Explore how operational risk management (ORM) can evolve from a compliance-heavy support function into a strategic driver of business performance by aligning ORM with organizational objectives to enhance decision-making, build resilience, and protect value.
Operational risk management (ORM) has increasingly become a vital component of enterprise-wide risk frameworks, especially in financial institutions. Historically treated as a compliance necessity, ORM today offers significant strategic value when appropriately realigned. This article explores how organizations can transform their ORM function from a passive cost center into an active value driver. By repositioning ORM within enterprise structures, redefining roles, and reinforcing ownership, banks and businesses can reduce losses, increase efficiency, and enhance organizational resilience.
Defining Operational Risk and the ORM Framework
Operational risk refers to the potential for loss resulting from failures in internal processes, human error, system malfunctions, or external events. To manage this effectively, organizations implement an ORM framework, which provides a structured approach to identifying, assessing, monitoring, and reporting operational risks. A comprehensive ORM framework relies on a shared risk language and aligns with the institution’s overall risk appetite. Managed by an independent ORM unit, the framework includes policies, procedures, loss event reporting mechanisms, risk assessments, key indicators, and scenario planning. Its purpose is to support a consistent and enterprise-wide view of operational risk.
Reassessing the ORM Unit’s Organizational Role
Under regulatory mandates, the ORM function has become a permanent fixture within banks. However, it often operates as a cost center with limited impact on profitability. This limited view undermines its true potential. A realigned ORM unit, equipped with the right authority and positioned strategically, can help organizations identify loss drivers, mitigate risk exposures early, and ultimately contribute to profitability by supporting better decision-making and safeguarding assets.
The Pitfalls of Incorrect Structuring
In many institutions, the ORM unit is incorrectly placed under Group Risk or Compliance. Both of these are control functions, and their traditional mandate limits the ORM unit’s ability to interact meaningfully with front-line operations. This misplacement leads to confusion over responsibilities, duplication of effort, and unproductive spending. Moreover, without the necessary operational insights and expertise, the ORM unit ends up overextending itself to meet responsibilities that it is neither trained for nor structured to fulfill effectively.
Repositioning ORM Under Enterprise Risk
To enhance effectiveness, the ORM unit should be repositioned as a core part of Enterprise Risk. This recognizes the unit’s real role as a data-driven reporting and advisory function. Its primary contributions should include collecting and analyzing granular operational loss data, coordinating operational risk committees, moderating risk control self-assessments and scenario analysis sessions, providing staff training on ORM principles, maintaining comprehensive risk and control taxonomies, and managing enterprise-wide data tools for capturing loss events and near misses. This repositioning aligns ORM with its strengths in data consolidation and risk communication.
Strengthening Risk and Control Ownership
The ORM framework promotes a model in which business units are the risk owners, while control functions act as control owners. Business units should take the lead in identifying and reassessing risks, working closely with ORM and control owners. The control functions, in turn, should focus on evaluating the adequacy of controls and recommending new ones when required. ORM’s role is to facilitate structured discussions through monthly operational risk management committee (ORMC) meetings, maintain proper records, and ensure the availability of reliable risk data to all stakeholders involved in the risk management process.
Establishing Business Operational Risk Managers
For ORM to become more embedded in business processes, each business line should appoint dedicated Business Operational Risk Managers (BORMs). These individuals would be responsible for leading monthly risk meetings, conducting risk and scenario assessments, agreeing on mitigation strategies, and obtaining necessary management approvals. The presence of BORMs ensures that risk management is not only centralized but also closely aligned with the actual operational realities of each business area.
Incentivizing Effective Risk Management
Institutions should consider developing reward systems for proactive risk management. When operational risks are identified and addressed before causing harm, those efforts should be recognized. For instance, if a front-line staff member identifies a fraudulent pay order and prevents a loss, such vigilance should be incentivized. Recognizing these contributions not only encourages a culture of accountability but also motivates continuous improvement in risk practices.
The Importance of Near Miss Reporting
Near misses—incidents that did not result in actual losses but could have—are often overlooked in ORM practices. However, these events provide essential insights into weaknesses in control design and offer a valuable opportunity for redesign and testing of controls. Capturing and analyzing near misses can help institutions prevent more severe losses in the future. Recording such events systematically and rewarding staff for flagging them reinforces a strong internal control culture.
Rebuilding Governance and Risk Hierarchies
Risk identification and assessment should occur not just at the departmental level but across all tiers of management. Many institutions rely on fragmented or function-specific risk management approaches, with no overarching governance framework. A more integrated model—applying both top-down and bottom-up approaches—is essential. Senior management should articulate strategic risk concerns while enabling all departments and functions to play their role in mitigation. This ensures a unified, organization-wide approach to operational risk management.
Operational risk management needs to evolve from a passive compliance function into an active, business-oriented capability. This transformation requires realignment in structure, clearer ownership roles, proper incentives, and the systematic use of data. By doing so, institutions can not only meet regulatory expectations but also turn ORM into a strategic function that protects value and drives performance. Now is the time to realign operational risk management for impact.