Operational Risk Management and Compliance Methodologies: A Guide

Operational risk is the risk of losses from downtime or process disruptions. These risks arise from a broad range of sources: gaps in procedures or internal controls, system failures, human errors, external or internal fraud, changing regulations, cyberattacks, data breaches, new technology, or external events such as natural disasters.

For the most part, operational risk can be categorized into three groups:

• People
• Technology
• Compliance laws and regulations

Losses due to operational risk can be direct or indirect. Direct losses come from regulatory fines from compliance lapses or lost sales from system downtime. Reputational damage and loss of customer trust are examples of indirect losses.

Operational risk is often confused with strategic risk, although the two concepts are distinct. Operational risk affects an organization’s ability to perform daily business transactions. Strategic risk affects an organization’s long-term objectives and goals.

The main aim of ORM is to mitigate risks related to the organization’s daily operations. It has become more prevalent over recent decades. The release of COSO’s Internal Control-Integrated Framework in 1992 (subsequently updated in 2013) set the stage.

Operational risk – and by extension, operational risk management – affects every internal process in every organization. The management of operational risk enables firms to:

• Address critical vulnerabilities and risks
• Operate effectively in a risk environment
• Boost business resilience
• Create a more secure and profitable enterprise

ORM aims to identify and reduce risk through an iterative multi-step process, consisting of the following steps:

Risk Identification

ORM starts by identifying all the ways something could go wrong and disrupt enterprise operations.

Risk Assessment

Once risks are identified, each is assessed based on how likely the risk event is and its probable impact.

Risk Measurement and Mitigation

Risks are measured against a consistent scale so they can be prioritized into a logical hierarchy. Mitigation measures are developed for risks with the highest priority.

Risk Monitoring and Reporting

Ongoing risk assessment processes are essential to identify risks that change or emerge over time. Mitigation measures, internal controls, and decision-making processes should also be reviewed periodically to assure continued effectiveness.

Effective ORM helps organizations meet business goals and strengthen their risk profile. Still, ORM has its its challenges, especially in the post-COVID world:

New Remote Working Models

The increasing move to remote work creates new operational risks, particularly around cybersecurity and fraud. To mitigate these risks, organizations need stronger security controls and a more robust risk-aware culture.

Regulatory Deficit

Regulators relaxed some rules to support business and operational continuity during the COVID pandemic. Going forward, these rules will be tightened once again, and firms will have to re-adapt to pay back their “regulatory deficit.”

The pace of regulatory change might also pick up, and organizations will have to be prepared to readjust and comply.

Risk and Control Data Quality

In any environment, firms often struggle to produce timely, accurate, and validated risk data. It can be difficult to identify risks and establish consistent risk management objectives across the enterprise without reliable data.

Third-Party Risk

Cyber risks stemming from third-party relationships (such as outsourcing) can be challenging to identify and control. Since regulatory activity is increasing in this area, however, organizations need more visibility to the strategic importance of managing third-party risk.

As the number of laws, standards, and guidelines increases, the regulatory environment is growing more complex by the day. Organizations need to handle this complexity while maintaining operational performance.

Specifically, businesses need to manage their various compliance obligations, mitigate the risks of non-compliance, and streamline reporting to maintain their compliance posture. This is where compliance management comes in.

What Is Compliance Management and Why Is It Important?

Compliance management assures that the organization complies with relevant industry, legal, and corporate compliance requirements. A formal compliance management system allows organizations to:

• Identify compliance obligations and simplify complex requirements;
• Incorporate these responsibilities into business processes;
• Keep track of regulatory changes to assure up-to-date compliance knowledge;
• Identify, categorize and address compliance risk;
• Review operations to assure that regulatory activities, best practices, and corrective actions are carried out across the organization;
• Streamline compliance workflows to reduce the compliance burden;
• Connect data across business siloes to create detailed documentation for compliance audits.

Components of a Compliance Management System

Enterprise compliance management systems vary depending on their size, complexity, and industry. In general, compliance management consists of a compliance program and oversight by the board of directors and management.

