time period (see figure above). As organizations grow and evolve, so do the complexity, frequency, and impact of poorly managed risks. Losses from failure to properly manage operational risk have led to the downfall of many financial institutions — recent bank collapses are speculated to have been caused by poor operational risk management and decision-making around the valuation of assets. Moreover, growing pressure from the board for increased risk oversight also points to the importance of having a strong operational risk management practice in place. But how many organizations actually do?

According to a 2017 ERM Initiative study commissioned by the Association of International Certified Professional Accountants, risk management practices around the world are relatively immature: less than 30% of global organizations have “complete” enterprise risk management processes in place. This may suggest a disconnect between operational and enterprise risk management and strategy execution in organizations.

Challenges and Shortcomings of Operational Risk Management

In many organizations, operational risk management is one of the most tenuous links in their ability to meet the demands of customers and stakeholders. While operational risk management is a subset of enterprise risk management, similar challenges like competing priorities and lack of perceived value affect proper development among both programs. Some common challenges include:

  • Organizations do not have sufficient resources to invest in operational risk management or ERM.
  • Lack of communication and education around the importance of operational risk management and the consequences of operational failures on a company’s bottom line.
  • Lack of awareness, interest, or appreciation across boards and C-suite executives regarding operational risk management.
  • Lack of consistent methodologies to measure and assess risk poses challenges when it comes to providing an accurate portrait of an organization’s risk profile.
  • Establishing standard risk terminology to be used moving forward, which is conducive to successful Risk and Control Self-Assessments (RCSAs).
  • Processes are varied and complex due to changes in technology.
  • ORM is often consolidated into other functions, such as compliance and IT, preventing ORM from receiving appropriate attention.
  • Operational Risk Management programs can be manual, disjointed, and over-complicated, mostly because ORM developed as a reactive function in response to regulations and compliance.

Benefits of a Strong Operational Risk Management Program

Establishing an effective operational risk management program helps achieve an organization’s strategic objectives while ensuring business continuity in the event of business disruptions and system failures. Having a strong ORM also demonstrates to clients that the company is prepared for crisis and loss. Organizations that can effectively implement a strong ORM program can experience improved competitive advantages, including:

  • Better C-suite visibility.
  • Better informed business risk-taking.
  • Improved product performance and better brand recognition.
  • Stronger relationships with customers and stakeholders.
  • Greater investor confidence.
  • Better performance reporting.
  • More sustainable financial forecasting.

Effective operational risk management can save an organization in monetary costs by preventing or correcting loss events. ORM encourages the optimization of business practices to make them more efficient and effective. Fostering an operational risk mindset equips an organization to adapt to the future.

Developing an Operational Risk Management Program

In the process of creating an operational risk framework and program, areas the risk management team should focus on include:

  • Promoting an organization-wide understanding of the program’s value and function.
  • Leveraging technology to implement an automated approach to monitoring, aggregating, and collecting risk data.
  • Establishing an effective method for evaluating and identifying principal risks in the organization and a way to continuously identify and update those risks and associated measures.
  • Focus on helping the organization reduce material risk exposures while encouraging activities where the potential benefits outweigh the risks.
  • Focus on partnering ORM with other functions in the organization to better embed best practices into the organization.

The Risk and Control Self-Assessment

Developing an operational risk program begins with risk management teams engaging with business process owners in identifying the risks and controls in the organization. While every organization will approach measuring operational risk differently, one of the first steps to understanding the nature of operational risks in your organization is through a Risk and Control Self-Assessment (RCSA).

The RCSA is a framework providing an enterprise view of operational risk and can be used to perform operational risk assessments, analyze your organization’s operational risk profile, and chart a course for managing risk. The RCSA forms an important part of an organization’s overall operational risk framework. An RCSA requires documentation of risks, identifying the risk levels by estimating the frequency and impact of risks, and documenting the controls and processes related to those risks. A general best practice for organizing the assessment approach is by conducting the RCSA at the business-unit level.

The RCSA should be developed to serve as a reference for your organization’s risk initiatives. Below are several leading industry best practices for developing your Risk and Control Self-Assessment:

  • Integrate Risk and Control Self-Assessment programs into your operational risk initiatives.
  • Establish a standard risk terminology and consistent methodologies to measure and assess risk.
  • Develop a complete view of risks and controls — this will be important for later analysis.
  • Incorporate a trend analysis methodology into your RCSA to identify patterns in risk as well as potential control failures.
  • Incorporate a method for identifying non-financial risks that may have impacts harming your bottom line.
  • Use your RCSA to budget for operational risk management initiatives.

Operational Risk Management Tools and Resources

Technology enablement increases the value Operational Risk Management brings to the organization. When planning the ORM function, consider building the library of risks and controls and the risk assessment process in a risk management application. Establishing effective risk management capabilities is an important part of driving better business decisions and is a tool the C-suite leverages for competitive advantage. Embedding the processes with technology ensures these are applied consistently. A strong Operational Risk Management program can help drive your operational audits and risk library, as well as your SOX and compliance programs. Find out how AuditBoard can help you manage, automate, and streamline your operational risk management program to help turn your operational risks into opportunities to gain a competitive advantage.

Frequently Asked Questions About Operational Risk Management

Operational Risk Management attempts to reduce risks through the linear process of risk identification, risk assessment, measurement and mitigation, monitoring, and reporting while determining who manages operational risk.

What are some examples of operational risk?

  • Physical events, such as natural catastrophes

How does operational risk management work?

What are the benefits and objectives of operational risk management?

Establishing an effective operational risk management program helps achieve an organization’s strategic objectives while ensuring business continuity in the event of disruptions and system failures.

What are the steps in the ORM process?

The five steps in the ORM process are: 1) Risk Identification, 2) Risk Assessment, 3) Risk Mitigation, 4) Control Implementation, and 5) Monitoring.

  • Measuring Operational Risk, EY
  • Operational risk management: The new differentiator, Deloitte

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness.

