
Operational Risk Management

"If You Don't Actively Attack the Risks, The Risks Will Actively Attack You."
- Tom Gilb

Without risks there is no reward.


"The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning."
- Charles Tremper
Definition
• Risk: any anticipated unfavorable event or circumstance that occurs while the project is underway.
• If the risk becomes true, it can hamper the successful and timely completion of a project.
• Therefore, it is necessary to anticipate and identify the different risks.
What is Risk Management?
• Reducing the impact of all kinds of risks that might affect a project.
• Risk management is a decision-making process aimed at reducing the number of losses of people, equipment and material due to accidents.
• It is a proactive approach to accident reduction which has been proven on the battlefield as well as in private-sector companies.
What is ORM?
• Risk management is the process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk costs with mission benefits.
• Risk is characterized by both the probability and the severity of a potential loss that may result from hazards.
What is Operational Risk Management?
• The process of detecting, assessing, and controlling risk associated with organizational operations.
• It is a logic-based, common-sense approach to making calculated decisions on the various factors associated with any kind of activity.
• Operational Risk Management doesn't just reduce mishaps; it improves our ability to accomplish the task efficiently and effectively.
• These factors include:
  • human(s)
  • machine(s)
  • environment
  • management
  • and mission.
Why is ERM Important?
Is this how you feel most ERM pathways look to you?

The regulators have given enough guidance and direction on the different elements of managing risk at the enterprise level. There is, however, no cohesive guidance or model that applies to all sizes in all industries when it comes to Enterprise Risk Management practices.

This leads to many challenges within a franchise and within the industry. Often, to avoid obstacles or traffic, we listen to traffic news and avoid congested roadways. So the natural question should be: who is doing ERM the right way? What is the right way for ERM? Is there one way to do ERM?
Why is Risk Management Important?

"No issues loom larger today than operational risk in all its dimensions."
Excerpt from Remarks by Thomas J. Curry, Comptroller of the Currency, OCC, May 2012

Why Care About IT-related Risk?
• Enterprises are dependent on IT.
• Need to cross IT silos of risk management.
• Important to integrate with existing levels of risk management practices.
• An IT risk management program is crucial not only in managing the enterprise's exposure to risks, but also in improving overall business decision making.
• Enterprises must periodically assess and continuously improve their risk management maturity levels.
IT Risk Management: What?
Visibility on IT Risk
• The domain of IT risk can be visually represented as 4 intersecting landscapes:
  • Threat
  • Asset
  • Impact
  • Control
• The organization's capability to understand and manage risk requires information from each landscape.
• Security metrics, then, should create knowledge that improves management's capability to make decisions and execute on them.

Visibility on IT Risk
• Business Impact
  • Operational
  • Legal
  • Reputation
• IT Control
  • Preventative
  • Detective
  • Limitative
• Asset Landscape
  • Information
  • IT Infrastructure
  • Business Processes
• IT Threat
  • Compromising integrity
  • Confidentiality, involving data breach
  • Availability, disruption of IT services
Operational Risk Management
Why ORM?
• It is impossible to completely remove all risk.
• We must know how to control hazards in order to decrease the amount of risk that we are exposed to.
• To ensure necessary risks are taken.

ORM:
• Is an important tool for training realism
• Provides potential to expand capabilities
• Assures necessary risk taking to enhance superiority
• Natural evolution from traditional risk management
• Systematic decision-making tool that balances risk cost & benefits
Operational Risk Management
• OBJECTIVE of the ORM process:
  • Protecting people, equipment and other resources, while making the most effective use of them.
  • Preventing accidents, and in turn reducing losses, is an important aspect of meeting this objective.
  • In turn, by minimizing the risk of injury and loss, we ultimately reduce costs and stay on schedule.
Operational Risk Management
Applicability
• Risk management assists management in:
  • Conserving resources and avoiding unnecessary risk.
  • Making an informed decision.
  • Identifying feasible and effective control measures where specific standards do not exist.
• Risk management does not:
  • Inhibit the management's flexibility and initiative.
  • Remove risk altogether, or support a zero-defects mindset.
  • Require a GO/NO-GO decision.
  • Remove the necessity for standard practices.
Principles
• Making risk decisions at the appropriate level.
• Accepting no unnecessary risk.

The five steps
1. Identify hazards
2. Assess hazards to determine risk
3. Develop controls and make risk decisions
4. Implement controls
5. Supervise and evaluate
Importance of Software Risk
• Addresses complex software systems
• Focuses projects on critical risk items
• Provides techniques for handling risk items
• Reduces software costs by reducing rework
  • Usually 40-50% of software costs
• Making informed decisions involves the evaluation of risk improvement
  • Costs, benefits, and risks
  • The evaluation of the impact of current decisions on future options
Risks within a System Context

Process of Risk Management
• This process of risk management embodies the identification, analysis, planning, tracking, controlling, and communication of risk.
• A continuous set of activities to identify, confront, and resolve technical risk.
Risk Assessment and Control
Risk assessment
• The objective of risk assessment is to rank the risks in terms of their damage-causing potential.
• For risk assessment, each risk should first be rated in two ways:
  • The likelihood of the risk coming true (r)
  • The severity of damage caused by the risk (s)
• Based on these two factors, the priority of each risk can be computed as

  p = r × s
Risk identification
• The project manager needs to anticipate the risks in the project as early as possible so that the impact of the risk can be minimized by making effective risk management plans.
• In order to be able to systematically identify the important risks, it is necessary to categorize risks into different classes.
• Main categories of risks:
  • Project risks
  • Technical risks
  • Business risks
Main categories of risks
• Project risks
  • Concern various forms of budgetary, schedule, personnel, resource and customer-related problems.
  • e.g. schedule slippage
  • Because software is intangible, it is very difficult to monitor and control software projects.
• Technical risks
  • Concern potential design, implementation, interfacing, testing, and maintenance problems.
  • e.g. incomplete specification, changing specification, etc.
• Business risks
  • Include an excellent product that no one wants, losing budgetary support, etc.
Risk Containment
• After all the identified risks are assessed, plans must be made to control the most damaging and the most likely risks.
• Strategies used for risk containment:
  • Avoid the risk
    • Discuss with the customer to reduce the scope of the work
    • Giving incentives to engineers to avoid the risk of manpower turnover, etc.
  • Transfer the risk
    • Getting the risky components developed by a third party
    • Buying insurance cover, etc.
  • Risk reduction
    • Planning ways to control the damage due to a risk
    • If there is a risk that some key personnel might leave, new recruitment may be planned.
Techniques for Handling Risks
Cost Factor
• To choose between the different strategies for handling a risk, the project manager must consider the cost of handling the risk and the corresponding reduction in risk.

  Risk leverage = (Risk exposure before reduction − Risk exposure after reduction) / Cost of risk reduction
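A worked illustration of the two formulas the slides define, ranking risks by priority p = r × s and then comparing containment strategies for one risk by risk leverage; this is added example code, not part of the slides, and every risk, probability, cost and strategy name in it is a constructed sample value.

```python
# Added example (not from the slides): rank risks by p = r * s, then pick the
# containment strategy with the highest risk leverage for the chosen risk.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float   # r: probability that the risk comes true, 0..1
    severity: float     # s: damage if it does, in arbitrary cost units

    @property
    def priority(self) -> float:
        """p = r * s, the expected loss (risk exposure) used for ranking."""
        return self.likelihood * self.severity


@dataclass
class Strategy:
    name: str
    cost: float               # cost of applying this containment strategy
    likelihood_after: float   # r once the strategy is in place
    severity_after: float     # s once the strategy is in place


def rank_risks(risks):
    """Assessment step: order risks from most to least damaging by p = r * s."""
    return sorted(risks, key=lambda rk: rk.priority, reverse=True)


def risk_leverage(risk, strategy):
    """(exposure before - exposure after) / cost of risk reduction."""
    if strategy.cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    exposure_after = strategy.likelihood_after * strategy.severity_after
    return (risk.priority - exposure_after) / strategy.cost


def best_strategy(risk, strategies):
    """Cost-factor step: the strategy with the highest leverage wins."""
    return max(strategies, key=lambda st: risk_leverage(risk, st))


# Constructed sample data for a software project (hypothetical figures).
RISKS = [
    Risk("schedule slippage", 0.6, 50_000),
    Risk("key personnel leave", 0.3, 80_000),
    Risk("changing specification", 0.5, 30_000),
]
TURNOVER_STRATEGIES = [
    Strategy("retention incentives (avoid)", 5_000, 0.1, 80_000),
    Strategy("outsource risky component (transfer)", 20_000, 0.3, 20_000),
    Strategy("plan backup recruitment (reduce)", 8_000, 0.3, 30_000),
]

if __name__ == "__main__":
    for rk in rank_risks(RISKS):
        print(f"{rk.name}: p = {rk.priority:.0f}")
    chosen = best_strategy(RISKS[1], TURNOVER_STRATEGIES)
    print(f"best containment for '{RISKS[1].name}': {chosen.name}")
```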
Operational Risk Integrated Approach
[Figure: the integrated approach links five elements: Operational Risk, Control Self-Assessment, Business Continuity, Insurance and Operational Risk Capital]

Operational Risk
• Proactive identification of risks
• Assessment and evaluation
• Scenario analysis

Control Self-Assessment
• Assess controls
• CSA process
• Review control weaknesses
• Track actions
• Link control evidence to risks
• Review incidents as evidence of control failures

Business Continuity
• Mitigation of operational risks
• Crisis Management Team & Plan
• Incident Management Teams
• Crisis Management Centre
• Work-Area Recovery
• Disaster Recovery strategy

Insurance
• Risk transfer
• Placement
• Claims Handling
• Specific perils, e.g. Buildings/Contents, Business Interruption Insurance
• Advice & Guidance

Operational Risk Capital
• Capital against unexpected losses
• Calculation
• Planning
