Operational Risk Management

The Chartered Management Institute

is the only professional awarding body
in the field of management and
leadership in the UK.

Challenges Catalyst is a CMI strategic

partner and accredited centre. We
have been delivering CMI
qualifications across Africa and Asia
since 2008.

Copyright © Challenges Catalyst 2020

All rights reserved. This document or any portion thereof may not be reproduced or used in any manner whatsoever without
the express written permission of the publisher except for the use of brief quotations in certain non-commercial uses
permitted by copyright law.
 Objectives
• Understand the scope and purpose of risk management,
• Evaluate types of risks, their governance and approaches
for managing these effectively,
• Understand how risk management can be implemented
within your organisation,
• Identify examples of good practices around risk
management from the international development sector,
• Understand how to go about assessing the risks
associated with the COVID-19 outbreak.
Context
 Operational Risk Management
Section 1 – Aspects of Risk Management
‘Behold the turtle. He makes progress only when he sticks his neck out’
James Bryant Conant

Aim
By the end of this section, you should be
confident in your knowledge of the
following three learning outcomes.

1 Outcome 1
Discuss the meaning of risk to an organisation.
 Outcome 2
2 Define the responsibilities for risk management
at operational management level.

3 Outcome 3
Explain a risk management model.
Risk Management
The consequences of failing to risk manage

Chernobyl Sub-prime Poor disciplinary

mortgage procedures

• Operational failures • Lowered lending • Morale and productivity

and poor safety culture standards and sold suffer due to
• Reactor in nuclear higher-risk mortgage perception of
power plant explodes products unfairness
• 56 killed • Many organisations • Litigation and
• Radioactive fallout collapsed associated costs
across 3 countries • Individuals lost savings • Bad publicity affects
• Ongoing health and investments talent acquisition and
problems affected • Worldwide recession dents customer
thousands confidence
• Loss of reputation
difficult to recover from

Managing risk is essential in an organisation. Failure to do so can lead to consequences from global health or
economic crises to long term organisational difficulties. These affects can last long after the event itself.
What is risk?
Attitudes to risk

Positive Balanced Negative

Many people see risk as Others may see risk as a For some risk is
a positive – as essential gamble - that can have something to be avoided
for success; ‘he who positive or negative wherever possible as it
dares, wins’. outcomes depending on connotes instability or
the circumstances. danger.
Arabic – risq: ‘anything
given by God from which Italian - riscare: to dare Latin - riscum: hazards
you draw profit’ sailors face at sea
What is risk?
Characteristics of risk Different sizes
From when to cross the road to
whether to go to war

Many people are drawn to

Fundamental part of life
it
We can’t avoid all risks
Often in business it is seen
as a way to make money
People’s attitudes
towards it differ Potential for favourable or
Regardless of the size of unfavourable outcomes
risk some people are more Must be prepared for the
risk averse worst to happen

Uncertain outcomes
We can’t know what will happen
What is risk?
Why do we take risks?

We set ourselves
challenges and goals
– and focus on/look
forward to the rewards
irrespective of the
risks

We calculate that the

We do things naively,
benefits of a risk that
because we want
ends well will
them to work out
outweigh the cost
What is risk?
Taking appropriate steps

Planning
Identification
Resourcing
Estimation
Controlling
Evaluation
Monitoring

Risks are threats that have not yet happened. These could result in failure to deliver objectives so they
need to be identified and strategies put in place to reduce the possibility of them occurring. Identifying
and evaluating risks before they happen, and then controlling and monitoring risks as projects develop,
are all essential steps. Ranking and recording risks can help devise contingency plans to reduce and
control threats. By documenting them it is possible to re-assess the situation after the event.
What is risk?
Categories of organisational risk

Strategic Risk Operational Risk Financial Risk Hazard Risk

⁻ Product portfolio ⁻ Financial ⁻ Credit ⁻ Environment

⁻ Market risks administration ⁻ Pricing ⁻ Workplace
⁻ Competition ⁻ Product/service ⁻ Inflation ⁻ Health
⁻ Technology quality ⁻ Hedging ⁻ Emergency/Disast
⁻ Political ⁻ Supply chain ⁻ Liquidity and cash er
⁻ Stakeholder ⁻ Customer service flow ⁻ Product safety
⁻ Brand ⁻ HR ⁻ Interest rates ⁻ Consumer safety
⁻ Reputation ⁻ Assets ⁻ Tax
⁻ Customer needs ⁻ IT ⁻ Currency rates
⁻ Mergers and ⁻ Compliance ⁻ Equity and capital
acquisitions ⁻ Processes
⁻ Governance