Operational Risk Management (ORM) Certificate Program

Case Studies and Standards

The following resources are publicly available. These reading list items should be combined with the Operational Risk Management Certificate Handbook.

  Case Studies

  • Bankers Trust
  • Bankgesellschaft Berlin
  • China Aviation Oil
  • Fannie Mae and Freddie Mac
  • Long Term Capital Management (LTCM)
  • Metallgesellschaft
  • National Australia Bank (NAB) - FX Options
  • Northern Rock
  • Orange County
  • Washington Mutual (Wamu)

New for 2023

  • The Failure of Silicon Valley Bank
  • The Failure of FTX
  • Operational Resilience at TSB

Standards and Practices*

  • Standards of Best Practice, Conduct and Ethics, PRMIA Ethics Committee, PRMIA, September 2009
  • Bylaws of Professional Risk Managers' International Association, PRMIA, July 2016

Case Study Overview

Unauthorized Trading

  • Barings
  • China Aviation Oil
  • Metallgesellschaft
  • National Australia Bank - FX Options

Product Design and/or Sales Practices

  • Bankers Trust
  • Orange County

Conflicts of Interest

  • WorldCom
  • TSB Bank

Credit Boundary Events

  • Fannie Mae/Freddie Mac
  • Bankgesellschaft Berlin
  • Washington Mutual (WAMU)

Liquidity Mismanagement

  • Long Term Capital Management (LTCM)
  • Northern Rock

Inadequate Risk Oversight

  • Taisei
  • Silicon Valley Bank (SVB)
  • FTX

Case Studies of Successful Risk Management

Introduction

Risk Management

Risk management involves identifying, assessing, and mitigating risks to minimize their impact on an organization. It aims to protect assets, ensure operational continuity, and support strategic goals. By proactively addressing potential threats, organizations can reduce the likelihood of adverse events and enhance their resilience.

Importance of Successful Risk Management

Successful risk management is crucial for any organization. It helps prevent financial losses, safeguard reputations, and ensure regulatory compliance. Effective risk management supports decision-making by providing insights into potential threats and opportunities. It enables organizations to respond swiftly to unexpected challenges, maintaining stability and operational efficiency.

Introducing Case Studies in Risk Management

Case studies are valuable tools for understanding successful risk management practices. They offer real-world examples of how organizations identify and address risks. By examining these cases, businesses can learn from others’ experiences and apply similar strategies. Case studies highlight practical applications of risk management theories and provide insights into effective risk mitigation techniques. In this session, we will explore case studies that demonstrate successful risk management in action. These examples will illustrate how organizations tackle various risks and implement strategies to ensure their continued success.

Case Study 1: Apple Inc.

Overview of Apple’s Successful Risk Management Strategies

Apple Inc. has implemented effective risk management strategies to navigate its complex global operations. The company faces various risks, including supply chain disruptions, cybersecurity threats, and regulatory compliance. Apple’s approach to risk management involves comprehensive planning and proactive measures. By addressing these risks, Apple maintains its market leadership and ensures operational stability.

Key Risks Identified by Apple

Apple identifies several key risks that could impact its business. Supply chain disruptions pose a significant risk, especially given Apple’s reliance on global suppliers. The company also faces cybersecurity threats, with potential risks to its data and customer information. Regulatory compliance is another critical area, as Apple operates in multiple jurisdictions with varying regulations. Market competition and technological changes add further complexity to its risk landscape.

How Apple Mitigated These Risks Effectively

Apple employs several strategies to mitigate these risks effectively. To address supply chain disruptions, Apple diversifies its supplier base and establishes strong relationships with key partners. The company also invests in supply chain visibility and flexibility, enabling it to adapt quickly to changes. For cybersecurity threats, Apple implements robust security measures, including encryption and multi-factor authentication. The company continuously monitors its systems for vulnerabilities and conducts regular security audits. This proactive approach helps protect sensitive data and maintain customer trust. In terms of regulatory compliance, Apple closely monitors regulatory changes in all operating regions. The company maintains a dedicated team to ensure compliance with local and international laws. This team also works on adjusting policies and practices to meet evolving regulatory requirements. Apple also invests heavily in research and development to stay ahead of technological changes and market competition. By innovating and adapting its product offerings, Apple reduces the risk of obsolescence and maintains its competitive edge. Apple’s risk management strategies effectively address key risks such as supply chain disruptions, cybersecurity threats, and regulatory compliance. Through diversification, robust security measures, regulatory vigilance, and continuous innovation, Apple manages to stay resilient in a dynamic global environment. These strategies help Apple maintain its market position and operational excellence, setting a benchmark for successful risk management practices.

Case Study 2: Toyota

Examination of Toyota’s Risk Management Practices

Toyota’s risk management practices have become a benchmark in the automotive industry. The company employs a comprehensive risk management framework to handle various risks. Toyota integrates risk assessment into its corporate strategy, focusing on both internal and external factors. The company uses a centralized risk management team to oversee global operations. This team identifies potential risks and develops mitigation strategies. Toyota also emphasizes continuous improvement and learning from past experiences. They use advanced technologies to monitor and manage risks effectively. By incorporating risk management into every aspect of their operations, Toyota ensures resilience and adaptability in a rapidly changing environment.

Major Risk Event Faced by Toyota

One major risk event Toyota faced was the 2010 vehicle recall crisis. The company recalled millions of vehicles due to safety issues with accelerator pedals and braking systems. This recall impacted Toyota’s reputation and financial performance significantly. The crisis emerged from reports of unintended acceleration, which raised concerns about vehicle safety. The widespread recall affected not only Toyota’s brand image but also its customer trust. The event highlighted the critical need for robust risk management practices in addressing safety issues. It posed significant challenges to Toyota’s operational and reputational stability.

