Skip to content

Our Privacy Statement & Cookie Policy

All Thomson Reuters websites use cookies to improve your online experience. They were placed on your computer when you launched this website. You can change your cookie settings through your browser.


Operational risk management (ORM): An overview

· 13 minute read

· 13 minute read

Explore operational risk management's vital role, processes, and challenges, urging organizations to adopt thorough, automated practices in today's dynamic landscape.

Jump to:

 What is operational risk management?

 The difference with ERM

 Steps to the ORM process

 Benefits and challenges of ORM

 Final words


This blog is part of this series.


Risk is a fact of life for any organization, whether that’s a business or a government agency. And in fact, risk can be an opportunity. It can inspire businesses to innovate and to grow in new, lucrative ways. And it can push all types of organizations to improve and better meet their goals and missions. Many types of risk could lead to a potential risk of loss, damaging an organization’s operations and derailing its success.

That’s why all organizations need to identify and manage operational risk through an operational risk management (ORM) program. With the ongoing and accelerating proliferation of new technologies, new regulations, new opportunities, and new dangers, the need for managing operational risk is as great as it has ever been. In fact, it may be greater than ever. With competition keen in most industries, enterprises need to choose the right risks and sidestep the wrong ones. Government agencies must protect taxpayer money from unnecessary losses and more effectively fulfill the agency’s mission.

Operational risk management can provide improved risk control and position organizations to perform better mitigation when a risk becomes unavoidable. It can also lead to better decision-making about the business or agency’s future direction. But to be effective, such a process needs to be rigorous and thorough. And it will most likely require organizations to introduce automation into their risk control practices and business workflows.

What is operational risk management?

Operational risk management (ORM) is a process focused on identifying, assessing, prioritizing, and mitigating risks that arise from an organization’s day-to-day operations and business workflows. It involves the systematic process of understanding, managing, and monitoring risks to minimize the potential negative impact on an organization’s objectives and outcomes.

As the name implies, operational risk is the risk associated with the execution of an organization’s operations. Operational risks can originate from a variety of sources, including human error, third parties, cybersecurity threats such as data breaches or ransomware attacks, external events such as political turmoil and natural disasters, and government regulations. If not properly managed, operational risk could result in financial losses, reputational damage, legal liability, or business disruption–or any combination of these.

Thorough internal controls, especially in areas like compliance and technology, are essential for minimizing operational risks within an organization. Internal processes within an organization are fertile ground for potentially damaging risks. Take, for instance, customer and vendor onboarding procedures or credit risk. A lack of sufficient due diligence when deciding whether to work with a new customer or an external partner can expose an organization to a number of negative consequences. A new customer or vendor could fail to pay bills or provide contracted goods and services. It could also use an enterprise for money laundering or for disguising illegal activities. And any type of organization can be vulnerable to negative consequences if it outsources key activities such as data storage or cybersecurity.

Another potentially damaging source of operational risk is compliance risk–specifically, a less-than-thorough compliance process. Compliance covers the procedures and practices needed to fully meet the requirements of the government and industry regulations, such as creating a strategy for the supply chain industry. If compliance is conducted incompletely, an enterprise could face millions of dollars in fines and other losses.

Then there’s technology risk, a source of innumerable risks. New or evolving technologies can disrupt an organization’s business model, the markets in which it operates, or the processes an organization uses to manage its operations. An obvious example that has recently exploded onto the scene is ChatGPT. This chatbot is the most high-profile example of generative artificial intelligence (AI), which has the capability to generate text, images, and other types of content—even computer code. It also could shake up or even shatter business models in numerous industries. Keeping track of how generative AI could impact operations is becoming crucial for nearly all organizations.

And since processes and technologies are managed by employees, there is also the source of employee risk. Some types of risk are obvious, such as embezzlement or other malfeasance. Often, the operational risks due to an organization’s people are unintentional ones. An example is work-from-home (WFH) staff. These employees often use their own electronic devices at home or on the road, and they’re accessing their organization’s IT systems. If these devices aren’t sufficiently secure, it could result in the loss of valuable information–or could allow cybercrooks to access the organization’s data.

To be sure, some organizations are especially vulnerable to operational risk with industry risk. For companies in highly regulated industries such as financial services and financial institutions, failure to develop a thorough risk management process can result in costly fines or other regulatory sanctions. Operational risk management seeks to reduce unintentional risk, including managing financial risk associated with potential financial losses or business disruption.

The point is, that every organization has its particular types of operational risk, and it therefore needs to establish its own risk control protocols. In seeking to manage those vulnerabilities, it has to tailor its risk management process to its specific situation.

The difference with enterprise risk management

Operational risk management (ORM) can be considered a subset of enterprise risk management (ERM). Generally speaking, ERM looks to optimize what is called intentional risk. Under this category fall the types of risks that businesses want to take because they are likely to lead to successful results. Some corporate examples include mergers and acquisitions, incorporating new technologies, and pursuing new lines of business. They are risks because there’s no guarantee that they’ll pay off. But assuming the enterprise conducts a careful assessment of a particular risk and determines that the pros outweigh the cons, it can decide to move ahead and take the chance. The organization also can develop processes and strategies to improve the odds that the risk-taking will be rewarded.

By contrast, operational risk management seeks to reduce unintentional risk. It does this by identifying procedures that can minimize the likelihood and impact of unnecessary risks on the organization and thus ensure that it can continue operating even in the face of unpredictable events. As noted earlier, these unintentional risks usually involve internal processes, systems, and people, though some external events (particularly if the organization has overseas operations) can also negatively affect an organization’s ability to maintain its operations on an even keel.

It should be clear that operational risk management needs to be conducted thoroughly, with processes and protocols in place to identify and address all known risks.