Effective risk management is essential in establishing the risks and consequences around each of these
areas and calculating the likelihood of their occurrence. ISO defines risk management as: ‘coordinated
activities to direct and control an organisation with regard to risk’.
What is risk?
Risk management approaches

Establish
Ignore Accept Contain Transfer
Contingency
After becoming After becoming After becoming Setting aside Letting
aware of risk, aware of risk, aware of risk, funds to use if someone else
choosing to accepting the taking specific the risk ever take the risk, for
behave as if it consequences if actions to occurs example
wont happen. it ever happens minimise its through use of
occurrence and insurance
effect
Risk and Responsibility
Key stakeholders

Risk management is the responsibility of the whole organisation. It must start at the top and cascade down
to lower levels – with each level taking appropriate responsibility. Those who have accountability for the
risk and have the authority to manage it are known as the ‘risk owners’.

Board and
Executives
Strategic

Specialist Risk
Function

Functions/
Business Units

Line Managers/
Operational

Project Managers

Employees
Risk and Responsibility
Key stakeholders

The Board and Executives always have overall responsibility for risk, setting the framework and
managing risk processes.

Board and Overall framework

Executives
Strategic

Foundations for designing,

Specialist Risk
implementing, monitoring and
Function
improving risk management

Functions/ Principles, objectives, plans, codes

Business Units of practice, resources and
processes

Line Managers/
Ensure tie in to overall strategic aims
Operational

Project Managers
and organisational requirements

Employees
Risk and Responsibility
Key stakeholders
In larger organisations, there may be a number of specialist risk management jobs within a risk
management function. This will support senior management to meet responsibilities in managing
risk.

Board and
Executives Senior managers and Review internal and
Strategic

risk specialists review external audits,

risk issues and the compliance and risk
Specialist Risk strategic risk framework management issues
Function
Risk
Senior manager Audit
Functions/ Management
‘sponsors’ risk Committee
Committee
Business Units management Implement
across the Risk risk
Risk
organisation Manager strategy
Line Managers/ Champion
Operational

Project Managers
Specialist Risk Risk Manage
operational Officer Director strategic
Employees risk role– e.g. risk
health & safety
officer
Risk and Responsibility
Key stakeholders
Functions and business units are responsible for implementing the risk management framework at
the operational level.

Board and
Executives
Strategic

Establish a process for identifying,

assessing, controlling and monitoring
Specialist Risk their functions’ risks
Function
Develop specific policies, procedures
Functions/ and processes for establishing a
Business Units culture of risk

Provide resources to support the

Line Managers/ awareness, monitoring and response
Operational

Project Managers to risk

Employees
Risk and Responsibility
Key stakeholders
Line managers or project managers will lead risk management in their own team

Board and Assess, control and monitor

Executives risk in own area
Strategic

Specialist Risk Follow policies, processes

and procedures in the risk
Function
management framework

Functions/ Communicate with

Business Units employees about risk

Line Managers/ Empower team to monitor

Operational

Project Managers own risks

Report to senior
Employees management on level of risk
and response in own function
Risk and Responsibility
Key stakeholders
Employees have a duty to comply with risk management policies and procedures and report
incidents of risk to their line managers or the specialist risk function, as appropriate.

