Today, the management of operational risk is approached with the same rigor as that of credit, liquidity, and market risks. As it does with the management of these other risks, the board defines what constitutes operational risk and approves the framework for its control. Consequently, the mitigation of operational risk is similar to the risk management process that is used to control credit, liquidity and market risks.

Adequate risk management programs can vary considerably in sophistication, depending on the size and complexity of the banking organization and the level of risk that it accepts. For smaller institutions engaged solely in traditional banking activities and whose senior managers and directors are actively involved in the details of day-to-day operations, relatively basic risk management systems may be adequate. In such institutions, these systems may consist only of written policies addressing material areas of operations such as lending or investing, basic internal control systems, and a limited set of management and board reports.

On the other hand, large multinational organizations require far more elaborate and formal risk management systems to address their broader and typically more complex range of financial activities and to provide senior managers and directors with the information they need to monitor and direct day-to-day activities.

Despite differences in institution size, the underlying risk management framework is always the same:

• active board and senior management oversight,
• policies, procedures and limits,
• adequate risk measurement, monitoring and management information systems, and
• comprehensive internal controls.

Each of these process elements are discussed in more detail is available by clicking here:

In summary, the size and the complexity of a bank’s operations will determine how formal and sophisticated the bank is in its operational risk management. The risk exposures of a large, multinational bank will differ significantly for a small single office, as will the tools and techniques used to manage those exposures. Yet, in simple terms, the basic process is the same, and the bottom line is knowing the source of risk, controlling the risk and monitoring the risk to determine if controls are working or if additional controls are needed.