Evaluation of Toyota’s Response and Recovery Strategies

Toyota’s response to the recall crisis was swift and comprehensive. The company initiated a large-scale recall to address the safety concerns promptly. They worked closely with regulatory agencies to ensure compliance and transparency. Toyota also implemented improved quality control measures to prevent future issues. The company increased its focus on customer communication and support during the crisis. They launched a public relations campaign to restore consumer trust and confidence. Additionally, Toyota invested in enhancing its risk assessment processes and crisis response strategies. These efforts helped the company recover its reputation and rebuild customer trust. Toyota’s proactive and transparent approach demonstrated their commitment to addressing and managing risks effectively. Their response and recovery strategies contributed to long-term resilience and stability in the face of significant challenges.

Case Study 3: Amazon

Overview of Amazon’s Risk Management Framework

Amazon employs a comprehensive risk assessment framework to navigate its vast and complex operations. This framework integrates risk identification, assessment, and mitigation strategies. Amazon’s approach involves a combination of proactive and reactive measures. The company uses data-driven insights to anticipate and address potential risks. Key components include robust cybersecurity measures, supply chain management , and compliance with regulations. Amazon’s risk assessment practices are designed to protect its global operations and maintain business continuity.

Case Study: Supply Chain Disruptions

A notable risk scenario faced by Amazon was the disruption of its supply chain during the COVID-19 pandemic. The pandemic caused significant challenges in logistics and inventory management. Amazon experienced delays in order fulfillment, increased shipping times, and shortages of essential products. To address these challenges, Amazon implemented several risk assessment strategies. First, the company increased its inventory levels to buffer against supply chain interruptions. Amazon also diversified its supplier base to reduce dependence on any single source. The company invested in advanced forecasting tools to better predict demand and manage stock levels. Additionally, Amazon expanded its logistics network, including increasing warehouse capacity and adding new delivery routes. These measures helped Amazon adapt to the rapidly changing conditions and mitigate the impact of the disruption.

Analyzing the Impact of Effective Risk Management on Amazon’s Success

Effective risk assessment played a crucial role in Amazon’s ability to handle the supply chain disruption. By swiftly implementing risk mitigation strategies, Amazon maintained customer trust and satisfaction. The company’s proactive approach to increasing inventory and diversifying suppliers minimized the negative effects on its operations. The expansion of its logistics network allowed Amazon to continue fulfilling orders despite significant challenges. This resilience contributed to maintaining its market position and customer loyalty. The ability to adapt quickly and efficiently in the face of disruptions showcased Amazon’s robust risk management capabilities. Overall, Amazon’s successful management of the supply chain crisis highlighted the importance of a well-structured risk assessment framework. The company’s actions ensured continuity in its operations and reinforced its reputation as a reliable retailer. Effective risk assessment not only helped Amazon navigate the immediate challenges but also positioned it for long-term success. Amazon’s risk assessment framework is comprehensive, incorporating proactive and reactive measures to address various risks. The case study of supply chain disruptions during the COVID-19 pandemic illustrates the company’s ability to handle significant challenges effectively. By implementing strategic risk assessment practices, Amazon maintained its operational efficiency and customer trust. The success of these initiatives underscores the value of a robust risk management framework in achieving long-term business success.

Key Factors in Successful Risk Management

Common Elements in Successful Risk Management Case Studies

Successful risk assessment case studies reveal several common elements. Each case highlights the importance of a structured risk management framework. Key elements include thorough risk identification, comprehensive risk assessment, and effective mitigation strategies. Organizations that succeed in managing risks typically use these practices to address potential issues before they escalate. One common element is the establishment of clear risk management policies. These policies guide decision-making and ensure that risk management is integrated into all aspects of the organization. Effective communication of these policies to all employees is also crucial for successful risk management. Another element is the use of advanced risk management tools and techniques. Successful organizations often employ sophisticated software and methodologies to assess and manage risks. They continuously monitor risks and adjust their strategies based on new information and changing conditions.

Role of Leadership in Risk Management

Leadership plays a pivotal role in successful risk management. Leaders set the tone for how risk assessment is approached within an organization. They must champion risk management initiatives and ensure that resources are allocated appropriately. Effective leaders actively promote a culture of risk awareness. They encourage open communication about risks and foster an environment where employees feel comfortable reporting potential issues. Leaders also play a critical role in making informed decisions based on risk assessments and mitigation strategies. Leadership is essential for driving the implementation of risk assessment strategies. Leaders must ensure that risk assessment practices are not only planned but also executed effectively. Their involvement in overseeing and reviewing risk assessment processes helps maintain accountability and ensures that the strategies are achieving their intended outcomes.

Importance of Proactive Risk Assessment and Planning

Proactive risk assessment and planning are vital components of successful risk management. Identifying potential risks before they occur allows organizations to prepare and implement mitigation strategies in advance. This proactive approach minimizes the impact of risks and enhances overall resilience. Effective risk management involves regularly updating risk assessments and planning based on new information and emerging threats. Organizations that anticipate risks and develop contingency plans are better equipped to handle unexpected challenges. Proactive planning helps in adapting strategies quickly and effectively when risks materialize. Additionally, proactive risk assessment encourages continuous improvement. Organizations that regularly review and refine their risk assessment processes can better address future risks. This iterative approach ensures that risk assessment strategies remain relevant and effective over time. In short, successful risk assessment case studies share common elements such as structured frameworks and advanced tools. Leadership is crucial in promoting a culture of risk awareness and ensuring effective execution of strategies. Proactive risk assessment and planning are essential for minimizing risk impact and enhancing organizational resilience.

Challenges in Risk Management

Potential Obstacles to Effective Risk Management

Effective risk management can face several obstacles that organizations must address to ensure success. One significant obstacle is a lack of data. Incomplete or inaccurate data can hinder the ability to identify and assess risks accurately. Organizations must invest in robust data collection and analysis systems to overcome this challenge. Another obstacle is resistance to change. Employees and stakeholders may be resistant to new risk management processes or tools. To address this, organizations should focus on clear communication and training to build acceptance and understanding. Limited resources can also impede effective risk management. Budget constraints or a shortage of skilled personnel can affect the implementation of comprehensive risk management strategies. Organizations should prioritize risk management within their budgets and seek external expertise when necessary.

