Understanding Operational vs. Enterprise Risk Management on Audit Board Essentials (Full Transcript)

Speaker 1: So, what exactly is Operational Risk Management and how is it different than Enterprise Risk Management? That's what we'll discuss today on Audit Board Essentials, so let's get into it. Senior management typically has one of two perspectives on risk. In the traditional Enterprise Risk Management view, the goal is to find the perfect balance of risk and reward. Sometimes, the organization will accept more risk for a chance to grow the business board quickly, while other times the focus switches to controlling risk with slower growth. The Operational Risk Management, or ORM perspective, is more risk-averse focusing on protecting the organization. As the name suggests, the primary objective of Operational Risk Management is to mitigate risks related to the daily operations of a company, such as ineffective or failed internal processes, people, systems, or external events that can disrupt the flow of business operations. These operational losses can have a direct or indirect financial impact. For example, a poorly trained employee may directly lose the company a sales opportunity, whereas the company's reputation can suffer indirectly from poor customer service. Operational risk can be viewed as part of a chain reaction. Overlooked issues and control failures, whether small or large, can lead to greater risk materialization, which may result in an organizational failure that can harm a company's bottom line and damage its reputation. Additionally, while Operational Risk Management is considered a subset of Enterprise Risk Management, it focuses on unsystematic risks and excludes other risk areas, such as strategic and financial risks. Examples of operational risks include employee conduct and error, breach of private data resulting from cybersecurity attacks, technology risks tied to automation, robotics, and artificial intelligence, business processes and controls, physical events such as natural catastrophes, internal and external fraud, and workplace safety risks. Since operational risk is so pervasive, the goal is to control risk by reducing it to an acceptable level through a linear process of risk identification, risk assessment, measurement and mitigation, monitoring, and reporting. These stages are further guided by four principles. Accept risk when benefits outweigh the costs, accept no unnecessary risks, anticipate and manage risks by planning, and make risk decisions at the right level. In the last five years, U.S. organizations have experienced significant increases in the volume and complexity of risks, with 32% of companies experiencing an operational surprise in that time period. In fact, losses from failure to properly manage operational risks have led to the downfall of many financial institutions. Recent bank collapses are speculated to have been caused by poor operational risk management and decision-making around the valuation of assets. Having a strong ORM program also demonstrates to clients and other stakeholders, like shareholders, that a company is well-prepared to handle upcoming crises. That's it for this episode of Audit Board Essentials. Be sure to subscribe and tune to our channel for future episodes where we'll be covering the nuts and bolts of a foundational knowledge of audit, risk, and compliance.