MODULE 3

Operational Risk Management

This module is designed to assist a line or operational manager in managing the organization’s operational risks. It explores the concepts of operational management and risk. This module also focuses on understanding what managing operational risk means in this context, as well as the sources of operational risk. Finally, the module considers how operational risks can affect the organisation, and how the organisation must integrate the practice of the management of operational risk with governance requirements, and the responsibility and accountability for the cost of operational risk.

Module 3: Operational Risk Management is divided into six sections:

Section 1: Operational Management and Risk

This section provides a clear understanding of the concept of risk and develops skills in risk management, which are essential for line and operational managers to ensure their operational areas contribute to creating the organisation’s vision of the future.

Learning outcomes:
Upon completing this section, the student should be able to:

  • Define operational management
  • Recall some examples of operational activities
  • State the main responsibility of the operational manager
  • List some common ways in which organisations structure their operational units
  • Describe the negative consequences of silo-oriented organizational cultures
  • Describe the factors operational managers need to identify and understand to be able to apply risk management within a wide range of organisations
  • Describe the most common organizational types
  • Describe the common organizational attributes
  • Describe the three major components of all organisations
  • Distinguish between inputs and outputs
  • Recall some of the categories for grouping organizational outputs
  • Define an organisation in the context of the business process between inputs and outputs
  • Recall some examples of opportunities of which organisations can take advantage in a changing market
  • Define strategic planning
  • Recall some of the areas in which strategic plans involve decisions
  • Distinguish between strategic and operational plans
  • Describe the key components of managing operational risk
  • Distinguish between past and present approaches to managing operational risks
  • Recall some typical sources of operational risk
  • Describe some of the consequences of losses resulting from operational risks
  • Describe the impact of seasonal variations on losses resulting from operational risks
  • Describe the two critical background issues associated with operational risk management.

Section 2: Operational Risk Context

This section outlines the steps, techniques and tools that can assist in establishing the context of operational risk exposures.

Learning outcomes:
Upon completing this section, the student should be able to:

  • Describe the purpose of establishing the context of operational risk
  • Identify some examples of the fundamental aspects of the operational risk context.
  • Describe the elements of an operation’s internal and external environment.
  • Explain the significance and role of internal and external stakeholders in establishing the operational risk context.
  • Define stakeholder pre-loss and post-loss objectives.
  • Describe the importance of a helicopter view of risk.
  • Describe various techniques for stakeholder consultation.
  • Describe the ways in which stakeholders add value to the operational risk management process.
  • Recall the four types of operational risk.
  • Outline the importance of creating criteria for a hierarchy of risks.
  • Order the broader risk categories in the hierarchy of risks.
  • Recall some of the fundamental legislative Acts and regulations with which your operation is required to comply.

Section 3: Identifying Operational Risk

This section examines critical issues of which operational managers need to be aware as they undertake risk identification, a fundamental element in the operational risk management process.

The section also explores the need to describe, or express and communicate a risk, through statements highlighting the benefits of risk management for an operation.

Finally, this section analyses the application of a risk matrix.

Learning outcomes:
Upon completing this section, the student should be able to:

  • Recall some of the consequences of an operation failing to adequately identify its risk exposures.
  • Recall some of the open questions organisations can ask to begin the risk identification process.
  • Recall some of the stakeholders who could contribute to operational risk identification.
  • Describe some of the issues operational managers need to consider that may affect successful risk identification in their operations.
  • Identify some of the consequences of operational areas failing to communicate.
  • Recall key elements of a risk statement.
  • Describe the components of a well-written risk statement.
  • Recall the formula for a consistent risk statement.
  • Summarise the advantages of expressing risks in a simple narrative format.
  • Recall the key risk components of a risk statement.
  • Define a risk matrix.
  • Identify inputs of the operation exposed to risk.
  • Identify generic sources of operational risk, which organisations can use to construct a typical risk matrix.
  • Recall some of the questions managers can ask to complete their identification of operational risks.
  • Identify independent risk identification techniques organisations can apply in the process of identifying risks in an operation.
  • Recall some of the typical techniques that designated risk managers or professionals can use to engage others in the risk identification process.