Board and
Executives
Strategic

Specialist Risk
Function

Functions/
Business Units

Line Managers/
Line Managers/
Operational

ProjectProject Managers
Managers

Employees
Types of Risk
Different types of organisational risk
Basel II defines operational risk as : ‘the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events’

Compliance
Financial
Supply Chain
Administration

Organisational
Risk

Product or Human
Service Resources
Asset and IT

Risks may overlap and are not mutually exclusive. Risks in one area may impact on another area. For
example, poor human resources may affect the quality of your product or service, as may an IT breakdown.
Types of Risk
Different types of organisational risk

Compliance Risk Financial Administration Asset and IT Risk

risk
Risk from the organisational Risks to physical assets
and legal regulatory Risk of control issues such as: including land, buildings,
environment: • Internal and external fraud equipment, inventory, office
• Managers and employees • Poor accounting supplies, utilities etc. Risks
breaking rules, standards, • Reporting and auditing include:
codes of conduct and practices • Fire, flood, power failure
employment laws they • Lack of financial cash • Mechanical breakdown
work under handling measures • Obsolescence
• Mismanaging budgets • Contract procurement and
Flat organisational structures renewal
can increase risk due to Requires cash management • Rises in costs of
flexibility in interpreting rules procedures such as ‘dual overheads
control’ measures ensuring no • Theft, vandalism, loss,
member of staff is alone with damage
large amounts of cash. • Building and facilities
deterioration
Types of Risk
Different types of organisational risk

Human Resource Risk Health, Safety and Product or Service Risk

Environment risk
• Recruitment, training, • A product needs to deliver
succession planning, pay, • Requires a working customer requirements –
contracts, performance, environment in which all failure to do so is a
disciplinary & grievance, reasonable measures are fundamental operational
attendance etc in place to keep employees risk
• Costs if wrong person and customers safe and • Requires consideration of
hired in terms of time well safety, durability, price,
spent coaching, training, • Includes day to day issues warranty, ease of use,
performance managing from desk set-up to quality
• Employment law must be protective equipment
followed and can have • Also includes procedures
huge financial and in the event of
reputational risk emergencies and disasters
Types of Risk
Different types of organisational risk

Supply Chain Risk

• Procurement – loss of suppliers,

advertising, negotiating, contracting,
lead times
• Production - quality of people,
processes, support systems, equipment,
machinery, back-up etc.
• Distribution - reliability of distribution
services, quality of customer service

E.g. organisations like Amazon relied on

Royal Mail but reacted to the supply chain
risk posed by the 2009 postal strikes and
sought alternative carriers to mitigate the
risk of future strike action
Risk Management Processes
What a good job looks like
The ISO define the risk management process as the: ‘systematic application of management policies,
procedures and practices to the activities of communicating, consulting, establishing the context and
identifying, analysing, evaluating, treating monitoring and reviewing risk’.

Establish the context

Risk assessment
Risk identification

Communication
Risk analysis Monitor and review
and consultation

Risk evaluation

Risk treatment
Self Reflection Questions
Use these questions to check your understanding of
this section's key learning

1. Why is risk management important and what are

the consequences of failing to manage it?

2. What is ‘risk’ and why do we take risk?

3. What responsibilities do people have in

organisations for dealing with risk?

4. What are the major types of organisational risk?

5. What is the ‘risk management’ process and what

are its key elements?

Once you have answered these self assessment questions, you are ready to move to the
next section: Risk Assessment
 Operational Risk Management
Section 2- Risk Assessment

Aim
By the end of this section, you should be
confident in your knowledge of the
following four learning outcomes.

1 Outcome 1
Develop and justify risk management criteria against which
risks can be assessed.
2 Outcome 2
Identify and evaluate techniques to specify
risk and risk interdependences.

3 Outcome 3
Analyse a risk management model to
quantify risk.

4 Outcome 4
Evaluate the level of risk against pre-established
criteria.
Risk Identification
Finding, recognising and identifying risk

Brainstorming HAZOP
Free form generation of creative ideas – Hazard and Operability Studies used
needs to be facilitated and follow up to mainly in engineering. Structured and
evaluate ideas afterwards systematic examination of a complex
process to identify and evaluate
problems that may represent risks to
Checklists personnel or equipment
Structured list of statements requiring
yes/no to identify gaps in existing
Delphi Technique
processes
Structured questionnaire for experts.
Several rounds of questionnaires are
Questionnaires sent out, and anonymous responses
Using open questions to uncover risks aggregated and shared after each round.
with staff at all levels Experts are allowed to adjust their
answers in subsequent rounds

Root Cause Analysis Benchmarking

Use techniques such as 5 ways to Compare against partner or competitor
identify root cause of risk. These root organisations and industry best practise
causes can be used to identify additional
risks
Risk Identification
Finding, recognising and identifying risk

Consultation and Discussion Workshops

Often used in conjunction with other Format for brainstorming or consultation.
methods to gather in-depth feedback Supports cross departmental learning
from across the organisation and team building

Incident Investigation SWOT Analysis

Analysing past incidents for trends and Stregnths, Weaknesses, Opportunities
patterns to highlight gaps and and Threats are identified for the project
opportunities in current processes or and thus, risks are determined.
strategy

Inspection
Auditing and Reviews Visual walk around to assess risks
Audit previous projects, documentation operational risks practically
and systems to identify future risks.

