Anthony Tarantino, PhD
14.2 DEFINING OPERATIONAL RISK
14.3 TONE AT THE TOP AND CORPORATE CULTURE
14.5 POLICIES AND PROCEDURES
14.6 INDEPENDENT AUDIT
(a) Business Resiliency Planning (BRP)
14.7 MANAGEMENT OVERSIGHT
Risk and opportunity go hand in hand—two sides of the same coin. There are risks in all activities, and opportunities always come with inherent risks. It is not possible to completely eliminate risks. The goal is to identify, manage, and mitigate risks, and do so in a cost-effective manner. Operational risk is caused by the failure of internal controls over people, process, technology, and external events. It can include a wide variety of problems: external fraud, internal fraud, inadvertent errors, technology failures, incorrect data entry, natural disasters, regulatory changes, terrorism, and so on.
Interest in operational risk management (ORM) best practices will continue to grow as organizations realize the limitations of the Committee of Sponsoring Organizations (COSO) framework, which lacks a means to measure and quantify risk. The 1992 COSO framework was updated in 2004 with Enterprise Risk Management (ERM), also known as COSO II. ERM would appear on the surface to have addressed operational risk, but falls short in not providing a means to quantify and measure risk. Both COSO I and COSO II provide only a simple pass-fail evaluation of risk. ...