As the repercussions of the COVID-19 pandemic endure, many organizations are still concerned about the pandemic’s effect on business operations, continuity, and service delivery.

Senior leadership must manage operational risk to mitigate those effects today and protect the organization from other unexpected shocks in the future. If executives don’t do that job well, their missteps could lead to risk events that disrupt operations, hurt the bottom line, and perhaps even cause organizational failure.

In this article, we share some key strategies to manage operational risk in a post-COVID world.

The Impact of COVID-19 on Operations and Supply Chains

The term “pandemic” is documented in the threat catalogs of nearly every organization’s third-party risk management program. In recent years, that theoretical threat became quite real, and tested operational continuity worldwide.

As a result, business continuity quickly supplanted cost-cutting, efficiency, and productivity as a top organizational concern. And operational continuity will keep getting tested as the pandemic continues; the delta variant demonstrates this.

In this challenging landscape, organizations must find ways to assure operational continuity. To do that, it’s crucial to manage operational risk.

Examples of Operational Risk

Before unpacking risk management process and strategies to manage operational risk, let’s first understand what “operational risk” really means. Simply put, operational risk is the risk of losses resulting from disruptions to operations and internal processes.

Considered a subset of enterprise risk management, operational risk can result from:

  • A breakdown in internal procedures
  • Human error
  • Disruption to business process controls
  • System failures
  • External events (such as natural disasters or, yes, a pandemic)
  • Inadequately trained staff
  • Employees’ participation in fraudulent activities
  • Cyberattacks and data breaches

In general, operational risk can come from:

  • Technology

    • Hardware
    • Software
    • Cybersecurity
    • Privacy
  • People

    • Employees
    • Vendors
    • Customers
    • Other stakeholders
  • Regulatory and compliance demands

Any operational risk can have a financial impact. Operational risk can also, however, have other repercussions that are more difficult to quantify. For example, disruptions to your delivery schedule might tarnish the organization’s reputation with customers.

The practical upshot: ongoing operational risk management is absolutely essential to minimize the impact of operational risks.

A Five-Step Process for Effective Operational Risk Management

It’s impossible to eliminate operational risk completely, so operational risk management (ORM) focuses on reducing and mitigating key risks related to the organization’s day-to-day operations. ORM is an ongoing activity since operational risks are constant, pervasive, and varied. The ORM process includes five stages:

  1. Risk Identification

    Identifying operational risks in the context of the organization’s objectives and goals is the natural first step to risk mitigation and reduction.

  2. Risk Assessment

    After all the operational risks (there will always be more than one) are identified, they are evaluated based on the potential harm and likelihood of occurrence. This activity helps the organization to understand which risks should be prioritized, and why.

  3. Risk Measurement and Mitigation

    In this stage, compare the cost of risk control to the cost of potential risk exposure. Then choose how to mitigate the risk:

    • Transfer the risk to a different organization, such as an insurance company;
    • Avoid the risk, such as by choosing a vendor with more robust internal controls for cybersecurity;
    • Accept the risk if the benefits outweigh the costs;
    • Control the risk to decrease its harm.
  4. Control Implementation

    Implement the necessary controls to mitigate or minimize the risk.

  5. Risk Monitoring and Reporting

    Operational risks are continuously monitored to determine whether there are any changes to their prevalence and severity. The original list of identified risks is modified accordingly (and regularly).

Operational Risk Management: Four Guiding Principles

The operational risk management process is guided by four guiding principles:

  1. Accept No Unnecessary Risk

    Any risk that will not contribute meaningfully to the task, project, or objective is unnecessary and may even jeopardize the organization. Such risks should not be accepted.

  2. Accept Risk When Benefits Outweigh Costs

    If the sum of benefits clearly outweighs the sum of costs, the risk should be accepted. If costs outweigh benefits, the risk should be rejected.

  3. Make Risk Decisions at the Appropriate Level

    The person who makes decisions about risk should understand the risk, allocate the right resources to reduce it, and implement the necessary controls.

  4. Anticipate and Manage Risk by Planning

    Plan thoroughly to identify possible future risks and create a proactive mitigation plan.

Operational Risk Management: Best Practices

Even though ORM is a compelling idea, several barriers make it challenging to manage operational risk: competing priorities, a lack of awareness, difficulty allocating resources, and an inability to perceive value in the operational risk framework.

The unavailability of standardized risk assessment processes and measurement methodologies, as well as complex ORM programs, can also hinder organizations’ ability to manage operational risk.

Nonetheless, by following these five best practices, enterprises can effectively manage operational risk and ensure business continuity:

  1. Implement Risk Accountability

    Every employee must be held accountable for risk management, although the extent can vary. Enterprise-wide accountability helps incorporate risk-based thinking into day-to-day activities and promotes a beneficial risk-aware culture.

  2. Champion ORM From the Top

    Senior management must champion the risk management program for it to be truly effective.

  3. Conduct Timely Risk Assessments

    Regular risk assessments help keep the enterprise risk profile up-to-date and allow ORM leaders to incorporate relevant changes without unnecessary delays.

  4. Quantify and Prioritize Risks

    All operational risks must be quantified in their probability, severity, and mitigation costs.

  5. Implement Strong Controls

    Controls and metrics help with the ongoing management and active mitigation of identified priority risks. Automation and artificial intelligence tools can perform continuous monitoring to reduce manual work.

    These best practices are a perfect starting point for any type of business. Individual industries may have additional considerations, whether a bank is trying to reduce operational risk or a manufacturing facility is looking to maintain production continuity.

Manage Operational Risk With Reciprocity

Evaluating your operational risks, developing internal controls, and creating documentation every step of the way can be cumbersome and time-consuming if you’re trying to do it all manually via spreadsheets.

ZenGRC is a governance, risk management, and compliance software that can enable you to streamline operational risk management by automating many of these manual tasks.

ZenGRC offers easy-to-use operational risk management templates that empower you to evaluate risk on a comprehensive level. At the same time, our user-friendly dashboard shows you where your gaps are and where you’re doing well, so you are always aware of your risk posture.

Say goodbye to the burden of operational risk management, and find your zen. Book a free demo of our software today to learn more.

From the Back Office to the Boardroom:
The Changing Role of the Security Executive