Risk & Compliance Report

A delicate balance between risk and reward

View report




Steps to the operational risk management process

An effective operational risk management framework establishes an in-depth ORM process that includes policies, processes, and procedures designed to reduce or eliminate potentially damaging risks. The following steps provide a standardized approach to crafting risk management framework:

What are your operational risks?

Thorough risk identification is the first initiative for this risk management process, helping organizations identify vulnerabilities and potential threats. In developing an operational risk management strategy, an organization begins by identifying all vulnerabilities and potential risks, particularly those that could disrupt any of its key operations.

How likely and impactful are those risks?

The next step is to determine the level of risk: how likely these vulnerabilities and threats are to cause disruptions, and how damaging those disruptions could be. Thorough risk assessment protocols can provide benefits such as speeding up the onboarding of new customers and vendors and positively impacting business practices and customer satisfaction.

Understanding risk exposure using the “risk assessment matrix” can help reduce disruptions. The risk assessment matrix is developed that categorizes the types of risks in terms of probability and potential impact, using categories such as high, moderate, and low. This aggregate view helps an organization prioritize the risks—in other words, which ones it should focus on.

How can you mitigate those risks?

Once risks are prioritized, the organization can begin to determine how they should be avoided or at least reduced. Effective risk mitigation strategies, such as cybersecurity measures, are crucial for reducing the chance of disruptions from operational risks. In developing a mitigation strategy, organizations should consider comparing the costs of controlling the risk to the costs of handling the harm a risk could cause. For relatively minor risks, acceptance may be the less costly option.

How frequently will you monitor your risks?

Organizations can keep regular tabs on operational risks by putting together a list of key risk indicators, or KRIs. A KRI is a metric that measures not only the likelihood of a particular “risk event” but also how seriously the effects of that event will hurt the organization’s operations. KRIs can include HR measurements of the effect that high absenteeism or the loss of key employees could have on operations. Process KRIs can measure operational objectives such as production and sales levels. KRIs for technology can focus on cybersecurity objectives and backup levels. Some organizations also include regulatory and reputation risks as KRIs.

When will you report your findings?

Regular reporting of risk-related events, changes in these events, and their potential effects on the organization’s top leadership can help maximize an operational risk management program’s effectiveness and guide decision-making for senior management. Reporting should connect with all departments with potential vulnerability to operational risk, including sales and marketing, finance, IT, product development, and collaborating with the legal team. These various business operations should collaborate on risk management strategies.

Benefits and challenges of operational risk management

What are the benefits of operational risk management?

Rigorous operational risk management can provide organizations with numerous benefits. It can help reduce costs, increase efficiency, improve decision-making, and protect and improve reputation. Above all, it can help an organization respond resiliently to any unavoidable disruptions that might affect its operations.

Risk management also can boost relationships with stakeholders—whether those are customers, investors, vendors, the public, or governments—by showing that the organization has taken threats to its operational capacity with utmost seriousness. For enterprises with legal matters, it can help businesses improve not only their operations but also their products and services. It can help them better identify intentional risks–that is, the risks that could be worth taking for the business to continue flourishing.

Many of the benefits of risk assessment and risk control can be determined with specific metrics. When used for purposes such as customer due diligence and anti-money laundering, the effectiveness of an operational risk management program is something that an organization can measure. But there also are benefits that are less easy to quantify but that can still be crucial to an organization’s ongoing success. For instance, thorough risk assessment protocols can help speed up the onboarding of new customers and vendors. That, in turn, can boost customer satisfaction.

What are the challenges of operational risk management?

The benefits of operational risk management (ORM) are significant. So are the challenges in conducting it with the necessary level of rigor. These challenges include complexity (the size of a business and the number of processes), risk data quality, resistance to change, and the cost of implementing a thorough ORM program. Again, ORM starts with developing a thorough framework and identifying the risks that could disrupt an organization’s effective functioning. Once identified, risks should be prioritized–what are the operational risks that are most likely to occur, and which ones could cause the most damage?

It’s not a once-and-done process, nor is it a simple one. Operational risk needs to be continually monitored since the sources of risk are ever-changing. That’s certainly true of technology and regulation. But talent pools and processes also change and evolve. Organizations need to be prepared.

There are several other challenges and pitfalls organizations need to face as they seek to develop effective operational risk management (ORM). Identifying, assessing, and mitigating risk is highly complex. Some organizations may believe they lack the funding to establish a truly effective management framework. In some organizations, leadership may not believe ORM is necessary to the company’s success or would require too significant a hit to the bottom line. Even organizations that are aware of ORM’s importance may not have an effective program in place, or they may spread out these efforts across separate departmental silos. Many of these organizations may use time-critical“manual” approaches to ORM that are both time-consuming and out-of-date.

All this is why organizations should consider incorporating automation into their operational risk management efforts. Digital tools can gather and analyze large amounts of data from a variety of sources. For enterprises, this data can help the organization conduct proper due diligence on potential customers and vendors, as well as identify and assess sources of potential high risk. It can also help keep the business current on regulatory matters. Government agencies can use such digital data-gathering capabilities when determining whether an applicant for benefits is who he or she says–and not a fraudster looking to access public funds illicitly.

Leveraging technology can help organizations establish an effective framework for identifying and assessing operational risk. It also can allow them to better set up metrics for evaluating those risks and to keep track of changes in the areas (such as technology and regulations) that affect its operating processes.

Final words

Operational risk originates from many sources, both internal and external. A thorough, well-conceived operational risk management process is crucial for any organization. Risk control can lead to better mitigation outcomes and better organizational decision-making. With risks ever-changing and increasingly complex, organizations will need to turn to automation solutions to ensure that they’re truly protecting themselves while still pursuing opportunities and technologies that could benefit their stakeholders.

More answers