Interdependency
PEST Analysis If one thing happens, how will if affect
Analysing the external environment everything else? What other risks would
(Political, Economic, Social, arise? This gives more detail on each risk
Technological) to identify external risks and can help to spot new ones
Risk Identification
Selecting the best technique

Techniques recommended
The type and range of by industry standards or the The degree of expertise
risks being analysed. organisation itself. in the organisation.

The complexity of The size of your The availability of The costs and
the risks in your organisation/area of existing risk data. resources needed.
organisation/area responsibility.
of responsibility.
Risk Criteria
Establishing a framework

Nature and types of potential How to determine the level or

consequences severity of risk

Set the level at which risk becomes

How consequences will be measured
unacceptable

How likelihood will be defined What level of risk requires treatment

The time frame of the likelihood Whether the combinations of risk

and/or consequence should be taken into account

Risk criteria are the standards by which you assess the level of risk in your organisation so that you can
manage it. You need to develop criteria that are used to evaluate the significance of the risk. The criteria
can reflect the organisation’s values, objectives and resources and will be in line with legal and regulatory
requirements. Risk criteria should be continually reviewed.
Risk Analysis
The likelihood-consequence matrix
Assessing risk has two crucial factors – the likelihood something will happen and the severity of
consequences if it does. Consequences are often defined against several measures, such as financial,
health and safety, environmental, legal and reputational.

Consequences
Insignificant Minor Moderate Major Catastrophic

Almost certain Medium High High Very High Very High

Likely Medium Medium High High Very High

Likelihood

Moderate Low Medium Medium High High

Unlikely Low Medium Medium Medium High

Rare Low Low Low Medium Medium

Once the likelihood of a risk occurring is assessed, and combined with the severity of the consequences which
would be felt as a result, it will be placed in an appropriate cell – this helps to prioritise risk management.
Risk Analysis
Risk scoring

Score Probability Severity

Likely to cause serious,

Highly likely to occur (almost significant disruption to
High (3 points)
certain) schedule, increased costs, or
degradation of performance
Has potential to cause some
Reasonable chance of disruption to schedule,
Medium (2 points)
occurrence increased costs, or degradation
of performance
Has little potential to cause
Very unlikely to occur (almost disruption of schedule,
Low (1 point)
never) increased costs, or degradation
of performance

Risk scoring serves the same function. For each risk the score for probability should be multiplied by the
score for severity ( you can choose the scale, many use a 5 point scale for risk and severity). These should
then be ranked in score order with the highest scoring risk being dealt with first.
Risk Evaluation
Does a risk require action
The final stage in risk assessment is risk evaluation. This is defined by ISO as the: ‘process of comparing
the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is
acceptable or tolerable’.

Managed by May not require

Low Risk standard treatment
procedures

Existing control Update as

Medium risk measured may necessary
not be adequate

Senior
New controls management
High Risk
needed informed and
involved

All levels of
Disaster planning
Very High Risk organisation
needed
involved
Risk Evaluation
Does a risk require action

Raw Risk Residual Risk Effect of Magnitude

Score Risk Score Tolerance internal of
controls treatment
required
Risk 1 20/25 16/25 6/25 4/25 10
Area: Financial Health High High Low
Owner: Vice President
Risk 2 12/25 8/25 6/25 4/25 2
Area: Administrative Systems Medium Medium Low
Owner: Registry

Raw risk score: level of risk faced before controls have been applied
Residual risk score: level of risk faced after existing controls have been applied
Risk tolerance rating: the amount of risk tolerated before action is required
Effect of internal controls: raw risk – internal controls = residual risk
Magnitude of treatment required: Difference between risk tolerance and residual score

If the magnitude of treatment required is high then action needs to be taken quickly to manage
the risk
Self Reflection Questions
Use these questions to check your understanding of
this section's key learning

1. What is meant by risk assessment?

2. What is risk criteria and how do they relate to the

assessment?

