To manage operational risk we must determine a way to measure, prioritize, monitor, and reduce exposure.
The Operational Risk Management (ORM) lifecycle is divided in to five sections.
Program Design: ORM is potentially a significant undertaking. It demands a level of control, backing, structure and overall program design that aligns with other corporate initiatives. This framework helps insure that management and staff remain focused throughout.
Impact Analysis: Business Impact Analysis (BIA) is the technique used to determine the organization’s tolerance and characteristic pattern of loss arising from a disruption. The resulting data establishes timeframes for recovering functions, processes and systems, and is also used in the risk assessment.
Risk Assessment: Risk Assessment involves the collecting of data relating to people, processes, systems and environmental circumstances. The assessment combines BIA and probability data to prioritize the plugging of gaps, cost-justifying and competing strategies for mitigation.
Continuity Planning: The Business Continuity Plan (BCP) provides the ultimate backstop where risk mitigation measures have failed or were inappropriate and the organization faces potential disaster. The BCP identifies what people, processes, systems and other structures must be provided to the company in a timely fashion to ensure its survival.
Assurance: Assurance is a set of activities that help ensure that your continuity provisions work. Training encourages staff to develop a consistent understanding of risk and continuity issues and building familiarity with aspects that could affect them. Periodic review or audit ensures your continuity provisions still reflect the needs of the business.
Rehearsal and testing provide controlled means of simulating real incidents, finding and fixing problems under safe conditions.