CHAPTER 14
OPERATIONAL RISK MANAGEMENT (ORM) BEST PRACTICES
Anthony Tarantino, PhD
14.1 INTRODUCTION
14.2 DEFINING OPERATIONAL RISK
14.3 TONE AT THE TOP AND CORPORATE CULTURE
14.4 DOCUMENTATION
14.5 POLICIES AND PROCEDURES
14.6 INDEPENDENT AUDIT
(a) Business Resiliency Planning (BRP)
14.7 MANAGEMENT OVERSIGHT
14.1 INTRODUCTION
Risk and opportunity go hand in hand—two sides of the same coin. There are risks in all activities, and opportunities always come with inherent risks. It is not possible to completely eliminate risks. The goal is to identify, manage, and mitigate risks, and do so in a cost-effective manner. Operational risk is caused by the failure of internal controls over people, process, technology, and external events. It can include a wide variety of problems: external fraud, internal fraud, inadvertent errors, technology failures, incorrect data entry, natural disasters, regulatory changes, terrorism, and so on.
Interest in operational risk management (ORM) best practices will continue to grow in importance as organizations realize the limitations of the Committee of Sponsoring Organizations (COSO) framework, which lacks a means to measure and quantify risk. The 1992 COSO framework was updated in 2004 with Enterprise Risk Management (ERM), also known as COSO II. ERM would appear on the surface to have addressed operational risk, but it falls short in not providing a means to quantify and measure risk. Both COSO I and COSO II provide only a simple pass-fail evaluation of risk. ...