What is operational risk management?

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk management is the practice of identifying, assessing, controlling and monitoring that risk.

It is crucial to understand the benefits of operational risk management before implementing it:

  • Preventing or minimising the financial cost of operational losses
  • Improving the reliability of business operations
  • Strengthening decision-making where risks are involved
  • Reducing losses caused by poorly identified risks
  • Improving the effectiveness of risk management operations
  • Lowering compliance costs
  • Identifying unlawful activities early
  • Reducing the potential damage from future risks


Operational risk management is carried out at three levels of depth.

In-depth: a thorough risk analysis carried out in advance. Not all risk is foreseeable, but analysis at this level still uncovers the largest share of the risks that can be anticipated.

Deliberate: routine safety checks or reviews undertaken at planned points along the cycle of a project.

Time-critical: performed during operational changes when time is limited, so it is usually more urgent and less formal than the other two levels. The consequence of not performing it in a time-critical manner is that unidentified risks creep into the operation.

Examples of operational risk include:

  • Risks arising from catastrophic events (e.g., hurricanes)
  • Computer hacking or cyberattacks
  • Internal and external fraud
  • The failure to adhere to internal policies

Governance, risk, and compliance

A set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organisation manages its unique set of risks.

Risk identification & assessment

Many things pose a risk to an organisation, both internal and external. As many of them as possible need to be identified, drawing on every part of the business, and the risks identified need to include both one-off and recurring risks. Once identified, assess each risk from both a qualitative and a quantitative perspective: think about how frequently it occurs, how severe it is when it does, and the actions needed to prevent or mitigate it.

Control environment

Apply controls that limit the organisation’s exposure to each identified risk and make mitigation more likely to succeed when the risk materialises.

Monitoring and reporting

Effective risk management means monitoring risk continuously and reporting on it when necessary, so that the effectiveness of the risk management plan can be tracked over time.

Quantification, measurement and modelling

Organisations can feed the outputs of risk assessment (the assessed frequency and severity of each risk) into a model that measures risk exposure. Quantification systems should be validated to ensure that they are sufficiently robust, which gives assurance that the inputs, assumptions, processes and outputs are accurate.
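A worked illustration of turning assessed frequency and severity into a measure of exposure, added here as an example and not taken from the page or from any ServiceNow product: each risk is given an assumed annual event frequency (Poisson) and an assumed per-event severity (lognormal), many years are simulated, and the expected annual loss and the 99th-percentile annual loss are compared with an assumed board-set tolerance. The risk names, parameters and tolerance figure are constructed for the example. The closed-form expected loss doubles as the validation check the paragraph calls for: if the simulated mean drifts away from it, the quantification system itself, not the inputs, is suspect.

```python
"""Loss-distribution model for operational risk (added example, constructed data).

Each risk is described by an assumed annual event frequency (Poisson) and an
assumed per-event severity (lognormal). Many years are simulated and the
expected and 99th-percentile annual losses are compared with an assumed
tolerance. Names, parameters and the tolerance are illustrative only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    frequency: float        # expected loss events per year (Poisson lambda)
    severity_median: float  # median loss per event, in currency units
    severity_sigma: float   # lognormal sigma: dispersion of per-event loss


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(risk: Risk, years: int, seed: int = 0) -> list:
    """Aggregate loss per simulated year: sum of N severities, N ~ Poisson."""
    rng = random.Random(seed)
    mu = math.log(risk.severity_median)  # lognormal median = exp(mu)
    losses = []
    for _ in range(years):
        events = poisson_sample(rng, risk.frequency)
        losses.append(sum(rng.lognormvariate(mu, risk.severity_sigma)
                          for _ in range(events)))
    return losses


def analytic_expected_loss(risk: Risk) -> float:
    """lambda * E[severity], with E[lognormal] = exp(mu + sigma^2 / 2)."""
    return risk.frequency * risk.severity_median * math.exp(risk.severity_sigma ** 2 / 2)


def percentile(values: list, q: float) -> float:
    """Nearest-rank empirical quantile of a sample."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def assess(risks, tolerance, years=20000, seed=0):
    """Rank risks by tail loss and flag those whose p99 exceeds the tolerance."""
    rows = []
    for risk in risks:
        losses = simulate_annual_losses(risk, years, seed)
        simulated_mean = sum(losses) / len(losses)
        analytic = analytic_expected_loss(risk)
        p99 = percentile(losses, 0.99)
        rows.append({
            "risk": risk.name,
            "expected_loss": simulated_mean,
            # validation check: the simulated mean must agree with the closed form
            "model_error": abs(simulated_mean - analytic) / analytic,
            "p99_loss": p99,
            "within_tolerance": p99 <= tolerance,
        })
    rows.sort(key=lambda row: row["p99_loss"], reverse=True)
    return rows


# Constructed portfolio and tolerance (assumptions, not figures from the page).
PORTFOLIO = [
    Risk("payment-processing outage", frequency=4.0, severity_median=10_000, severity_sigma=1.0),
    Risk("internal fraud", frequency=0.5, severity_median=1_000, severity_sigma=0.5),
]
BOARD_TOLERANCE = 50_000  # maximum acceptable annual loss at the 99th percentile

if __name__ == "__main__":
    for row in assess(PORTFOLIO, BOARD_TOLERANCE):
        print(row)
```

Ranking by the tail percentile rather than the expected loss is deliberate: expected loss is dominated by frequent small events, whereas a tolerance is usually exhausted by the rare large ones.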

Risk-related decision-making

Risk frameworks should be reviewed periodically by the board of directors. This helps the board oversee senior management and ensure that every part of the policies and processes is implemented at all decision levels. The board should also establish a risk tolerance statement that articulates the types, levels and nature of operational risk the organisation is willing to assume.

Behaviour incentivisation

Ensure that staff understand both the inherent risks and the incentives that drive behaviour, by making sure that all materials, activities and processes identify and assess operational risks. Establish a culture that promotes an understanding of the operational risks inherent in the organisation’s strategies and daily activities.

The three lines of defence

Management and governing bodies are accountable for setting the organisation’s objectives and outlining the strategies to achieve them. Part of that accountability is managing risk so that the objectives can be met, using the three lines of defence model, which requires active support from senior management and the organisation’s governing body.

  • First line: Operational management
    Operational management owns and manages risk, and operational managers are responsible for implementing actions to correct deficiencies. Their work includes identifying, assessing, controlling and mitigating risks, and guiding the implementation of internal policies so that activities stay consistently aligned with objectives.

  • Second line: Risk management and compliance
    The second line typically includes a risk management function that monitors the implementation of risk management practices, assists operational managers in defining target exposures, and reports risk-related data.

  • Third line: Internal audit
    Internal auditors provide assurance to senior management and the governing body. The purpose of the audit is to report on risk management, internal controls and the effectiveness of governance. Its scope usually covers the efficiency of operations, the safeguarding of assets, the reliability and integrity of the reporting process, and compliance.

Expand practices to include second-line oversight

Operational risk management should focus on detecting and reporting risks of all types, and it should be expanded to include a second line that works in partnership with the first line to build resilience into operations and processes.

The following tools are needed to evaluate a business process and its resilience, challenge business management where necessary and manage priorities.

  • Map processes and controls: Take the time to map out processes alongside their risks and controls. Record the complexity of each process, each handoff along it, and whether each control is automated or manual. The goal is to establish clear process ownership at every step while maximising productivity.

  • Identify the necessary technology: Understand the points along the way that involve technology and the type of technology that is needed.

  • Monitor: Watch risks and controls, and build mechanisms that track metrics so that unusual risk levels are noticed.

  • Link resources: Connect resource planning to processes so that the related processes and their resource needs are understood. Build the capacity to scale based on what is found.

  • Reinforce behaviour: Ensure that proper individual conduct is reinforced through training, incentives and performance management.

  • Change management: Create systems of change management to make sure that the right talent is in place. Work with processes and capacity, and ensure that proper guidance is given.

  • Feedback: Set up continuous feedback to flag issues, perform root-cause analyses and revise processes as data are gathered.

Real-time, analytics-driven detection will replace manual reporting

Progress in analytics tools can assist with risk management, since both structured and unstructured data become more available as time passes. Advanced analytics tools are applicable in nearly every area of risk management, including the detection of risk, the identification of false positives, compliance, process failure and human risk.

  • Real-time indication: Test risk management in real time to find and analyse risk metrics. Ideally, anomalies or unusual activities indicate areas of risk, or areas that need to be addressed, as they happen.
  • Targeted tools: Specially targeted data tools can detect risk issues in particular identified areas. Machine learning can also help here, as machine learning and artificial intelligence systems can learn to detect areas of risk, or indicators of risk activity, within a data set more accurately over time.
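An added example of the real-time indication described in the list above, not taken from the page or from any ServiceNow product: a key risk indicator (here a constructed daily count of privileged-access exceptions) is scored against its trailing window with a robust z-score built from the median and the median absolute deviation, so that an earlier spike cannot inflate the baseline and mask the next one, and is also checked against a fixed tolerance threshold that applies before any baseline exists. The series, window size, z-score limit and hard limit are all assumptions.

```python
"""Real-time key risk indicator (KRI) monitor (added example, constructed data).

Each new observation is scored against a trailing window using the median and
the median absolute deviation (MAD), which a single earlier spike cannot
inflate, and is also checked against a fixed tolerance threshold. The series,
window size and thresholds are assumptions, not figures from the page.
"""
from collections import deque
import statistics

# Constructed KRI: daily count of privileged-access exceptions; day 17 is the spike.
SAMPLE_KRI = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 2, 3, 4, 19, 3, 4, 2]


def robust_zscore(window, value):
    """Modified z-score: 0.6745 * (x - median) / MAD.

    The 0.6745 factor makes MAD comparable to a standard deviation for
    normally distributed data. A flat window (MAD == 0) turns any deviation
    into an infinite score, which is reported rather than silently suppressed.
    """
    median = statistics.median(window)
    mad = statistics.median(abs(v - median) for v in window)
    if mad == 0:
        return 0.0 if value == median else float("inf")
    return 0.6745 * (value - median) / mad


class KriMonitor:
    def __init__(self, window_size=10, z_limit=3.5, hard_limit=None):
        self.window = deque(maxlen=window_size)
        self.z_limit = z_limit
        self.hard_limit = hard_limit  # absolute tolerance, e.g. set by the board

    def observe(self, day, value):
        """Score one observation; return an alert dict or None."""
        reasons = []
        # The hard limit applies from day one, before any baseline exists.
        if self.hard_limit is not None and value > self.hard_limit:
            reasons.append("hard_limit")
        # The statistical test runs only once the window is full.
        z = None
        if len(self.window) == self.window.maxlen:
            z = robust_zscore(self.window, value)
            if abs(z) > self.z_limit:
                reasons.append("robust_z")
        self.window.append(value)  # the spike joins the window, but MAD resists it
        if reasons:
            return {"day": day, "value": value, "z": z, "reasons": reasons}
        return None


def run_monitor(series, **settings):
    """Replay a series through the monitor and collect the alerts it raises."""
    monitor = KriMonitor(**settings)
    alerts = []
    for day, value in enumerate(series, start=1):
        alert = monitor.observe(day, value)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_KRI, window_size=10, z_limit=3.5, hard_limit=15):
        print(alert)
```

The two checks serve different purposes: the hard limit expresses the tolerance the board has set and fires regardless of history, while the robust z-score catches a departure from the indicator’s own recent behaviour even when the absolute value is still below that tolerance.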

Assign talent to key areas in data and analytics

Risk management requires a special set of skills and an understanding of risk in order to spot risk activity, interpret the data and provide a thorough analysis. Managers, teams and individuals need to approach risk in new ways, including adapting processes and understanding how advanced analytics are becoming more and more relevant, especially with the introduction of machine learning and artificial intelligence systems.

Human-factor risks should be addressed

People can be highly effective at operational risk management, but part of risk management is identifying and analysing how human error can undermine it and pose its own unique risks.

Risk avoidance

Once risks have been identified, most should ideally be avoided. Risk avoidance minimises vulnerabilities and addresses the risks that have been identified as threats. Part of avoidance is providing the proper training and setting up the right policies and procedures.

Risk reduction

Risk should ideally be avoided, but that is not always possible. Risk reduction is the understanding of risks and liabilities and the strategies implemented to reduce them. Usually, each risk is quantified, analysed and assigned a risk level in order to set reduction priorities and plan reduction activities.

Risk sharing

Sharing risk is not the same as transferring it. Risk sharing is meant to reduce the impact of uncertain events or specific risks: tasks or responsibilities are divided between departments or individuals within the organisation, which distributes the risk between several parties and assigns each of them individual responsibilities within the wider risk management practice.

Risk retaining

Transferring risk means handing responsibility for it to a third party; retaining risk is the opposite. An organisation retains a risk by self-funding it and any consequences that follow. Retention is usually chosen after a financial analysis shows that it is less expensive to retain the risk than to transfer it to a third party.

Get started with ServiceNow Governance, Risk, and Compliance

Manage risk and resilience in real time with ServiceNow.