The Dynamic Nature of Risks

Today’s business environment presents a dynamic landscape of risks. Rapid technological advancements, changing regulations, and global economic fluctuations continually introduce new risks. This dynamic nature means that risk management strategies must be agile and adaptable. For example, the rise of cyber threats has introduced new challenges in managing data security risks. Organizations must continuously update their cybersecurity measures to address evolving threats. Similarly, global trade uncertainties can impact supply chain risks, requiring businesses to adjust their strategies frequently. The rapid pace of change in the business environment means that risk assessment cannot be static. Organizations must regularly review and update their risk assessment strategies to keep pace with new and emerging risks.

Strategies for Overcoming Challenges in Risk Management

To overcome the challenges in risk assessment, organizations can adopt several effective strategies. First, investing in advanced risk assessment technologies can enhance data accuracy and analysis capabilities. Tools like predictive analytics and artificial intelligence can help identify and assess risks more effectively. Second, fostering a culture of risk awareness is crucial. Encouraging open communication about risks and involving employees in risk assessment processes can reduce resistance to change. Regular training and awareness programs can help employees understand and embrace risk management practices. Third, building flexibility into risk assessment strategies allows organizations to adapt to changing conditions. Implementing a dynamic risk assessment framework enables businesses to respond quickly to new risks and adjust strategies as needed. This flexibility is essential for managing risks in today’s fast-paced environment. Finally, leveraging external expertise can address resource limitations. Engaging consultants or partnering with risk assessment firms can provide additional support and insights. These external resources can help organizations implement best practices and overcome internal constraints. Addressing obstacles to effective risk assessment requires a proactive approach. Understanding the dynamic nature of risks and implementing strategies to overcome challenges can enhance an organization’s risk assessment capabilities. By investing in technology, fostering a risk-aware culture, and maintaining flexibility, businesses can navigate the complexities of today’s risk environment successfully.

Best Practices in Risk Management

Industry Best Practices in Risk Management

Effective risk assessment relies on adopting industry best practices to address potential threats. Organizations across various sectors use proven strategies to successfully manage risks. Implementing comprehensive risk assessment processes and establishing clear risk policies are fundamental practices. Regular training and communication ensure employees understand their roles in risk assessment. Additionally, developing and continuously reviewing robust contingency plans prepares organizations for unforeseen challenges. Sharing these practices across industries enhances overall risk assessment standards and offers valuable insights for improvement.

The Role of Technology in Enhancing Risk Management

Technology significantly enhances risk assessment capabilities by providing real-time data and analytical insights. Advanced tools such as artificial intelligence, machine learning, and data analytics help identify patterns and predict potential risks. Predictive analytics, for example, forecasts future risks based on historical data and current trends, enabling proactive risk mitigation. Risk assessment software integrates various data sources, offering a comprehensive view of risk exposure and facilitating informed decision-making. Cybersecurity tools also play a crucial role by monitoring networks, detecting vulnerabilities, and responding to potential breaches, ensuring data security and integrity. Automation tools streamline risk assessment processes, reducing manual errors and increasing efficiency.

Successful Risk Management Techniques Used by Top Organizations

Successful risk assessment techniques from leading organizations illustrate the effectiveness of various strategies. General Electric (GE) employs a risk assessment framework that integrates advanced analytics and real-time data monitoring. This approach allows GE to use predictive analytics for assessing operational risks and implementing preventive measures, effectively managing risks across its global operations. JPMorgan Chase utilizes comprehensive risk management practices, including advanced technology for monitoring financial risks. The bank’s use of machine learning algorithms to analyze transaction data helps detect fraudulent activities and prevent financial losses. Procter & Gamble (P&G) implements a multi-layered risk assessment strategy, including regular risk assessments and contingency planning. The company leverages data-driven insights to anticipate supply chain disruptions and develop response plans, maintaining operational stability. Amazon uses technology to enhance its logistics and supply chain management. Real-time tracking systems and predictive analytics optimize inventory management, reducing operational risks and ensuring smooth operations. Adopting industry best practices, leveraging technology, and learning from successful case studies strengthen risk management strategies. These approaches enhance the ability to manage risks effectively and ensure operational resilience. By embracing proven techniques and advanced tools, organizations can navigate uncertainties and achieve long-term success.

The Importance of Successful Risk Management

Successful risk management is crucial for organizational stability and growth. It helps identify potential threats and mitigate their impact. Effective risk management protects a company’s reputation and financial health. It enables organizations to respond proactively to emerging risks. By managing risks well, companies can ensure resilience and long-term success.

Key Takeaways from the Case Studies

Case studies of successful risk management highlight several key points. Toyota’s handling of the 2010 recall crisis demonstrates the value of a swift, transparent response. The company’s proactive measures and improved quality controls showcase the importance of learning from past issues. Another case study might illustrate how effective risk management strategies can prevent operational disruptions and protect brand reputation. These examples underline the need for comprehensive risk assessment and robust response plans.

Encouraging Organizations to Prioritize Risk Management

Organizations should prioritize risk assessment to achieve long-term success. Developing a strong risk management framework helps in anticipating and addressing potential threats. Investing in risk assessment tools and processes safeguards against unexpected challenges. Effective risk assessment not only protects assets but also enhances operational efficiency.

User: American Profession Guide

The future of operational-risk management in financial services

New forces are creating new demands for operational-risk management in financial services. Breakthrough technology, increased data availability, and new business models and value chains are transforming the ways banks serve customers, interact with third parties, and operate internally. Operational risk must keep up with this dynamic environment, including the evolving risk landscape.

Legacy processes and controls have to be updated to begin with, but banks can also look upon the imperative to change as an improvement opportunity. The adoption of new technologies and the use of new data can improve operational-risk management itself. Within reach is more targeted risk management, undertaken with greater efficiency, and truly integrated with business decision making.