Compliance Program

The compliance program usually includes:

• Policies and procedures that define the controls required to mitigate the risk of compliance violations;
• Training to ensure that employees can do their duties in a compliant manner;
• Compliance monitoring to identify and correct performance gaps in your compliance effort;
• Audits, which are independent evaluations to identify compliance gaps.

Board and Management Oversight

The organization’s board of directors and senior management team oversee the compliance program to assure:

• Ongoing commitment to compliance management;
• Proper identification and management of compliance risks;
• Corrective actions are taken to fix issues and risks.

Importance of Operational Compliance

It’s essential to consider the operational effects of compliance, so you can streamline activities and drive consistent processes. Operational compliance should:

• Prepare the organization for regulatory change and implementation;
• Simplify day-to-day compliance tasks and activities;
• Create consistent documentation to promote transparency and improve compliance;
• Align business processes and decisions with compliance requirements.

Various internal controls and checks and balances help the organization to manage compliance challenges and prepare for audits.

Compliance Risk

Compliance risk refers to the regulatory penalties and reputational harm an organization may face if it fails to comply with regulations and laws. Many compliance risks also affect enterprise operations, such as:

• Regulatory uncertainty;
• Data protection and privacy laws, such as the European Union’s GDPR;
• Market risks;
• Conflicts of interest;
• Non-compliance with internal codes of conduct, such as anti-discrimination and anti-harassment policies;
• Product or service quality requirements;
• Employees engaging in corrupt practices such as bribery or fraud.

Like ORM, compliance management is also an iterative and continuous process. Regulations are constantly changing; organizations must be diligent in keeping up. Only then can they prevent business disruptions and avoid the costly fines imposed for non-compliance.

The compliance management process includes these steps:

Assess

In this initial step, the organization identifies applicable laws and regulations and identifies non-compliant systems or business units accordingly.

Prioritize

To streamline remediation, it’s important to prioritize actions by issue severity and potential harm.

Remediation

Policies, procedures, internal controls, and training are essential elements when correcting compliance violations.

Report

Applied changes are validated and reported to senior management, leadership, and other stakeholders.

Monitor

The organization stays updated on changing laws and regulations. Ongoing metrics, internal audits, and external audits are used to monitor its compliance posture.

Compliance is important, but it can also be expensive and complex to manage, particularly due to these challenges:

Manual Processes

Spreadsheets, shared files, and manual cut-copy-paste activities are not practical to keep pace with the evolving regulatory landscape. Unfortunately, many companies continue to rely on legacy tools and cumbersome processes, making compliance difficult and painful.

Siloed Functions and Systems

Compliance responsibilities are often siloed across multiple business functions, departments, and locations. That makes it difficult to manage compliance across the enterprise efficiently. When the technology is equally siloed and disconnected, there is no easy way to exchange and aggregate data to improve organization-wide compliance initiatives.

Lack of Visibility

Since there is no integrated view of compliance-related activities, it’s impossible to identify gaps, much less fix them.

Incomplete Metrics

Multiple disparate systems mean that there is no unified compliance reporting structure or analytics to calculate risk or prioritize risk mitigation efforts.

For modern organizations, operational risk management and compliance management should go hand in hand.

Deloitte says, “Synergies may be garnered from the capabilities of operational risk and compliance.” McKinsey agrees: “The lines between operational risk management and compliance continue to shift.” McKinsey also states that an organization’s modern compliance framework must be integrated with its “operational risk view” of the world.

Commonalities Between Operational Risk Management and Compliance

Both ORM and compliance have a shared mandate to assure that the business lines that generate, own, and control risk should oversee that risk. To achieve this, they may both include processes such as:

• Risk identification;
• Risk assessment;
• Controls testing and verification;
• Issue identification;
• Issue reporting;
• Monitoring.

Even with these similarities, regulators generally agree that separate operational risk and compliance functions are essential and that organizations must maintain the integrity of each.

How Operational Risk Management and Compliance Impact Each Other

The connection between ORM and compliance is unsurprising. Undefined processes, process disruptions, and poor operational decision-making increase the risk that an organization may violate regulations, which in turn may lead to costly penalties, affect its financial standing and damage its reputation.

