A key objective of an Operational Risk Management Framework (ORMF) is to identify, assess, monitor and report the risks to which an organisation may be exposed currently or potentially. To be effective, it is necessary for the framework to be cohesive, consistently applied and integrated with business processes if it is to be described as “embedded”.
Many organisations have developed a fit-for-purpose ORMF and this can be evidenced by the existence of appropriate documentation, e.g. risk strategy, risk appetite statement, policies and procedures. They have taken steps to implement these, delivering communications and training material to raise awareness and understanding across their business lines and functions.
Then they are presented with what could be the biggest challenge of all – “embedding”. This will ensure that business actions and decisions are demonstrably influenced by risk management considerations and risk management information, indicating integration of the framework itself and its alignment with business processes. The challenge may arise because the framework has been developed over a period of time and/or in separate component parts. In larger organisations, the framework may be managed in different parts of the business and perhaps different teams in central functions perform oversight of the outputs.
The aim is to attain a fully integrated and embedded ORMF that will bring benefits to the organisation in financial and non-financial terms. It will also provide a robust basis for demonstrating the value of operational risk management activity.
Therefore this guidance seeks to explore what “embedding” really means from business and regulatory perspectives. The paper examines the critical success factors involved in achieving an embedded ORMF, how framework components and activities can be integrated, and how they can be aligned with business processes. It also addressed how the effectiveness of embedding can be assessed.
The above text is the introduction to the full guide.