Operational risk management

Easily identify, measure, control and monitor the operational risks of your organization→


security risks

Ensures the confidentiality, integrity and availability of your information assets →



Keep track of all regulations and regulations that your organization must comply with →


Anti-Money Laundering

Easily identify, establish controls, and monitor AML risks→



Improve your internal audit processes, support regulatory compliance, and generate value for your organization through continuous improvement →

What will you learn? Learn with our experts about critical topics on Risk Management that will be useful in your daily work.

Download a free e-Book
Download a free Excel Risk Matrix Template
Free e-book Prevention & Correction of Human Error For Risk Management

How To Manage Operational Risks in The U.S



A key factor for the healthy functioning of business organizations is operational risk management. However, implementing it is a complex task, as figures show that since 2008 operational risk has increased rapidly, causing companies in Europe and the United States to have losses exceeding $80 billion. The main reason is that this is a complex risk encompassing different types of threats. Hence, companies have yet to learn where to start or what process to apply to detect, prevent and mitigate these potential risks. 

Another common problem is that even when companies establish an operational risk management method, they rely on outdated or ineffective strategies, which negatively impacts their performance, and leads to severe financial losses, opportunities, profits, and even worse, customer dissatisfaction. So if a company ignores management or does it poorly, the chances of something terrible happening are high. 

There is no single cause for the potential risks that can diminish an organization's capacity and proper functioning. Several events can represent an operational risk, such as natural disasters, a technological failure, or a failure in a process, and one of the most unpredictable is human error. So, while there is no single path to follow, there are specific steps that companies can take in the right direction to be prepared for the uncertain and to face operational risk before the consequences become more serious.  

Because of the intrinsic difficulties associated with operational risk, organizations must include efficient processes based on oversight and transparency that allow them to remain in the marketplace. To do this, they must understand this type of risk, its consequences for organizations in the financial public and private sectors, and the benefits of good operational risk management.

Find out how you can be prepared!

FREE EBOOK How To Manage Operational Risks in The U.S Pirani

Historical Context: Operational Risk Management in America 

Today, it is estimated that large financial institutions invest around $2-7 trillion of their capital to mitigate operational risk.

How and why has it become a priority for companies in the USA? 

In the 1990s, financial institutions faced losses of over $100 million. It caused business organizations to start worrying about avoiding these losses and began establishing standardized methods for monitoring and controlling operational risk. 

Without government regulation to provide more significant guarantees against this type of risk, institutions such as banks, credit agencies, and investment groups have set a methodology to control their daily business activities. It led to the publication of the COSO Internal Control-Integrated Framework in 1992 and the Sarbanes-Oxley Compliance Act of 2002.

However, financial fraud situations such as Enron and Allfirst Financials’ $691 million loss due to deceptive practices, as well as Bank of America's $140 million loss due to 9/11, demonstrated the ineffectiveness of previous regulations and have forced executives of institutions to be concerned with establishing better audit methods based on reliable data from their operations to avoid suffering losses. 

Today, companies are still trying to quantify operational risk. In the constant search for better practices for their management, they have incorporated technological solutions that collect and analyze the data generated at each stage of the process to facilitate its ability to measure and control potential risks. Banks use a Value at Risk (VAR) model to estimate their exposure and collect market statistical data. However, the main problem in U.S. institutions is that they do not keep a complete history of their loss data, both large and small, which makes detecting operational risk before it occurs and making decisions based on reactive rather than a proactive response to danger a problematic task.

Let's see the importance of operational risk management!

Importance of risk management

The importance of risk management lies in the fact that it allows organizations to fulfill their product and service production processes optimally. In addition, it will enable you to have greater control over your business operations, understand your market, detect and eradicate threats, and even take advantage of potential opportunities. It facilitates informed decision-making within the organization based on data and facts to maintain and optimize its performance. 

Efficient risk management enables companies to create an organizational infrastructure and strategic methodology that allows them to understand the context of operational risk, which can affect their performance, identify it, analyze it, and take a course of action while monitoring and prioritizing daily business activities. 

  • Critical features of operational risk management 
  • Company's capital and revenues protection
  • Employees safety.
  • Safe working environment.
  • Business processes compliance.
  • Customer satisfaction. 
  • Permanence in the market competition. 

However, there is more behind operational risk management. It allows data collection on all types of losses, sets methods of self-assessment and control of internal processes, analyzes activities, anticipates possible scenarios through crucial risk indicators, and improves performance.

Its fundamental relevance is that it prevents companies from suffering severe financial losses derived from the materialization of facts or events that hinder or prevent the execution of their business processes. It focuses on planning efficient responses to crises, ensuring you have the resources and metrics to deal with them.

Risk Management in the public and private sector in the U.S.