The advantages for financial-services firms that manage to do this are significant. Already, efforts to address the new challenges are bringing measurable bottom-line impact. For example, one global bank tackled unacceptable false-positive rates in anti–money laundering (AML) detection—which were as high as 96 percent. Using machine learning to identify crucial data flaws, the bank made necessary data-quality improvements and thereby quickly eliminated an estimated 35,000 investigative hours. A North American bank assessed conduct-risk exposures in its retail sales force. Using advanced-analytics models to monitor behavioral patterns among 20,000 employees, the bank identified unwanted anomalies before they became serious problems. The cases for change are in fact diverse and compelling, but transformations can present formidable challenges for functions and their institutions.

The current state

Operational risk is a relatively young field: it became an independent discipline only in the past 20 years. While banks have been aware of risks associated with operations or employee activities for a long while, the Basel Committee on Banking Supervision (BCBS), in a series of papers published between 1999 and 2001, elevated operational risk to a distinct and controllable risk category requiring its own tools and organization. [Footnote 1: The standard Basel Committee on Banking Supervision definition of operational (or nonfinancial) risk is “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” See Basel Committee on Banking Supervision: Working paper on the regulatory treatment of operational risk, Bank for International Settlements, September 2001, bis.org.] In the first decade of building operational-risk-management capabilities, banks focused on governance, putting in place foundational elements such as loss-event reporting and risk-control self-assessments (RCSAs) and developing operational-risk capital models. The financial crisis precipitated a wave of regulatory fines and enforcement actions on misselling, questionable mortgage-foreclosure practices, financial crimes, London Inter-bank Offered Rate (LIBOR) fixing, and foreign-exchange misconduct. As these events worked their way through the banking system, they highlighted weaknesses of earlier risk practices. Institutions responded by making significant investments in operational-risk capabilities. They developed risk taxonomies beyond the BCBS categories, put in place new risk-identification and risk-assessment processes, and created extensive controls and control-testing processes. While the industry succeeded in reducing industry-wide regulatory fines, losses from operational risk have remained elevated (Exhibit 1).

Intrinsic difficulties

While banks have made good progress, managing operational risk remains intrinsically difficult, for a number of reasons. Compared with financial risk such as credit or market risk, operational risk is more complex, involving dozens of diverse risk types. Second, operational-risk management requires oversight and transparency of almost all organizational processes and business activities. Third, the distinguishing definitions of the roles of the operational-risk function and other oversight groups—especially compliance, financial crime, cyberrisk, and IT risk—have been fluid. Finally, until recently, operational risk was less easily measured and managed through data and recognized limits than financial risk.

This last constraint has been lifted in recent years: granular data and measurement on operational processes, employee activity, customer feedback, and other sources of insight are now widely available. Measurement remains difficult, and risk teams still face challenges in bringing together diverse sources of data. Nonetheless, data availability and the potential applications of analytics have created an opportunity to transform operational-risk detection, moving from qualitative, manual controls to data-driven, real-time monitoring.

As for the other challenges, they have, if anything, steepened. Operational complexity has increased. The number and diversity of operational-risk types have enlarged, as important specialized-risk categories become more defined, including unauthorized trading, third-party risk, fraud, questionable sales practices, misconduct, new-product risk, cyberrisk, and operational resilience.

At the same time, digitization and automation have been changing the nature of work, reducing traditional human errors but creating new change-management risks; fintech partnerships create cyberrisks and produce new single points of failure; the application of machine learning and artificial intelligence (AI) raises issues of decision bias and ethical use of customer data. Finally, the lines between the operational-risk-management function and other second-line groups, such as compliance, continue to shift. Banks have invested in harmonizing risk taxonomies and assessments, but most recognize that significant overlap remains. This creates frustration among business units and frontline partners.

Taken together, these factors explain why operational-risk management remains intrinsically difficult and why the effectiveness of the discipline —as measured by consumer complaints, for example—has been disappointing (Exhibit 2).

Looking ahead

Against these challenges, risk practitioners are seeking to develop better tools, frameworks, and talent. Leading companies are discarding the “rearview mirror” approach, defined by thousands of qualitative controls. For effective operational-risk management, suitable to the new environment, these organizations are refocusing the front line on business resiliency and critical vulnerabilities. They are adopting data-driven risk measurement and shifting detection tools from subjective control assessments to real-time monitoring.

The objective is for operational-risk management to become a valuable partner to the business. Banks need to take specific actions to move the function from reporting and aggregation of first-line controls to providing expertise and thought partnership. The areas where the function will help execute business strategy include operational strengths and vulnerabilities, new-product design, and infrastructure enhancements, as well as other areas that allow the enterprise to operate effectively and prevent undue large-scale risk issues.

Defining next-generation operational-risk management

The operational-risk discipline needs to evolve in four areas: 1) the mandate needs to expand to include second-line oversight, to support operational excellence and business-process resiliency; 2) analytics-driven issue detection and real-time risk reporting have to replace manual risk assessments; 3) talent needs to be realigned as digitization progresses and data and analytics are rolled out: banks will need specialists to manage specific risk types such as cyberrisk, fraud, and conduct risk; and 4) human-factor risks will have to be monitored and assessed—including those that relate to misconduct (such as sexual harassment) and to diversity and inclusion.

The evolution includes the shift to real-time detection and action. This will involve the adoption of more agile ways of working, with greater use of cross-disciplinary teams that can respond quickly to arising issues, near misses, and emerging risks or threats to resilience.

1. Develop second-line oversight to ensure operational excellence and business-process resiliency

The original role of operational-risk management was focused on detecting and reporting nonfinancial risks, such as regulatory, third-party, and process risk. We believe that this mandate should expand so that the second line is an effective partner to the first line, playing a challenge role to support the fundamental resiliency of the operating model and processes. A breakdown in processes is at the core of many nonfinancial risks today, including negative regulatory outcomes, such as missing disclosures, customer and client disruption, and revenue and reputational costs. The operational-risk-management function should help chief risk officers and other senior managers answer several key questions, such as: Have we designed business processes in each area to provide consistent, positive customer outcomes? Do these processes operate well in both normal and stress conditions? Is our change-management process robust enough to prevent disruptions? Is the operating model designed to limit risk from bad actors?

