What’s arguably the most important risk you should avoid? It’s the risk of doing nothing, to remain idle, Mihai Stroe, who helped us put this article together, told us. That’s why this blog is a go-to guide for your organisation to review key aspects of the Operational Risk Management (ORM) Framework in place.
When the world almost shut down in March 2020, a month carved in our collective memory, organisations had to act as fast as possible to ensure business continuity. Because of their preparedness and flexibility, some dealt with the crisis better and even saw it as an opportunity for transformation and the creation of innovative products or services. Since then, operations, digitalisation, cybersecurity, risk management, to name a few, have become a priority on the growing list of “things to change” in the business realm.
However, in most organisations, a COVID-19-pandemic type of crisis was barely incorporated, if at all, in their risk management framework or in their internal control environment. During the first months of the “coronavirus”, most organisations had to improvise and come up with workarounds to cope with the rapid development of the crisis. They only started to adjust their way of doing business in a second stage.
Sometimes at a medium pace, sometimes galloping, business transformation started to happen, but soon the new setting and the new ways needed to be harmonised and aligned with the entire governance and internal control frameworks.
The COVID-19 pandemic, like any other challenging business experience, has a silver lining. The lessons learnt from the coronavirus are definitely strengthening the ORM function. At this point, few business leaders, if any, could question the importance of effective ORM, fully embedded in the organisational culture.
ORM encompasses business continuity plans and risks linked to the environment, process systems, third-party fraud, workforce and technology (including cybersecurity and cyber fraud). All of them have been in the spotlight over the last 15 months, playing a critical role for all organisations.
When thinking of implementing new processes, or reviewing those newly implemented as a result of a crisis situation, reflect on these questions:
Is this new process workaround which I was forced to implement in line with my risk appetite or is the organisation taking additional unwanted risks?
What is the impact of these new activities on my other processes and controls? Have any of them been bypassed?
Has any new conflict of interest arisen after these new/revised processes?
Advice, even from the “cheap seats” (or a virus): reflecting on ORM in times of pandemic
You may have thought quite differently about the ORM that your organisation had put in place before the pandemic took us by surprise. Likely, we all thought we were well-prepared to deal with any risk bigger than a tiny piece of RNA that, according to science, isn’t even fully alive.
But COVID-19 came, and what could have taken months or years to happen in terms of digitalisation and innovation was accelerated. Businesses finally came around to the fact that transformation wasn’t a nice-to-have but a must.
The sui generis context in which we have all had to work, the situations that businesses had to face in terms of operations, procurement, supply chain, people management and security among others, and the personal and work experiences that each and every one of us lived, have provided us with valuable insights into how robust or agile our organisations are, their strengths and weaknesses.
It’s time to reflect on what made our organisations survive, bet on innovation, fail on some aspects or shut down certain units or even entirely. These experiences should be capitalised on because the sustainability, resilience and flexibility criteria you will embed in your strategy as of now are greatly influenced by the COVID-19 crisis.
These questions are handy to guide your reflection exercise:
What were the positive aspects of the crisis?
What were the main issues encountered when taking action to face the pandemic?
In case of limited possibility to act, what were the causes?
Based on the previous answer, what should be the areas of improvement?
What should definitely be changed in the future so that the business’s ORM strategy is upgraded and strengthened?
Recharging the ORM batteries
ORM has, in a way, a lot to thank the COVID-19 pandemic for, as bizarre as it may sound. After all, the latter has been a booster, a fact that has made the importance of ORM more obvious to us all, but especially to the organisations whose attention to it was little or insufficient.
It’s time to grasp the nettle without further delay. Start by performing an overall risk assessment of your organisation, analysing not only how ready it was at the beginning of the pandemic and through the crisis, but also how it is today and for the future to come. Think of your readiness in the context of new types of crisis or disruptions.
The in-depth assessment will unequivocally result in a set of lessons learnt. Then, enhance the positive aspects and define actions to take to avoid what went wrong.
Let’s take a dive into the assessment.
We recommend you consider the following key areas (see the infographic below) that give you an eagle-eye view on how to overcome challenges that your organisation has likely encountered during the pandemic. It includes specificities determined in the assessment phase.
Keep the focus on risk indicators
The entire assessment process needs appropriate monitoring. A set of relevant key risk indicators (KRIs) will ensure that all potential perils the organisation might be exposed to are taken into account.
By definition, any change in the KRIs setup should be supported by aligning and strengthening the data collection process.
You want to address all the above focus areas in a more comprehensive and thorough way than in the past. This is precisely the right moment to put into practice the lessons that the last challenging months have taught us.
When performing this exercise, your organisation has the chance to identify and discontinue processes that aren’t working as expected and to replace them with effective, robust and sustainable ones.
The result of these assessments should strengthen each component of your ORM framework, making your organisation more resilient and mature, and ready to face new challenges.
For the last 2 years (i.e. even before the pandemic hit), we have observed a strong renewed focus on operational risk from regulators and supervisors alike. The remote working arrangements that have been put in place over the past year will only make this focus stronger.
Have a look at our Operational Risk Management website and discover our services!