IT Audit Manager City National Bank California State Polytechnic University, Pomona
Enterprise risk management (ERM) is a relatively new discipline that focuses on identifying, analyzing, monitoring, and controlling all major risk classes (e.g., credit, market, liquidity, operational risk classes). Operational risk management (ORM) is a subset of ERM that focuses on identifying, analyzing, monitoring, and controlling operational risk. The purpose of this paper is to explain what enterprise risk management is and how operational risk management fits into the ERM framework. In our conclusion, we discuss what is likely to happen in the ERM / ORM environment over the next 5 years. Introduction As the Internet has come of age, companies have been rethinking their business models, core strategies, and target customer bases. “Getting wired,” provides businesses with new opportunities, but brings new risks and uncertainty into the equation. Mismanagement of risk can carry an enormous cost. In recent years, business has experienced numerous, related risk reversals that have resulted in considerable financial loss, decrease in shareholder value, damage to company reputations, dismissals of senior management, and, in some cases, the very dissolution of the business. This increasingly risky environment, in which risk mismanagement can have dire consequences, mandates that management adopt a new more proactive perspective on risk management. What is Enterprise / Operational Risk Management? Clearly, there is a correlation between effective risk management and a well-managed business. Over time, a business that cannot manage risk effectively will not prosper and, perhaps fail. A disastrous product recall could be the company’s last. Rogue traders lacking oversight and adequate controls have destroyed old well-established institutions in a very short time. But, historically, risk management in even the most successful businesses has tended to be in “silos”—the insurance risk, the technology risk, the financial risk, the environmental risk, all managed independently in separate compartments. Coordination of risk management has usually been non-existent, and identification of emerging risks has been sluggish. This paper espouses a recent concept—enterprise-wide risk management—in which the management of risks is integrated and coordinated across the entire organization. A culture of risk awareness is created. Companies across a wide crosssection of industries are beginning to implement this effective new methodology.
Enterprise / Operational Risk Management At first glimpse, there is much similarity between operational risk management and other classes of risk (e.g., credit, market, liquidity risk, etc.) and the tools and techniques applied to them. In fact, the principles applied are nearly identical. Both ORM and ERM must identify, measure, mitigate and monitor risk. However, at a more detailed level, there are numerous differences, ranging from the risk classes themselves to the skills needed to work with operational risk. Operational risk management is just beginning to define the next phase of evolution of corporate risk management. Should firms be able to develop successful ORM programs, the next step will be for these firms to integrate ORM with all other classes of risks into truly enterprise-wide risk management frameworks. See Exhibit 1 for an example of an ERM / ORM organizational structure representative of the banking industry: ERM Organization Chart
Group Risk Director (ERM)
Economic Capital (Planning) & Risk Transfer
Group Risk Executive Committee
Credit Risk *
Operational Risk (ORM)*
IT Security and Business Continuity
Corporate Risk Evaluation (Audit)
Note – the major categories of risk to which financial services firms expose themselves are credit risk, market risk and...