Untransformed operational-risk-management functions have limited insight into the strength of operational processes or they rely on an extensive inventory of controls to ensure quality. Controls, however, are not effective in monitoring process resilience. A transaction-processing system, for example, may have reconciliation controls (such as a line of checkers) that perform well under normal conditions but cannot operate under stress. This is because the controls are fundamentally reliant on manual activities. Similarly, controls on IT infrastructure may not prevent a poorly executed platform transition from leading to large customer disruptions and reputational losses.

New frameworks and tools are therefore needed to properly evaluate the resiliency of business processes, challenge business management as appropriate, and prioritize interventions. These frameworks should support the following types of actions:

  • Map processes, risks, and controls. Map the processes, along with associated risks and controls, including overall complexity, number of handoffs involved, and automation versus reliance on manual activities (particularly when the danger is high for negative customer outcomes or regulatory mistakes). This work will ideally be done in conjunction with systemic controls embedded in the process; end-to-end process ownership minimizes handoffs and maximizes collaboration.
  • Identify supporting technology. Identify and understand the points where processes rely on technology.
  • Monitor risks and controls. Create mechanisms and metrics (such as higher-than-normal volumes) to enable the monitoring of risk levels and control effectiveness, in real time wherever possible.
  • Link resource planning to processes. Link resource planning to the emergent understanding of processes and associated needs. Be ready to scale capacity up or down according to the results of process monitoring.
  • Reinforce needed behavior. Ensure reinforcement mechanisms for personal conduct, using communications, training, performance management, and incentives.
  • Enable feedback. Establish feedback mechanisms for flagging potential issues, undertaking root-cause analysis, and updating or revising processes as needed to address the causes.
  • Establish change management. Establish systematic, ongoing change management to ensure the right talent is in place, test processes and capacity, and provide guidance, particularly for technology.

2. Transform risk detection with data and real-time analytics

In response to regulatory concerns over sales practices, most banks comprehensively assessed their sales-operating models, including sales processes, product features, incentives, frontline-management routines, and customer-complaint processes. Many of these assessments went beyond the traditional responsibilities of operational-risk management, yet they highlight the type of discipline that will become standard practice. While making advances in some areas, banks still rely on many highly subjective operational-risk detection tools, centered on self-assessment and control reviews. Such tools have been ineffective in detecting cyberrisk, fraud, aspects of conduct risk, and other critical operational-risk categories. Additionally, they miss low-frequency, high-severity events, such as misconduct among a small group of frontline employees. Finally, some traditional detection techniques, such as rules-based cyberrisk and trading alerts, have false-positive rates of more than 90 percent. Many self-assessments in the first and second line consequently require enormous amounts of manual work but still miss major issues.

Targeted analytics tools

Advanced analytics has applications in all, or nearly all, areas of operational risk. It is creating significant improvements in detecting operational risks, revealing risks more quickly, and reducing false positives. Whether in information security, data, compliance, technology and systems, process failure, or even personal security and other human-factor risks, the advanced-analytics advantage is becoming increasingly evident. Some applications are described below:

  • Anti–money laundering. Replacing rules-driven alerts with machine-learning models can reduce false positives and focus resources on cases that actually require investigation.
  • Conduct. Analytics engines can identify suspicious sales patterns, connecting the dots across sales, product usage, incentives, and customer complaints (for example, increases in nonactivated deposits, accounts sold by a retail banker, or trades triggered by a wealth-management adviser as they approach compensation breakpoints). Trade-monitoring analytics can mine trading and communication patterns for potential markers of conduct risk.
  • Cyberrisk. Machine learning can analyze sources of signals, identify emerging threats, replace existing rules-based triggers, and reduce false-positive alerts.
  • Fraud. Machine learning, including unsupervised techniques, can identify fraudulent transactions and reduce false positives; synthetic-ID-fraud analytics use external, third-party data, in accordance with all local regulation, to analyze the depth and consistency in the identity profiles of new customers.
  • Process quality and regulatory risks. Automated call surveillance using natural-language processing can monitor adherence to disclosure requirements. Systemic quality-control touchpoints can check the accuracy of decisions, disclosures, and filings against customer-provided information and regulatory rules (for example, the accuracy of a bankruptcy filing against the system of record information).
  • Third-party risk. Models can be developed that quantify the reliance on key third parties (including hidden fourth-party exposures) to drive better business-continuity planning and bring a risk-based perspective to vendor assessment and selection.

Operational-risk managers must therefore rethink their approaches to issue detection. Advances in data and analytics can help. Banks can now tap into large repositories of structured and unstructured data to identify risk issues across operational-risk categories, moving beyond reliance on self-assessments and subjective controls. These emerging detection tools might best be described in two broad categories:

  • Real-time risk indicators include real-time testing of operational processes and controls and risk metrics that identify areas operating under stress, spikes in transaction volumes, and other determinants of risk levels.
  • Targeted analytics tools can connect the data dots to detect potential risk issues (see sidebar “Targeted analytics tools”). By mining sales and customer data, banks can detect potentially unauthorized sales. Machine-learning models can detect cyberrisk levels, fraud, and potential money laundering. As long as all privacy measures are respected, institutions can use natural-language processing to analyze calls, emails, surveys, and social-media posts to identify spikes in risk topics raised by customers in real time.

Exhibit 3 shows how a risk manager using natural-language processing can identify a spike in customer complaints related to the promotion of new accounts. Looking into the underlying complaints and call records, the manager would be able to identify issues in how offers are made to customers.

A number of banks are investing in objective, real-time risk indicators to supplement or replace subjective assessments. These indicators help risk managers track general operational health, such as staffing sufficiency, processing times, and inventories. They also provide early warnings of process risks, such as inaccurate decisions or disclosures, and the results of automated exception reporting and control testing.

