Google the word “Risk” and you’ll see more than half a billion results. So what does it mean to manage operational risk, and what does it mean to be a resilient organization? It seems that every industry, company, and academic discipline has its own interpretation of “risk” and its implications. Additionally, the increase in regulations specifically focused on operational risk obligations is expected to drive the number of interpretations even higher in the years ahead (in fact, as you read this, I’m sure the number of Google results for “risk” has grown by a million or so). To help you think more clearly about operational risk, I thought I’d share a little about our operational risk framework in today’s post.
Organizations looking to understand what risk means to them, and how best to manage it, must first ask themselves a basic question: What are we trying to protect? For most organizations, the answer consists of some or all of the following key considerations:
- Our Reputation
Applying the operational risk framework
As a risk management consultant for the last 10-plus years, my approach is to focus on protecting my clients’ business by assessing the impact to their organization. Usually, I work on a team of experts to apply a scalable resiliency model that aligns directly with the client’s core business operations. The operational risk framework we use first considers the threats to the company and their impact across the entire organization, including facilities, people (workforce), IT/technology operations, and vendors/suppliers. Then, we assess the controls (preventive and reactive) currently in place to manage or mitigate risk, benchmarked against best-practice principles and procedures. Finally, the framework provides for a rigorous analysis of the data above and outputs a comprehensive view of the organization’s current risk profile, as well as a roadmap for lowering operational risk based on control recommendations.
As you ask yourself what you are trying to protect and what risk means to your business, consider an approach that aligns with your objectives, drives integration among key disciplines across the organization, and provides a holistic, scalable, and actionable framework for managing operational risk. Finally, don’t worry about the number of Google results; just focus on a practical and transparent approach that works for your organization…and go from there.
Read the free SunGard white paper, “This is NOT a Test! Taking a Risk-based Approach to Validating Resilience and Recoverability.”
For more informative blogs from my colleagues, check out:
1. Nicole Hoyle:
- Business Continuity and Disaster Recovery Planning: How to Get Your Organization Moving in the Right Direction, Part 1
- Part 2
2. Gary Kenick:
- ISO 22301: Is aligning or certifying your Business Continuity Management Program to the Standard the right thing to do? (Part 1)
- Part 2
3. Jon Murry: