Which of the following steps of operational risk involve going through the audit report

What Is Operational Risk?

Operational risk summarizes the uncertainties and hazards a company faces when it attempts to do its day-to-day business activities within a given field or industry. A type of business risk, it can result from breakdowns in internal procedures, people and systems—as opposed to problems incurred from external forces, such as political or economic events, or inherent to the entire market or market segment, known as systematic risk.

Operational risk can also be classified as a variety of unsystematic risk, which is unique to a specific company or industry.

Understanding Operational Risk

Operational risk focuses on how things are accomplished within an organization and not necessarily what is produced or inherent within an industry. These risks are often associated with active decisions relating to how the organization functions and what it prioritizes. While the risks are not guaranteed to result in failure, lower production, or higher overall costs, they are seen as higher or lower depending on various internal management decisions.

Because it reflects man-made procedures and thinking processes, operational risk can be summarized as a human risk; it is the risk of business operations failing due to human error. It changes from industry to industry and is an important consideration to make when looking at potential investment decisions. Industries with lower human interaction are likely to have lower operational risk.

Operational risk falls into the category of business risk; other types of business risk include strategic risk (not operating according to a model or plan) and compliance risk (not operating in accordance with laws and industry regulations).

Examples of Operational Risk

One area that may involve operational risk is the maintenance of necessary systems and equipment. If two maintenance activities are required, but it is determined that only one can be afforded at the time, making the choice to perform one over the other alters the operational risk depending on which system is left in disrepair. If a system fails, the negative impact is associated directly with the operational risk.

Other areas that qualify as operational risk tend to involve the personal element within the organization. If a sales-oriented business chooses to maintain a subpar sales staff, due to its lower salary costs or any other factor, this behavior is considered an operational risk. The same can be said for failing to properly maintain a staff to avoid certain risks. In a manufacturing company, for example, choosing not to have a qualified mechanic on staff, and having to rely on third parties for that work, can be classified as an operational risk. Not only does this impact the smooth functioning of a system, but it also involves additional time delays.

The willing participation of employees in fraudulent activity may also be seen as operational risk. In this case, the risk involves the possibility of repercussions if the activity is uncovered. Since individuals make an active decision to commit fraud, it is considered a risk relating to how the business operates.

Key Takeaways

  • Operational risk summarizes the chances and uncertainties a company faces in the course of conducting its daily business activities, procedures, and systems.
  • Operational risk is heavily dependent on the human factor: mistakes or failures due to actions or decisions made by a company's employees.
  • A type of business risk, operational risk is distinct from systematic risk and financial risk.

Operational Risk vs. Financial Risk

In a corporate context, financial risk refers to the possibility that a company's cash flow will prove inadequate to meet its obligations—that is, its loan repayments and other debts. Although this inability could relate to or result from decisions made by management (especially company finance professionals), as well as the performance of the company products, financial risk is considered distinct from operational risk. It is most often related to the company's use of financial leverage and debt financing, rather than the day-to-day efforts of making the company a profitable enterprise.

Are you using operational risk management (ORM) as an organizational imperative? Effective management of operational risks will increase C-suite visibility and encourage more informed risk taking. Integrating ORM strategy, tools, and processes into your organizational goals will lead to improved product performance, greater brand recognition, and sustainable financial results.

The risk of doing business

Organizations across industries face operational risk wherever they turn. To the left lie ever-present risks from employee conduct, third parties, data, business processes, and controls. To the right are inherent cultural, moral, and ethical risks. Layered on top are technology risks—which are compounded as organizations embrace new technologies like automation, robotics, and artificial intelligence.

In short, operational risk is the risk of doing business. Small control failures and minimized issues—if left unchecked—can lead to greater risk materialization and firm-wide failures. It’s a chain reaction that can be fatal to a company’s reputation and possibly even to its existence. The maturity of operational risk varies by industry but one constant is a greater awareness and appreciation across boards and C-suite executives to better recognize, manage, and understand operational risk management steps. Despite its pervasive nature, many organizations treat the operational risk process as an obligation, adding more risk to an already risky endeavor.

To prevent an event that could cripple or kill the business, organizations should consider gaining a better understanding of their operational risk profiles as well as their risk appetite and tolerance. Leaders should formulate and adopt their own risk culture in addition to setting a much-needed compass of moral and ethical guidance for their organizations. They also need to prioritize, understand and better articulate the materiality of risks in an effort to make informed decisions that balance organizational needs, client and customer demands, product and service specifications, and shareholder requirements.

With stakes this high, it’s time to make ORM an organizational imperative and recognize the operational risk management process as a critical C-suite tool. Effective management of operational risk management steps can encourage greater risk taking and increased visibility. Well-informed C-suites can then leverage the operational risk management process to drive competitive advantage.

Painful lessons, common challenges

For many organizations, ORM is the weakest link to building a sustainable, reliable organization that meets the demands of customers, regulators, shareholders, and internal and external stakeholders. Organizations struggle to support a risk culture that empowers risk accountability, encourages the organization to escalate risks appropriately, and understands operational risk losses. They’re not yet able to promote organizational resilience to build client and consumer trust in the company and its brand. Some continue to operate on “blind faith” when it comes to understanding their control environment and the subsequent material operational risks to which their firms are exposed.

For these reasons, it’s more important than ever for organizations to develop strong ORM programs. Yet, despite the urgency, leaders face a number of ORM-related challenges:

  • The process is varied and complex: Operational risk has become more complex to manage as organizations are driven by advancements in technology, globalization, competition, and shrinking profit margins.
  • The function is hidden: The identity crisis that surrounds operational risk has grown because many organizations incorporate risk management in their compliance, IT, or other functions.
  • Systems and programs are disconnected: Because ORM grew up as a largely reactive function, many firms find themselves besieged with manual and disjointed systems, over-engineered programs, and metrics that are reported for the sake of regulations or compliance.

Steps for driving better business decisions

To develop strong ORM programs, organizations should:

  • Establish ORM as an integral function: Establishing ORM as a central function and promoting firm-wide understanding of the program’s responsibilities are key to the ORM program’s value proposition.
  • Leverage technology for change, not simply reporting: Technology can increase ORM's value to the business, the C-suite, and the organization.
  • Let ORM stand alone: One of the main functions within an operational risk program is capturing and aggregating operational risk data.
  • Focus ORM on risk, not rule breaking: ORM functions add real business value when they refrain from testing for violations of the rules and focus on helping the business reduce material risk exposures and extend risk-taking activity where the business benefits outweigh the risks.
  • Position ORM as a partner, not a competitor: The effectiveness of an ORM team is, in part, dependent on its ability to partner with other functions within the organization.

Using operational risk management as a competitive differentiator

  • Change the perception of operational risk from risk prevention to calculated risk enabler: Embrace the value of strong ORM intelligence to encourage better risk taking and improve competitive advantage.
  • Align the maturity of the risk framework to the complexity of the organization’s strategic objectives: Choose the ORM tools necessary to support the organization's strategic objectives.
  • Embed ORM into the fabric of the organization: By integrating ORM governance, oversight and challenge functions in all aspects of the business lifecycle, organizations can take advantage of an independent view without retribution.
  • Develop automated approaches to monitor and collect control behavior data aligned to material risks in the firm: Build, buy or leverage systems and programs to gather, aggregate and interpret information to ensure compliance with employee ethical behavior.
  • Empower boards and C-suite to hold the organization accountable for decisions that generate heightened risks, control failures, and losses: Information is power. By using the power of the information that ORM provides, boards and C-suite executives can create the “tone at the top” message that resonates with the organization.
  • Provide flexibility to meet regulatory changes and expectations: Develop a broad ORM framework that considers regulatory requirements now and into the future.
  • Achieve transparency within the product lifecycle: Build awareness of operational risks from product development through product end of life to make better product decisions.
  • Support strong assurance relationships to develop a results-driven culture: Partnering ORM and the businesses encourages a culture focused on organizational success.

More prepared, more effective

Organizations that successfully implement a strong ORM program can realize big benefits. Here are some of the advantages:

  • Better investments
  • Stronger brands
  • More effective performance reporting
  • Greater customer loyalty and relationship confidence

ORM earns client respect by demonstrating the company’s preparedness to handle loss or crisis events.

What’s the right size?

When executives look at ORM programs, they should strive to build the strongest, best function for their company. For executives to build the strongest ORM programs, they should think about the limited resources they have and “right-size” them to help meet their most pressing business objectives. This includes leveraging resources, technology, and program management.

For example, from a personnel and human resources perspective, companies may be able to execute the ORM program by making modifications to existing resources. Looking across the technology landscape, organizations might consider using a united technology platform to aggregate the technology solutions that support different operational risk components (including risk control self-assessments, key risks, performance, control, and loss scenario analysis). As for the operational risk program itself, depending on regulatory requirements and rationales for certain components, organizations may look to reduce unnecessary components and re-prioritize risks to identify and build a comprehensive approach to managing material risks.

Considering these factors—with an eye toward rightsizing—is an important component of ORM program success. With the correct tools, talent, and support, the ORM function can build and sustain the value proposition that they advance as an integral corporate function.

How Deloitte can help

Deloitte Risk and Financial Advisory helps organizations turn critical and complex operational risks into opportunities for growth, resilience, and long-term advantage. We challenge conventional thinking regarding ORM by reshaping or tailoring the design, focus, and capabilities of the typical operational risk framework. 

The result? Organizations that partner with Deloitte to implement ORM programs are often better positioned to gain competitive advantage, a stronger brand reputation, and sustainable financial returns. Learn more about Deloitte's solutions to operational risk management.

Get in touch

Nitish Idnani

Principal | Deloitte Risk & Financial Advisory

Nitish is a Deloitte & Touche LLP principal with Deloitte Risk & Financial Advisory. He leads the Operational Risk Management Services group. He has more than 20 years of experience in capital markets...

What steps of operational risk go through audit report?

Operational Risk Management attempts to reduce risks through risk identification, risk assessment, measurement and mitigation, and monitoring and reporting while determining who manages operational risk. These stages are guided by four principles: Accept risk when benefits outweigh the cost. Accept no unnecessary risk.

What are the 4 main types of operational risk?

There are five categories of operational risk: people risk, process risk, systems risk, external events risk, and legal and compliance risk.

What are the 5 steps of the ORM process?

The U.S. Department of Defense summarizes the deliberate level of ORM process in a five-step model:

  1. Identify hazards.
  2. Assess hazards.
  3. Make risk decisions.
  4. Implement controls.
  5. Supervise (and watch for changes).

What is the 4 step risk management process?

The 4 essential steps of the Risk Management Process are: Identify the risk. Assess the risk. Treat the risk. Monitor and Report on the risk.