job Kvalitet og metode

An Introduction to Operational Risk Management

IIA Norge (IIA Norway) has recently developed a new guidelines document concerning operational risk management.

At the initiative of the Risk Management Network of IIA Norge a working party was formed consisting of the following four members of IIA Norge Mazhar B. Ahmad (project manager), Alf Olav Uldal, Roger Ølstad and Martin Stevens (project secretary).

The aim of the guidelines was to give the user a broad introduction to operational risk management. The document’s structure was inspired by the PDCA model for quality management systems (Plan-Do-Check-Act).

It is the hope of the working group that IIA members, GRC community and other stakeholders will find the document useful to support design and implementation of operational risk management.

There must be business objectives, goals, or targets to work with operational risk in an enterprise. This can be as simple as ensuring that operational risk shall support the enterprise in a number of areas such as:

  • Improvement of business processes: with a goal of designing effective and cost-efficient business processes.
  • Quality: with a goal of controlling business processes from start to finish and not just in the enterprise’s own value chain.
  • Knowledge: with a goal of ensuring that the employees and managers receive satisfactory training as to how the various activities shall be carried out in line with requirements, legal obligations,  and internal standards/procedures.
  • Information security with a goal of the development of robust IT systems (security by design) and that there exist plans for crisis management and disaster recovery.

There must be a game plan for work with operational risk which ensures management and control over a given area in a systematic and structured way to avoid that the outcome is a result of pure random chance.

It has been a challenge to balance both the breadth and depth of this risk category/group which encompasses a major part of the risk universe in many enterprises. For this reason, we believe that operational risk must be managed as an integral part of the total management system and value chain of an enterprise. Management of operational risk deserves its rightful place in the overall governance of an enterprise and should assist in supporting, maintaining, and creating values in the day-to-day operations of both large and small, private, and public organisations.

Processes, people, protection of assets and the use of technology is key to the work of achieving sound operational risk management!

You may download the document HERE.