Risk management in the U.S.'s public and private financial sectors has had its ups and downs, with significant actions in the first decade of the 2000s in which financial organizations recognized the importance of identifying and controlling the materialization of losses. However, in the last few years alone, the frequency and complexity of risks have increased. Thirty-two percent of U.S. financial institutions were surprised by operational risk

What is the reason for the increased incidence of operational risk?

The problem is poor operational risk management. As an organization grows and advances in the marketplace, potential risks evolve. Still, if it maintains the same measures as at the beginning, they must be sufficient to identify, address and mitigate the threat. 

How much do financial institutions in the United States lose?

The lack of adequate operational risk management has generated over $100 million in losses, and others cannot recover. An emblematic case of companies that did not make it is that of LTCM (Long Term Capital Management). This hedge fund even had the direction of two economics Noble Prize winners, Myron Scholes and Robert Merton, that reached a profitability margin of 40% per year. Still, in the face of the crisis, it did not know how to face the devaluation of the Ruble, the currency with which it leveraged its operations. They needed more liquidity since they had invested in purchasing treasury bonds. The result was a loss of $600 million and 90% of its shares

What is the percentage of companies that correctly manage this type of risk?

Only 30% of financial institutions in the U.S. have implemented an effective operational risk management process that fully understands what may be at risk to them and, from there, creates strategies to mitigate it. What are the rest of the organizations not seeing? 

Discover the advantages of efficient operational risk management!

There are thousands of known variants of cyber-attacks; below, we describe the ones that affect companies most frequently.

Benefits of implementing an operational risk management program

Implementing a functional risk management program is very useful for achieving a company's objectives and, at the same time, ensures the continuity of operations. A solid management program demonstrates to customers that the company is prepared to deal with potential crises and demands. 

Companies that can effectively implement a sound operational risk management program can experience a wide variety of benefits, such as:



Practical operational risk management guide 

The following will explain how an operational risk management process works. Before implementing a strategy, you should consider the five steps of the process, which are of great value.

Step 1: Risk identification 

Before applying the operational risk management process, you must know the project's objectives and what each consists of. Therefore, identifying all the risks linked to the project is the first step to follow when you decide to apply ORM. 

After getting the identification, you have to list the risks that may occur in each project phase. Such as: 

  • Hazardous risks related to fire or injury.
  • Operational risks related to staff turnover or supplier bankruptcy. 
  • Financial risks related to the economic downturn.
  • Strategic risks related to brand reputation or new competition.

To create a practical risk analysis, you must describe each risk in as much detail as possible. Then, based on this, you should prepare a risk assessment.

Recommendation: to collect all risks more efficiently, ask yourself, "what if...". This will make it easier for you to identify all operational risks.   

Be specific when identifying operational risks; your subsequent assessment will be adequate. In addition, it will be beneficial for the creation of risk controls. The three essential elements of the ORM process are communication, assessment, and validation, as they greatly facilitate risk identification. 

1. Communicate intentions to the team

Maintaining constant communication with the members of your company is indispensable because it allows everyone to have a complete understanding of the situation, reducing the chances of error and helping teams to share their intentions and objectives effectively. 

In general, all team members, regardless of their rank, have the responsibility to comply with good communication practices, such as:

  • Asking questions in case of uncertainty or confusion.
  • Thanking through messages or short emails.
  • Informing about possible operational risks.
  • Communicating the actions to be implemented and telling others if necessary. 

2. Evaluate activities and changes 

to understand each situation accurately, the company's decision-makers must evaluate the conditions of a constantly changing operating environment. Considering all actions and changes is crucial to developing the ORM process. 

3. Validate assumptions

Every business operating environment is complex. Most people need help obtaining all the information they need. Therefore, confirming the accuracy of the data used to make decisions is essential to reduce the chances of unforeseen outcomes. 

Over time, situations can change as more information is gathered. In this way, the decision-maker in the company is driven to confirm the accuracy and relevance of the information collected and, subsequently, to determine its effectiveness.

Step 2: Risk assessment 

After identifying the risk, proceeding with a risk assessment is necessary. It would help if you considered the operational risks that meet the objectives established in your company. Before the risk assessment, you should investigate the probability of the risk occurring and its consequences. 

To obtain information about the probabilities and outcomes in the event of an event, you can ask an industry expert to conduct a risk analysis. Due to different factors, such as individuals, risk analysis is subjective. 

Some of the tools used to assess operational risks are:

  • Risk Assessment Matrix: This provides risk assessment codes for each operational risk encountered during the development of a task. 
  • Risk Assessment Tool (RAT): establishes a total risk score, provides quick operational assessment mechanisms and equates all the information obtained to the relative risk assessment.