Together, analytics and real-time reporting can transform operational-risk detection, enabling banks to move away from qualitative self-assessments to automated real-time risk detection and transparency. The journey is difficult—it requires that institutions overcome challenges in data aggregation and building risk analytics at scale—yet it will result in more effective and efficient risk detection.

3. Develop talent and the tools to manage specialized risk types

Examples of specialized expertise.

Risk category: Cyberrisk

Expertise needed for challenge and oversight

  • Pathways to vulnerability (such as the impact of a threat like NotPetya)
  • The bank’s most valuable assets (the “crown jewels”)
  • Sources of exposure for a given organization

Talent profiles

  • Cybersecurity background
  • Senior status to engage the business and technology organizations

Risk category: Fraud

Expertise needed for challenge and oversight

  • Fraud patterns (for instance, through the dark web)
  • Technology and cybersecurity
  • Interdependencies across fraud, cybersecurity, IT, and business-product decisions

Talent profiles

  • Former senior technology managers
  • Cybersecurity professionals, ideally with an analytics background

Risk category: Conduct

Expertise needed for challenge and oversight

  • Ways employees can game the system in each business unit (for instance, retail, wealth, and capital markets)
  • Specific behavioral patterns, such as how traders could harm client interests for their own gain

Talent profiles

  • Former branch managers and frontline supervisors
  • Former traders and back-office managers
  • First-line risk managers with experience in investigating conduct issues

A range of emerging risks, all of which fall under the operational-risk umbrella, present new challenges for banks. To manage these risks—in areas such as technology, data, and financial crime—banks need specialized knowledge and tools. For example, managing fraud risk requires a deep understanding of fraud typologies, new and emerging vulnerabilities, and the effectiveness of first-line processes and controls. Similarly, oversight of conduct risks requires up-to-date knowledge about how systems can be “gamed” in each business line. In capital markets, for instance, some products are more susceptible than others to nontransparent communication, misselling, misconduct in products, and manipulation by unscrupulous employees. Operational-risk officers will need to rethink their risk organization and recruit talent to support process-centric risk management and advanced analytics. These changes in talent composition are significant and different from what most banks currently have in place (see sidebar “Examples of specialized expertise”).

With specialized talent in place, banks will then need to integrate the people and work of the operational-risk function as never before. To meet the challenge, organizations have to prepare leaders, business staff, and specialist teams to think and work in new ways. They must help them adapt to process-driven risk management and understand the potential applications of advanced analytics. The overall objective is to create an operational-risk function that embraces agile development, data exploration, and interdisciplinary teamwork.

4. Manage human-factor risks

Bank employees drive corporate performance but are also a potential source of operational risk. In recent years, conduct issues in sales and instances of LIBOR and foreign-exchange manipulation have elevated the human factor in the nonfinancial-risk universe. In the past, HR was mainly responsible for addressing conduct risk, as part of its oversight role in hiring and investigating conduct issues. As the potential for human-factor risks to inflict serious damage has become more apparent, however, banks are recognizing that this oversight must be included in the operational-risk-management function.

Developing effective risk-oversight frameworks for human-factor risks is not an easy task, as these risks are diverse and differ from many other operational-risk types. Some involve behavioral transgressions among employees; others involve the abuse of insider organizational knowledge and finding ways around static controls. These risks, that is, have more to do with culture, personal motives, and incentives than with operational processes and infrastructure. And they are hard to quantify and prioritize in organizations with many thousands of employees in dozens or even hundreds of functions.

To prioritize areas of oversight and intervention, leading operational-risk executives are taking the following steps. They first determine which groups within the organization present disproportionate human-factor risks, including misconduct, mistakes with heavy regulatory or business consequences, and internal fraud. Analyzing functions within each business unit, operational-risk leaders can then identify those that present the greatest inherent risk exposure. The next step is to prioritize the “failure modes” behind the risks, including malicious intent (traditional conduct risk), inadequate respect for rules, lack of competence or capacity, and the attrition of critical employees. The prioritized framework can be visualized in a heat map (Exhibit 4).

The heat map provides risk managers with the basis for partnering with the first line to develop a set of intervention programs tailored to each high-risk group. The effort includes monitoring, oversight, role modeling, and tone setting from the top. Additionally, training, consequence management, a modified incentive structure, and contingency planning for critical employees are indispensable tools for targeting the sources of exposure and appropriate first-line interventions.

A brighter future

Through the four-part transformation we have described, operational-risk functions can proceed to deepen their partnership with the business, joining with executives to derisk underlying processes and infrastructure. Historically, operational-risk management has focused on reporting risk issues, often in specialized forums removed from day-to-day assessment. Many organizations have thus viewed operational-risk activities as a regulatory necessity and of little business value. The function is accustomed to react to business priorities rather than involve itself in business decision making.

To be effective, operational-risk management needs to change these assumptions. When equipped with objective data and measurement, the function well understands the true level of risk. It is therefore in a unique position to see nonfinancial risks and vulnerabilities across the organization, and it can best prioritize areas for intervention. Together with the business lines, operational-risk management can identify and shape needed investments and initiatives. This would include efforts to digitize operations to remove manual errors, changes in the technology infrastructure, and decisions on product design and business practices. By helping the business meet its objectives while reducing risks of large-scale exposure, operational-risk management will become a creator of tangible value.

The relationship between operational-risk management and the business can also integrate operational-risk reporting and executive and board reporting—including straight-through processing rates, incidents detected, key risk indicators, and insights from complaints and customer calls.

Progress will require time, investment, and management attention, but the transformation of operational-risk management offers institutions compelling opportunities to reduce operational risk while enhancing business value, security, and resilience.

Joseba Eceiza is a partner in McKinsey’s Madrid office; Ida Kristensen and Dmitry Krivin are both partners in the New York office, where Hamid Samandari is a senior partner; and Olivia White is a partner in the San Francisco office.


