Solving the Puzzle of the Operational Risk Management Lifecycle


When you’re completing a jigsaw puzzle, it is a lot easier to grasp how the pieces fit together if you have a picture of the completed puzzle to go by.

By the same token, it would be easier for an organization to implement a program to manage operational risk if it had access to an overview of just what such a program would look like.

In today’s post, I am going to provide just such an overview, in the form of a high-level description of the Operational Risk Management (ORM) lifecycle.

I hope this nudges your organization toward considering implementing a program to manage operational risk, if you do not have one already.

Before we begin, here are a few basics about operational risk, in case the topic is new to you or you need to refresh your memory.

Operational Risk, Defined

Operational risk is the possibility that things might go wrong as your organization goes about its business. It reflects the unavoidable fact that assets, processes, and people can fail. Such failures can lead to consequences for the business ranging from negligible to sizable to catastrophic.

Here are a few examples of operational risk:

  • One of your organization’s computers might fail, costing a day’s work for the employee using it and necessitating overtime to catch up.
  • A manager responsible for estimating the time and resources needed to complete a task might underestimate the task’s complexity, leading to project overruns.
  • One of your buildings might experience a problem that leads to its being declared unsafe, requiring the occupants to evacuate.

(Operational risk is often seen as being relevant only to banks and the financial industry, but as you can see from the above examples, such risk and the importance of managing it are not limited to those sectors.)

ORM is the process of managing all the elements that fall within the business's operational responsibility. These include:

  • Process and procedural robustness and integrity
  • People, skills, and training
  • Insurance and self-insurance
  • The supply chain, outsourcing, and inherent risk
  • Infrastructure, systems, and telecommunications
  • Physical and information security

Note: Operational risk is recognized as being distinct from market risk and credit or trade risks.

So how do we manage operational risk?

In short, we must figure out a way to measure, prioritize, monitor, and reduce our exposure to potential negative events.


The ORM lifecycle is divided into five stages, so an organization implementing an operational risk management program would be looking to create a program that encompasses all five. They are:

Program Design

ORM is a potentially significant undertaking, one demanding a high level of control, backing, structure, and overall program design in order to ensure success. Careful program design is important to make sure the measures you implement are in alignment with your other corporate initiatives.

Impact Analysis

The Business Impact Analysis (BIA) is a tool used to determine the organization’s tolerance and characteristic pattern of loss arising from a disruption to specific processes. The resulting data establishes timeframes for recovering functions, processes, and systems and is also used in risk assessment. (For more on BIAs, see this recent post.)

Risk Assessment

Risk Assessment involves collecting data relating to people, processes, systems, and environmental circumstances. The assessment combines BIA impact data with probability data in order to prioritize which gaps to close, justify the cost of controls, and identify mitigation strategies.

Continuity Planning

The Business Continuity Plan (BCP) provides the ultimate backstop where risk mitigation measures have failed or were inappropriate and the organization faces a potential disaster. The BCP identifies what people, processes, systems, and other structures must be provided to the company in a timely fashion to ensure its survival.

Assurance
Assurance is a set of activities that help ensure that your continuity provisions work. One of these is training that encourages the organization’s staff to deepen their understanding of risk and continuity issues and to increase their familiarity with aspects of risk that could affect them. Another Assurance activity is periodic reviews or audits which ensure that your continuity provisions still reflect the needs of the business. Additionally, rehearsal and testing provide controlled means of simulating real incidents, enabling you to find and fix problems under safe conditions.

This concludes our brief introduction to operational risk management and the ORM lifecycle.

Consider this blog post the picture on the cover of the jigsaw puzzle box, which can help your organization quickly comprehend the basics of an ORM program and begin envisioning and implementing one, if you do not have one already.

Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.


© 2024 · MHA Consulting. All Rights Reserved.