3. What is risk interdependency and what is meant by

risk identification?

4. What techniques are available to help identify risks

and how do they work?

5. What is meant by risk analysis and what techniques

are available?

6. What is meant by risk evaluation and how does it

help determine the level of treatment required?

Once you have answered these self assessment questions, you are ready to move to the
next section: The Risk Response
 Operational Risk Management
Section 3 – The Risk Response

Aim
By the end of this section, you should be
confident in your knowledge of the
following two learning outcomes.

Outcome 1

1 Select and evaluate

activities to eliminate,
mitigate, deflect or
accept risk.

Outcome 2
2 Determine process for implementing and managing a
disaster recovery plan.
Risk Treatment
Risk mitigation, risk control, risk prevention or risk elimination
The risk response is the organisation’s answer to identified risk. Risk treatment is defined by the ISO as
being the ‘Process to modify risk’.

Avoid the activity

Remove the source

Retain the risk

Change the likelihood

Share the risk

Change the consequence

Seek an opportunity
Risk Treatment
Risk management approaches explained

Avoid the activity Remove the source Retain the risk

• Conservative approach • Drills down to the root • When you want to
• Lose opportunities cause of the risk manage risk
associated with the • Substitutes with a less consequences yourself.
risk. risky alternative • E.g. If insurance costs
• E.g. 100% drop in • E.g. swapping are too high
sales from closing a disposable carrier bags • You can introduce ‘fail-
store for reusable ones to safe’ and ‘self-
save on overheads insurance’ mechanisms
Risk Treatment
Risk management approaches explained

Change likelihood
This is often the most favoured option. The risk is reduced by adopting ‘control’ measures to
lessen the likelihood of occurrence. May include:
• Design controls – factoring risk in the design of a product, service or operation. E.g.
recruitment screening and product safety measures
• Process & quality controls – methods and means to control a whole process such as data
management, managing employee performance or TQM
• Financial controls – cost control, accounting rules, cash management etc.
• Auditing & review – a monitoring process to check that risk controls are being used
• Standards, policies & procedures – guidelines for controlling behaviour at work such a code
of conduct, disciplinary procedures etc.
• Systems of work – precise working instructions or rules for operating machinery or working in
dangerous environments e.g. permits-to-work
• Technological innovation – a type of design control such as replacing a dangerous substance
with a benign equivalent
• Training – control the risks from poor employee and management performance
Risk Treatment
Risk management approaches explained

Share the risk Change the Seek opportunity

• Risk can be shared consequences • Emphasises the
financially or in other • An emergency opportunities, rather
ways procedure is a typical than drawbacks of risk
• E.g. Insurance, example of this type of • E.g. The negative risks
outsourcing services, risk treatment associated with global
dividing responsibilities • Consequence-limiting warming are well
with suppliers procedures do not stop publicised, but even this
• No risk is ever fully the event from subject comes with
transferred (you still happening, but will potential opportunities,
have to pay insurance reduce the damage it such as:
premiums) may do • Lower utility bills and
• Sometimes the risk • E.g. Fire extinguishers, reduced usage of fossil
treatment is a risk in fire drills, alarms, fuels as central heating
itself protective equipment stays off for longer
 Risk Treatment
Selecting the best option

Nature of the risk Cost v Benefit Practicality Risk of treatment

Less complex risk A cost benefit analysis Don’t look to eliminate every Is the cure worse
requires less treatment shows if you can risk – reducing risk through than the disease?
afford to take the risk control measures is ok

Risk v Opportunity Appropriateness Acceptability

What is your organisations Not all risk treatments are Needs to be in line with
risk tolerance? What can be appropriate for all categories – organisational values
afforded in each area? e.g. compliance can’t be
avoided
Risk Treatment
Factors of a risk treatment plan

Summarise risks and treatment

What resources are required?
options chosen

Why was that treatment chosen? How will performance be measured?

What monitoring and reporting

What are the proposed actions?
requirements are there?

Who is accountable? What is the timing and schedule?