Operational Risk Management: A Complete Guide to a Successful Operational Risk Framework by Philippa X. Girling


Case Studies

In this chapter, we dig deeper into four case studies: JPMorgan Whale, UBS Unauthorized Trading, Knight Capital Technology Glitch, and Standard Chartered Anti–Money Laundering Scandal.

JPMORGAN WHALE: RISKY OR FRISKY?

Are large losses at banks always a sign of poor governance, or are they sometimes merely the realization of losses that were expected, and even planned for, in the well-governed risk management of the firm? In May 2012, JPMorgan announced that it had lost $2 billion (possibly much more) on a hedging strategy that was being driven by Bruno Michel Iksil, aka “The London Whale,” in its chief investment office. Was this poor governance, or were these losses predictable under JPMorgan's risk management practices? Was this acceptable risky behavior, or was it frisky misbehavior?

You can't win the game all of the time, and for every winner, there is a loser somewhere in the financial system. For each loss event that happens, we should ask the same question: Were these losses within the boundaries of the bank's known risk, or were they out of control?

We have all heard the worn-out caveat “investments may go down as well as up,” and we all know that the banking industry sometimes makes money on its risk-taking activities and sometimes loses it on those same activities. So why all the noise in the press about these JPMorgan losses?

  • “London Whale Harpooned” 1
  • “JPMorgan's ‘Whale’ Causes a Splash” 2
  • “Beached London Whale” 3

Anything over a billion dollars ...


COMMENTS

  1. CHAPTER 31 Operational Risk Management Case Study Bon Boulangerie

    CHAPTER 31 Operational Risk Management Case Study Bon Boulangerie. DIANA DEL BEL BELLUZ. President, Risk Wise Inc. Bon Boulangerie is a bakery business located in Oakville, Ontario. When the owner, Ray Pane, purchased the business three years ago, it consisted of a single site with baking facilities and a retail store and café.

  2. Solved Operational Risk Management Case Study Bon

    Based on market research with the bakery's. Operational Risk Management Case Study Bon Boulangerie DIANA DEL BEL BELLUZ President, Risk Wise Inc. Bon Boulangerie is a bakery business located in Oakville, Ontario. When the owner, Ray Pane, purchased the business three years ago, it consisted of a single site with baking facilities and a retail ...

  3. Operational Risk Management: A Case Study Approach to Effective

    Operational Risk Management offers peace of mind to business and government leaders who want their organizations to be ready for any contingency, no matter how extreme. This invaluable book is a preparatory resource for when times are good, and an emergency reference when times are bad. Operational Risk Management is destined to become every risk manager's ultimate weapon to help his or her ...

  4. Operational Risk Management

    For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand.

  5. Solved Operational Risk Management Case Study Bon

    Transcribed image text: Operational Risk Management Case Study Bon Boulangerie DIANA DEL BEL BELLUZ President, Risk Wise Inc. Bon Boulangerie is a bakery business located in Oakville, Ontario. When the owner, Ray Pane, purchased the business three years ago, it consisted of a single site with baking facilities and a retail store and café.

  6. Case Study Bon Boulangerie

    Citation preview. College of Business Administration Operational Risk Management Case Study: Bon Boulangerie Borja, Jill Calimlim, Niccolo Covarrubia, Isabelle Elizar, Alaine Elnar, Mary Galarpe, Jim Roy Griego, Jubilee Mercader, Joan Palpallatoc, Aila Risk Management First Semester, 2019-2020 TABLE OF CONTENTS 1. BACKGROUND OF THE COMPANY/CASE 2. VIEWPOINT/POINT O

  7. Operational Risk Management: Overview and Guide

    A Brief History of Operational Risk. Over the last two decades, the methodology for evaluating internal controls and risks has become more and more standardized. The standardization has been in response to government regulators, credit-rating agencies, stock exchanges, and institutional investor groups demanding greater levels of insight and assurance over companies' risk-control environment ...

  8. Bon Boulangerie

    Note: Regarding the purchase of the second-hand delivery truck, besides the fact that the truck was indeed bought used (previously owned), another meaning is that the truck...

  9. Operational Risk Management

    Operational risk management : a case study approach to effective planning and response / Mark D. Abkowitz. p. cm. Includes index. ISBN 978--470-25698-5 (cloth) 1. Risk assessment. 2. Risk management. 3. Emergency management. I. Title. HD61.A23 2008 658.15 5-dc22 2007045583 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1

  10. ORM Case Studies and Standards

    Case Studies and Standards. The following resources are publicly available. These reading list items should be combined with the Operational Risk Management Certificate Handbook. Case Studies. Bankers Trust. Bankgesellschaft Berlin. Barings. China Aviation Oil. Fannie Mae and Freddie Mac.

  11. Case Studies of Successful Risk Management

    Effective risk management protects a company's reputation and financial health. It enables organizations to respond proactively to emerging risks. By managing risks well, companies can ensure resilience and long-term success. Key Takeaways from the Case Studies. Case studies of successful risk management highlight several key points.

  12. Chapter 3: Case Studies

    Case Studies. After studying this chapter, you should be able to: 1 Evaluate and analyse the basic operational risk factors that can lead to loss events from process, people, system, and external causes. 2 Understand the background and chronology and analyse the risk factors and response in the DBS safety box case, the Société Générale ...

  13. The future of operational risk management

    Taken together, these factors explain why operational-risk management remains intrinsically difficult and why the effectiveness of the discipline—as measured by consumer complaints, for example—has been disappointing (Exhibit 2). Looking ahead. Against these challenges, risk practitioners are seeking to develop better tools, frameworks, and talent.

  14. Chapter 18: Case Studies

    CHAPTER 18 Case Studies In this chapter, we dig deeper into four case studies: JPMorgan Whale, UBS Unauthorized Trading, Knight Capital Technology Glitch, and Standard Chartered Anti-Money Laundering Scandal. JPMORGAN … - Selection from Operational Risk Management: A Complete Guide to a Successful Operational Risk Framework [Book]