These challenges are severe for organizations in heavily regulated industries such as financial institutions and healthcare, with a higher burden of compliance. Further, non-compliance can create significant financial and reputational risk for such organizations.

On the other hand, compliance with established rules and regulations can protect organizations from many risks. Furthermore, ORM helps defend organizations from threats that could lead to non-compliance, which itself is now an increasingly serious risk.

Ultimately, organizations can’t have a robust operational risk management program without compliance, and vice versa. Both compliance and ORM are essential, since together, they help organizations maintain their operational stability and integrity.

Despite the commonalities between ORM and compliance, different regulators view operational risk and compliance differently.

For instance, the Basel Committee on Banking Supervision (BCBS) includes compliance as a sub-category of operational risk and takes a measurement approach to risk. U.S. regulators, however, on the other hand, define compliance as its own separate risk discipline.

Compliance and operational risk management differ in these ways:

Tactical vs. Strategic

ORM takes a more strategic approach with longer-term objectives, such as improving product quality, profitability, and customer satisfaction. It relies more on analysis to circumvent, avoid, or mitigate operational risks.

Traditionally, compliance functions have followed a more check-the-box approach to assure that the enterprise remains compliant with prescribed rules and regulations. That’s why compliance management is often considered a more tactical function.

In a tactical environment, compliance professionals are not focused on identifying or managing risks. They have a limited understanding of the risk exposures underlying business operations. As a result, they may not have much influence on actual business practices.

Today’s stricter compliance environment, however, has made it necessary for organizations to move past the check-box approach and adopt compliance frameworks. These frameworks drive compliance activities that are closely tied to day-to-day operations. Hence the link between compliance and the broader ORM program.

Siloed vs. Integrated

The most effective ORM programs are implemented across the organization. It’s vital to integrate different departments, technologies, and processes to identify and mitigate risks. Coordination across departments is crucial to achieving maximum benefits and minimum operational risk losses.

Compliance processes can benefit from broad enterprise-wide transparency, but traditionally they often function in silos, with each location or business unit managing its own compliance requirements.

Prescriptive vs. Predictive

ORM is predictive since it involves understanding risk, forecasting its possible impact, and influencing processes to either minimize a negative impact or maximize a positive one.

Compliance, however, is prescriptive, since it requires organizations to adhere to rules and regulations that are already in place.

Rule-Following vs. Value-Creation

ORM focuses on protecting the organization from operational disruptions from many sources. It can also improve business decisions and drive a more significant competitive advantage. ORM brings a lot of value to the enterprise, particularly if enabled by technology. In fact, the right ORM technology can:

• Establish effective risk management capabilities;
• Enhance consistency and quality of products and services;
• Asure that risk controls and risk assessment processes are applied consistently;
• Improve SOX and cybersecurity compliance programs;
• Drive operational audits.

Compliance is more about verifying that the organization follows a particular rule or law to avoid risk.

The above differences notwithstanding, a robust ORM program can address both ORM and compliance. It can:

• Uncover both threats and opportunities for the organization;
• Consolidate risk and compliance information with real-time analytics to support strategic and predictive risk management;
• Serve as a compliance repository with change tracking and monitoring;
• Provide a complete audit trail;
• Interface with other systems to update relevant compliance regulations automatically;
• Automate and streamline administrative tasks related to ORM and compliance.

Every organization has to contend with operational risk and an evolving compliance landscape. It can be tough to keep up with these challenges without the right amount of visibility.

Get the visibility you need to streamline your operational risk management and compliance management programs with Reciprocity ROAR. This integrated platform enables you to see evolving threats and changing risks, get complete views of control environments, and access information to evaluate your risk and compliance programs.

Document and track internal controls that protect your business and meet compliance requirements. The platform’s workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

With our comprehensive product suite, which includes ZenComply and ZenRisk, you can move from check-the-box compliance to compliance-driven operational risk management. Consolidate efforts to minimize loss events and ensure business continuity.

Schedule a free demo to see how Reciprocity can help your organization achieve operational compliance.