New Guidance on Operational Risk

The guidelines make good points on how to manage risk but miss a key question: When should an organization <em>seek</em> risk?

The Risk Management Association has published Key Principles of Operational Risk Management. Designed by practitioners at financial services organizations, the document makes a number of good points. But let me start with what is missing: guidance on when to take risks. When an organization is focused on avoiding failure, it is very hard to be successful. Operational risk is basically about the things that can go wrong in day-to-day processes that can trip you up. It is impossible to eliminate such risk. The best you can hope for is to take a level of risk that is appropriate given the business and what it takes to be successful. The issue is not even about “balancing” risk and reward. The potential for reward should always be higher than the potential for loss – but the key is to use the same assessment methods to understand the potential range of positive effects or outcomes as is used to assess the potential harms. See also: A Revolution in Risk Management   Recognize that it’s not either/or, reward or loss. It is highly likely that both will occur! Anyway, the guidance makes some good points:
  • Risk management is an integral part of business management and should be incorporated into overall business and financial planning.
  • Business culture within institutions must embrace the value of risk escalation and welcome independent challenge of risk decisions. Soliciting multiple points of view and engaging in debate result in better, more informed decisions.
  • Senior management should provide direct oversight of current and emerging exposures. Meanwhile, risk management should be part of the normal management process and governance, not be made a separate, adjunct function.
  • Risk teams should be established with qualified, high-performing professionals who are closely integrated with business operations and the decision-making processes.
  • Effective risk management is a basic responsibility of business leaders and managers.
  • Risk management activities dictated solely by remote oversight functions lacking detailed execution experience are highly prone to error and inefficiency.
But I have a problem with the traditional perspective in this section: As part of sound business and strategic decision-making, operational risk implications must be assessed and considered to determine whether to
  • Manage the risk.
  • Tolerate the risk.
  • Transfer the risk (for example, by insuring against the risk).
  • Decline the risk.
To be successful, sometimes you need to take the risk, even to embrace the risk because of the potential for reward. See also: Risk Management, in Plain English The attitude of tolerating or even accepting the risk is simply wrong. Take it happily! If financial services organizations fail to take the right level of the right risks, they will fail and fade away. I welcome your comments.

Norman Marks

Profile picture for user NormanMarks

Norman Marks

Norman Marks has spent more than a decade as a chief audit executive (CAE) for major companies, with as much as $28 billion in annual revenue. He has implemented risk management, ethics programs and disclosure processes at multiple organizations.


Read More