Section 4: Analysing and Treating Operational Risks

This section considers the techniques by which the operational manager can find a practical balance between the many risks and few resources inherent in the risk management process.

Learning outcomes:
Upon completing this section, the student should be able to:

  • Define operational risk analysis.
  • Describe the process of analysing identified risks against goals and objectives.
  • Recall some of the outcomes of a critical risk analysis.
  • Describe the purpose of measuring levels of impact.
  • Define the components which determine the level of risk.
  • Identify sources of information about how often a particular risk is likely to occur and the potential consequences if the risk does occur.
  • Recall the most frequently used types of analysis.
  • Describe some of the factors which can influence the organisation’s selection of a particular analysis method.
  • Define qualitative risk analysis methods.
  • Define semi-quantitative risk analysis methods.
  • Define quantitative methods of analysis.
  • Describe what is involved when beginning the operational risk treatment process.
  • Describe the major objective of the risk treatment process.
  • Outline the importance of a board-level defined risk appetite and tolerance in operational decision making.
  • Recall some of the abilities associated with selecting and implementing operational risk treatments.
  • Recall some of the factors on which selecting the most suitable risk treatment options depend.
  • Describe some of the categories organisations can use to classify identified risk treatments.
  • Outline what the operational manager needs to do if the organisation requires new risk treatments.
  • Recall some examples of resources organisations can draw upon in the risk treatment phase.
  • Recall some of the elements a typical risk treatment plan may include.
  • Recall some of the aspects of the operation’s normal management plans and processes that organisations must integrate into their risk treatment action plans.
  • List some of the elements that a typical one-page risk treatment action plan contains.

Section 5: Evaluating Operational Risk

This section provides an overview of evaluation techniques for identifying the cost of high- and low-level risks and losses.

Learning outcomes:
Upon completing this section, the student should be able to:

  • Describe the broader definition of operational risk management.
  • Describe the critical elements or concepts in the evaluation process.
  • Describe the importance of evaluating high-level risks.
  • Recall key steps of the risk review session.
  • Recall typical examples of acceptable sustainable losses.
  • Recall some of the factors that could cause a sudden shift in the level of a risk considered low.
  • Identify scenarios for which organisations may need to re-evaluate the appropriateness of treatments for low risks.

Section 6: Implementing Operational Risk Control and Management

This section tackles the final operational management step within the risk management process: implementing systems, processes and procedures to control and monitor operational risks.

Learning outcomes:
Upon completing this section, the student should be able to:

  • Explain the different characteristics of known (type 1) and unknown (type 2) risks.
  • Identify some ‘checks and balances’ an operation can adopt to integrate type 1 risk control and monitoring into its activities.
  • Distinguish between risk treatment assurance measures for type 1 and type 2 risk treatments.
  • Describe the elements of a treatment implementation plan.
  • Distinguish between measures of activity and measures of outcomes.
  • Describe the purpose of using KPIs in operational environments.
  • Describe characteristics of KPIs appropriate to use in an operational setting.
  • Recall some of the factors which form an important part in monitoring how well a risk treatment implementation program contributes to risk mitigation.
  • Describe key information incident reports should capture.
  • Recall some auditing tools organisations can use in addition to mini-reviews and general auditing.
  • Describe the purpose of implementing the operational risk treatment plan in conjunction with other operational units.
  • Locate resources to assist in integrating risk management into the operational framework.
  • Describe the criticality of employee acceptance of the operational risk management process.
  • Describe the different approaches in implementing risk treatment plans required for each risk type.
  • Identify the key elements of the process for implementing and monitoring risk treatment actions and activities.
  • Undertake the steps required to carry out the process for implementing and monitoring risk treatment actions and activities.
  • Describe a structure or framework for integrating a risk treatment implementation and monitoring program into different operational environments.
  • Describe and apply a systematic process for effectively integrating the management of risk into operational systems, culture and management.