The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Sources of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.
For many organizations, effective operational risk management is inherently complex. As organizations grow in size and complexity, convert to digital, move into new markets, introduce new, more sophisticated or novel products and services, becomes subject to more regulatory obligations, or extends its third party dependencies, it becomes much more difficult for the organization’s management and board of directors to understand and manage its risks. Without a clear understanding of their risks, these organizations tend to experience more surprises and losses, and have a more difficult time achieving their objectives and strategies. Some operational risks may threaten the very existence of the organization, or the livelihood of its managers and board members. Consequently, these risks must be effectively identified, assessed, and managed by business unit leaders (the first line of defense) and executive management to adequately protect the organization’s leadership and ensure the organization can meet its objectives.
Without engaging the first line of defense in identifying risk, and using consistent methodologies and measurements to assess risk, there is no way to provide executive management and the Board with an accurate and aggregated view of risk across the business. Good operational risk management protects the organization from operational losses and surprises.
RSA Archer Operational Risk Management is a combination of use cases that are core to a typical operational risk management program. These elements include: Top-Down Risk Assessment, Bottom-Up Risk Assessment, Loss Event Management, Key Indicator Management, Risk and Control Self-Assessments, Issues Management, and Scenario Analysis. RSA Archer Operational Risk Management enables cataloging business processes and sub-processes, documenting risks associated with business processes, and control procedures. Risk self-assessments can be performed on a top-down basis, through first line of defense self-assessments, and through targeted bottom-up assessments. Loss events can be cataloged, root-cause analysis performed and routed for review and approval. Key risk and control indicators can be established and associated with risk and control registers, respectively, and monitored to provide early warning of changes in the organization’s risk profile. By integrating these use cases, risk managers have a comprehensive operational risk management program that reinforces desired accountability and risk management culture throughout the organization, providing necessary transparency through reporting, dashboards, and notification alerts.
Key features include:
- Consolidated view into business processes, risks, controls, loss events, key indicators, and outstanding issues; an understanding of how they are all related; and accountability for each
- Support for first line of defense self-assessments, and top down and bottom up risk assessments
- Efficient management of self-assessment campaigns by second line of defense stakeholders, including necessary workflow to vet and challenge first line of defense assessments
- Capture and perform root cause analysis on internal losses and near misses, and relevant external loss events, routing loss events to stakeholders for review and approval consistent with delegated authorities and loss type.
- Enforce consistency in creation of risk and control registers through the use of risk and control libraries
- Catalogue risk scenarios and capture and perform scenario risk assessments
- Understand inherent and residual risk and observe changes in calculated residual risk while rolling up risks by business unit and enterprise risk statement
- Robust key risk and control indicator program management to provide early warning and remediation
- Consolidated issues management with a clear understanding at all times of the status of all open remediation plans and exceptions
- Visibility into operational risk via predefined reports, risk dashboards, workflow, and notifications
- Perform risk assessments qualitatively, quantitatively using monetary values, and support Monte Carlo simulation based on expert elicitation and loss events.
RSA Archer Operational Risk Management enables:
- Better understanding of risks and controls throughout the organization
- Improved risk management and risk management culture by engaging the first line of defense (business users) to take ownership of their risks and controls
- Quicker detection and management of changes in risk profile
- More efficient administration of the operational risk management program, allowing second line of defense teams to spend more time on analysis and less time on administration and reporting
- Less time required to identify and resolve operational risk-related problems
- Reduction in audit findings, surprises, loss events, and incidents,
- Ability to clearly demonstrate the design and effectiveness of your organization’s risk management program
Today, organizations are faced with complex and fast moving challenges. RSA Archer Operational Risk Management addresses the core requirements of an effective Integrated Risk Management program. Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.
As your organization drives business growth through an extended ecosystem strategy, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effective risk management is essential for improving an organization’s risk profile. RSA Archer can help your organization better understand and manage its risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.