 Risk Treatment
Risk register

Action
Risk Category Severity Probability Mitigation Contingency Owner
By

Reserve
Hotel rooms will
hotel Back up hotel
be hard to find for
Operational High Medium rooms in list in case Grace Now
attendees, due to
advance issues occur
tourists

If attendees’ Ensure
Provide
flights are late, we flights are 2 weeks
handouts for
won’t be able to Operational Medium Medium booked James before
late arrivals
start the workshop with time event
on time to spare

Once risks have been identified and analysed a risk register tracks all the risks and assigns an
owner to each one – they are responsible for monitoring and mitigating the risk. Headings can also
include tolerance, remaining risk after treatment, current controls and any additional controls.
Disaster Recovery
Managing the disaster recovery plan
‘Disaster recovery’ is a consequence-limiting risk treatment. It ensures that the organisation can survive
following a disaster – implementing basic processes or returning operations to normal. It should form part of
the organisations business continuity strategy.

1 Identify key personnel

2 Map priorities to be dealt with

3 Ensure floor plans are accessible

4 Practice evacuation procedures

5 Identify precautionary measures

6 Clear instructions on where further information can be found

7 Processes in place for recovery tasks

8 Directory of suppliers who can provide essential resources

Disaster Recovery
Three stage testing process

A disaster recovery plan is only needed if there is a disaster. Because of this it can often be created once
and then never looked at again. It’s important that organisations create and test one regularly, ensuring
that it works and improving any weaknesses.

Commit
Review testing
stakeholders and Implement testing
and update plan
plan testing

The main reasons organisations don’t test are costs, time issues and employee/customer disruption.
Disaster Recovery
Three stage testing process

Commit stakeholders and plan Implement testing Reviewing testing and

testing updating the plan
• Can focus on people (e.g.
• Communicate the plan to fire drills) or systems– • Each specific test should be
everyone in the sometimes both reviewed
organisation. • Involves scenario and • Full review of the plan to
• Brief key personnel on their physical walk throughs check its feasibility
roles and responsibilities • Only needs to include those • The plan should then be
• Provide training directly involved – e.g. just updated
• Ensure suppliers are testing IT data recovery • Further tests should be
contacted systems carried out in response to
• Ensure appropriate • Tests can vary in scale from new threats or changes in
agreements are in place whole organisation to single components of the existing
with relevant public bodies department process
(e.g. fire service) • Can be discrete or collective • All new aspects of the
• Identify objectives for testing • Can be as long or short as disaster recovery plan
• Schedule testing and required should be communicated to
communicate this to all everyone in the organisation
affected
Monitoring and Review
Are the treatments working

The ISO identifies the purpose of monitoring and review as:

Ensuring controls are effective and efficient in both design and

1
operation

2 Obtaining further information to improve risk assessment

Analysing and learning lessons from events (including near

3
misses), changes, trends, successes and failures

Detecting changes in the external and internal context, including

4 changes to risk criteria and the risk itself, which can result in the
need to revise risk treatment and procedures.

5 Identifying emerging risk.

Monitoring and Review
Typical activities
Techniques used in the risk identification process are also useful in risk monitoring and review. This is not
surprising as updating a risk assessment and monitoring and reviewing are closely linked processes.
Typical monitoring and review techniques include:

Inspection

Consultation Incident
and discussion investigations

Questionnaires
Checklists
and interviews

Audits and
formal reviews

Communicating regualarly with key stakeholders is essential throughout risk management. Conducting
reviews regularly can make them much easier, and more likely to reduce risk.
Self Reflection Questions
Use these questions to check your understanding of
this section's key learning

1. What is meant by the ‘risk response’?

2. What is meant by ‘risk treatment’ and what are the

options for risk treatment?

3. How do you select and implement risk treatment

options?

4. What is a disaster recovery plan and how do you

manage it?

5. What information should the risk register contain?

6. What part is played by communication and

consultation in managing risk?

Once you have answered these self assessment questions, you have completed the unit
 Copyright © Challenges Catalyst 2020

All rights reserved. This document or any portion thereof may not be
reproduced or used in any manner whatsoever without the express written
permission of the publisher except for the use of brief quotations in certain
non-commercial uses permitted by copyright law.