Operational risk managers manage operational risks such as losses due to errors, breaches, or damages that are caused by people, internal processes, systems, or external events. Operational risks range from the small, such as the risk of loss due to minor human errors, to the large, such as the risk of bankruptcy due to serious fraud.

Operational risk manager

Operational risk managers are a part of the operational risk team that manages the risk posture of the organization. Risk posture is the current risk profile for a company. As an operational risk manager, you must perform the following tasks.

Define the operational risk framework

Effectively manage the operational risks of an organization by defining a robust risk management framework. This framework helps to identify risks and to define the control framework to mitigate those risks. A risk management framework consists of the following components:

• Risk identification
• Risk measurement or scoring
• Risk mitigation
• Risk reporting and monitoring

Set up libraries

Set up comprehensive libraries by doing the following:

• Creating risk statements: A risk statement is used to record a risk in a way that everyone can reach a common agreement on its severity or relative priority.
• Creating control objectives: A control objective defines the aim or purpose of risk-mitigating controls. These controls need continuous monitoring.
• Defining entity classes, entity types, and entities: For more information on entities, see Understanding entities.
• Defining the upstream and downstream entities.

The first step is to set up risk statements so that your team has a specific idea of the risk. For example, simply calling a risk as a cybersecurity risk is not specific. Cybersecurity risks could mean different things to different people. Therefore, a common statement to define cybersecurity is created as a risk statement. To create risk statements and their hierarchy, clearly define the risk impact, the assets at risk, and the source of risk. By defining the risk statements and creating their hierarchy, you can ensure that the risk scores are aggregated thus giving the complete risk status.

Conduct risk assessments on a periodic basis

Perform the annual risk assessments according to your organization's policies. Also, ensure that the risk register is updated and accurate. Create risk assessment scopes and schedule assessments. To learn more about risk registers, see Risk register in the Risk Workspace.

Record and monitor risk events

Risk events are potential or actual financial and non-financial losses, near misses, and gains that occur within an organization. To effectively manage risks, it is essential to monitor risk events, perform a root-cause analysis, and track the remedial tasks. Organizations use risk events to understand their losses and analyze areas of improvement to reduce further losses. You must maintain the loss event register to capture complete event information and to suggest additional controls to mitigate risks in the future.

Define key risk indicators

Monitor the risk posture of your enterprise on a continuous basis. Continuous monitoring of risks and controls involves identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, signal a change in the risk posture, and to provide supporting information for audit activities and control testing. If the indicator thresholds are breached, you must escalate to the respective stakeholders.

Manage issues and incidents

An issue is created when there is a change in the environment, process, or system that poses a threat. An issue requires action to prevent an incident or loss. An incident is a successful outcome or event with a negative impact. As the operational risk manager, you can view, create, and manage issues and incidents. Ensure tracking, proper closure, remediation, and monitoring of issues and incidents.

Communicate the operational risk posture

Define dashboards to report data effectively and accurately. You must create the required reports which can be shared with the executives and the head of the operational risk team. The reports and dashboards ensure that the aggregated assessment results across the organization help to identify the top operational risks for the enterprise.

The following table lists the key tasks that you perform in your role as an operational risk manager.

Tabela 1. Tasks of an operational risk manager

Activity	Task
Define the operational risk framework	Create a risk statement Create a risk framework in the Risk Workspace Associate a risk statement with a control objective in the Risk Workspace
Communicate the operational risk posture	Operational risk heatmap for Advanced Risk Assessment in the Risk Workspace Risk heatmap for classic risk assessment
Monitor the critical incidents and issues	View, create, and manage issues
Define the key risk indicators	Risk indicators, control indicators, and indicator templates
Conduct the annual risk assessment process	Configure a risk assessment methodology Create factors Create risk assessment scopes Schedule risk assessments in the Risk Workspace Perform advanced risk assessment in the Risk Workspace
Facilitate recording and learning from loss events	Manage risk events Create a risk event in the Risk Workspace Analyze a risk event in the Risk Workspace Create a risk event entry in the Risk Workspace
Create aggregated risk reports	Reports in the Risk Management application

The following image shows the view for the operational risk manager.