How to Develop an Operational Risk Management Plan

Successful organizations identify, evaluate, and manage their operational risks. What are operational risks? These risks include inadequate or failed business processes, people risk, system risk, and external events.

Photo courtesy of DollarPhotoClub.com (edited in Canva)

Business Process Risk

Process risk includes the processes organizations use to deliver products and services. Consider some insurance company processes — handling customer calls, changing a policyholder’s address, quoting a policy, handling personal auto claims, creating financial statements, and executing system batch jobs, to name a few. Operational processes are the lifeblood of organizations and are meant to provide strength and vitality.

Processes should be designed around industry best practices to ensure efficiency and economy, and they must be reviewed and refined on a regular basis.

People Risk

Organizations are made of people, including boards, employees, third-party vendors, and clients. People risk includes risks such as:

  • Employee theft
  • Errors and omissions
  • Disability
  • Death
  • Resignations
  • Poor service from a third party
  • Poor employee performance

People risk can be mitigated through the selection and hiring processes, training and development, and succession planning.

System Risk

System risk includes equipment and software. Think about what happens if a payment processor isn’t working. What happens if a Claims Service Center doesn’t have access to the claim systems or the phone system?

Systems are increasingly at risk of cyber attacks that result in a data breach. Stolen customer records cause adverse impacts to the customers themselves as well as to the organization’s reputation.

External Event Risk

Every organization is subject to external factors such as tornadoes, supply-chain issues, vendor response time, and regulatory requirements.

Developing an Operational Risk Management Plan

Before we dive into the ingredients of the plan, allow me to make the following points:

  • Risk management plans may be created at different levels of an organization such as divisions, business units, and teams.
  • The risk management plan should be created to add value, not to check a checkbox.
  • Consider someone who has risk management training and experience to develop the plan, if possible. Tip: Assign the task to someone with a risk management designation such as the Associate in Risk Management (ARM).
  • A risk management plan describes your approach to risk management; it is not a risk register (we’ll discuss risk registers in another post). A risk management plan does not have to be lengthy to be effective.

Let’s take a look at what to include in the plan:

  • Risk environment. Describe how your division, business unit, or team supports the organization’s goals and strategic plan. Is the group performing standard activities or is the group performing activities out of the ordinary and, therefore, riskier? How complex is your role? What parts are most tricky? How much experience does the team have in managing operational risks?
  • Methodology. Describe the methods of how you will identify, evaluate, respond to, and control risk.
  • Roles and responsibilities. Who will perform which risk management activities? Consider designing a responsibility chart/matrix. List roles such as risk manager, risk owners, and stakeholders along with their responsibilities.
  • Timing. Define how often you will perform risk management activities such as monthly or quarterly.
  • Risk categories. Define the risk categories. Standard operational risk categories include people, process, system, and external.
  • Risk measures. Determine which measures you will use such as probability and impact.
  • Risk evaluation scales. Define the scales you plan to use for probability and impact (for example, 1 to 5 or 1 to 10) and write down what each number represents; agreed definitions minimize bias in the risk ratings.
  • Risk scores. Define how you will calculate the risk score. A common way is to multiply probability times impact (e.g., 4 x 5 = 20).
  • Definitions. Define risk management terms such as probability, impact, risk, issues, risk appetite, and risk tolerance.
  • Risk attitude, appetite, and tolerance. What is management’s attitude toward risks? Where do they want to take risks? Where are they risk averse?
  • Reporting formats. What formats will you use to report risks? What will you include in each report? Who will receive the reports? How often will the reports be distributed?

Click here for a FREE Operational Risk Management Template (Word format).
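To show how the risk categories, evaluation scales, risk scores, and tolerance described above fit together in practice, here is an added Python example (it is not part of the original post or its template). The scale wording, the tolerance value, and the sample risks are constructed for illustration; the calculation itself is the probability-times-impact score the post describes.

```python
"""Score operational risks the way the plan elements above describe.

Added example, not code from the original post. The 1-5 scale definitions,
the tolerance threshold, and the sample risks are constructed assumptions.
"""
from dataclasses import dataclass

# Standard operational risk categories named in the post.
CATEGORIES = {"people", "process", "system", "external"}

# Written definitions for each scale value (constructed wording). Fixing
# these in the plan is what keeps ratings comparable across risk owners.
PROBABILITY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    probability: int  # must be a key of PROBABILITY_SCALE
    impact: int       # must be a key of IMPACT_SCALE

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scales so the score stays meaningful.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category!r}")
        if self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"probability {self.probability} is outside the 1-5 scale")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact {self.impact} is outside the 1-5 scale")

    @property
    def score(self) -> int:
        # Risk score as the post defines it: probability times impact (e.g. 4 x 5 = 20).
        return self.probability * self.impact

    def describe(self) -> str:
        # Human-readable line for a risk report, using the scale definitions.
        return (f"{self.name} [{self.category}]: "
                f"{PROBABILITY_SCALE[self.probability]} / {IMPACT_SCALE[self.impact]} "
                f"-> score {self.score}")


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Return risks ordered from highest to lowest score (ties keep input order)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def risks_above_tolerance(risks: list[Risk], tolerance: int) -> list[Risk]:
    """Risks whose score exceeds management's tolerance and therefore need a response."""
    return [r for r in rank_risks(risks) if r.score > tolerance]


def highest_by_category(risks: list[Risk]) -> dict[str, int]:
    """Highest score seen in each category; useful for the summary section of a report."""
    summary: dict[str, int] = {}
    for r in risks:
        summary[r.category] = max(summary.get(r.category, 0), r.score)
    return summary


# Constructed sample register entries, one per category.
SAMPLE_RISKS = [
    Risk("Claims process errors", "process", probability=4, impact=4),
    Risk("Payment processor outage", "system", probability=3, impact=5),
    Risk("Employee theft", "people", probability=2, impact=4),
    Risk("Tornado damage to office", "external", probability=1, impact=5),
]

# Constructed tolerance: scores above 12 require a documented response.
RISK_TOLERANCE = 12

if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_RISKS):
        flag = " (exceeds tolerance)" if risk.score > RISK_TOLERANCE else ""
        print(risk.describe() + flag)
```

Defining the scales and the tolerance once in the plan, and validating ratings against them as this code does, is what lets different risk owners produce scores that can be ranked and reported side by side.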

Connecting Project Risk Management to Operational Risk Management

An operations manager has the responsibility of aligning operational activities with the organization’s objectives. Daily operations differ from projects.

Where operations are concerned with the ongoing production of products and services, a project is “a temporary endeavor undertaken to create a unique product, service, or result” according to the Project Management Body of Knowledge. Operations never end; projects have a definite beginning and end. How can we leverage project management to improve daily operations? I’m glad you asked. Here are some examples:

  • Imagine an insurance company with claims processes that are taking too long and producing errors resulting in lots of customer complaints. You could plan and execute a project to re-engineer the claims processes to be more efficient and to create a higher level of accountability.
  • Perhaps you are concerned about cyber attacks. You could initiate a project to develop an operational response plan for a data breach.
  • Your company may have a high level of billing errors. You could complete a project to modify the billing system or to implement a commercial-off-the-shelf (COTS) system.

You get the idea. Once an organization kicks off a project, the project manager serves as a risk manager. The project manager develops a project risk management plan to ensure the project is delivered successfully.

Project management provides a competitive advantage for companies. Imagine one company that completes 30% of its projects successfully — on time, on budget, and as promised. Compare this to a competitor that consistently completes 70% of its projects successfully. It doesn’t take a rocket scientist to figure out who will win this race.

Best wishes in your race!

Question: What do you include in your risk management plans?