Step 3: Risk mitigation 

Risk-informed decision-making is the third step you need to follow for proper management. To achieve effective mitigation of operational risks in a company, you must follow three actions:

  • Establish strategies: identifying operational risk is only the beginning of the process. Determining the actions to reduce the company's risk significantly is essential. The control options require the implementation of strategies for better management. 
  • Evaluate the possible effects of the control and risks involved. Identify the possible results from the application of controls. 
  • Analyze the risk and decide the best way to proceed: it is essential to choose a risk decision authority or a person authorized to approve projects at all risk levels, i.e., a person who ensures that all employees in the company understand the approval process.

Operational risk management: tools and resources

Proper preparation increases the value that Operational Risk Management provides to the enterprise. Therefore, for management planning, it is necessary to consider the creation of a risk library, controls, and risk assessment process in a dedicated application. 

Professional risk management training is essential to making better business decisions and is a crucial tool that allows one to have a competitive advantage. Integrating these processes with technology ensures they are applied consistently, increasing efficiency. 

In addition, having a robust Operational Risk Management infrastructure allows having continuous operational audits, a sound risk library, companies SOX, and Cybersecurity compliance programs. 

Discover how Pirani can help you manage, automatize, and streamline your operational risk management program to turn operational risks into opportunities and gain a significant advantage over your competition.

Guiding principles of operational risk management

There are general principles that must be applied to manage operational risk effectively. Here are the four main ones:

Avoidance of unnecessary risk

As with all things in investing, risk, and return usually have a positive relationship. If the company takes more risk, it should be rewarded with higher returns. For this reason, companies can manage operational risk well by eliminating processes that do not cite the company and only cause unnecessary trouble.

One example is to avoid suppliers that are likely to default on contracts. You can work with suppliers equally well as your company or even better suppliers with a better credit history. In that case, the company should refrain from taking the risk of working with inferior suppliers.

Evaluating costs and benefits

When managing risk, companies must frequently consider and evaluate the relationship between cost and benefit. Therefore, to do this analysis, professionals must compare the risk they assume with the help they receive. Instead of focusing only on the risk, in this step, you have to be aware of the benefits the company gets. 

For example, if the company expands into an international market, it may represent a substantial operational risk. However, if the market is untapped and thorough research has been conducted, the reward of expanding the business outweighs the operational risk. For that reason, to manage risk, companies must be transparent that there are times when risk-taking is necessary.

Evaluating costs and benefits

For proper decision-making in companies, only top management should make decisions related to the approach to operational risk. Team members in senior management positions are usually more knowledgeable about the company and know the most effective strategies for each case. 

Continuing with the previous example, a senior management team member should make the decisions in this international expansion. This executive should work with all company areas to better understand the logistical, legal, procurement, and shipping risks. The reason for this is that this type of responsibility is not appropriate for an individual worker at a lower level.

Risk anticipation

One of the most critical aspects of risk management is knowing the possible outcomes in advance. Knowing all this information, companies usually decide preventively whether it is best to accept, mitigate or avoid the risk.

In the above example of a possible international expansion, the company can efficiently conduct various investigations to learn more about geographical boundaries, political risks, or consumer preferences in this new market. The first step in accepting risk and managing it properly is knowing what may happen in the future and establishing a plan to overcome it.


How to create a risk culture in the company 

To be genuinely involved in risk management, all company members must have the necessary knowledge to identify and report on time events that can disrupt the operation, finances, reputation, and process development. For that reason, it is advisable to implement actions such as:

  • Having the full support of top management is critical.
  • Having an interdisciplinary team with an excellent capacity for innovation that can generate strategies that can impact all personnel. 
  • Working together with all areas of the company.
  • Communicate clearly, directly, and assertively to create awareness about the relevance of risk management. 
  • Constantly train all employees, raise their awareness, and appropriately educate them. 
  • Provide specialized support from internal control area personnel to all employees.
  • Develop risk management programs for each of the areas.
  • Provide incentives and bonuses adjusted to the employee's expectations, which can generate value. 
  • To have an adequate means for the personnel to report freely and in total confidentiality all events, failures, or threats that may put the company at risk. 

In addition to these good practices, it is essential to implement a technological tool such as Pirani so that all employees can get involved more quickly and effectively with risk management, helping to achieve the objectives and the continuity of the business in the long term. 

Operational risk management Pirani


Implementing an effective operational risk management process is the best way to mitigate risk. The above guidelines will help you create a viable plan for your company.

Operational risk management is critical to any business, especially in today's digital economy. To help you get on the right path to implementing the active risk management process, follow some of the above best practices that have been proven to work repeatedly for companies like yours.

Bibliographic references


Let's start now!

Take your company's risk management to another level using specialized software that fits your needs.

Get started