Top 5 Factors Driving the Need for a Future-Ready Operational Risk Management Strategy


In today's increasingly volatile business landscape, operational risk has emerged as a critical concern within the banking and financial services sector. Operational risk encompasses the potential for financial losses due to errors, breaches, disruptions, or damages. Whether caused intentionally or accidentally by individuals, internal processes, systems, or external events, operational risk incidents, ranging from asset misappropriation and control failure to system breaches, product failure, and natural disasters, can result in substantial failures. According to the Banking Operational Risk Loss Data Report 2022, published by ORX, the global banking database, more than 65,000 loss events, on average, occurred from 2016 to 2021. This resulted in losses totaling close to $600 billion over the six-year period. Direct financial losses are only a part of the impact, as operational risk incidents can inflict enduring damage upon an organization's reputation, trigger heightened regulatory scrutiny, and introduce a host of other complexities.

So, what’s driving an urgent need for businesses to cultivate a future-ready operational risk management strategy? In this blog, let’s explore the top five challenges that have increased the complexity of operational risk management (ORM).

  • A Post-Pandemic Regulatory Emphasis on Operational Risk 

    Since the COVID-19 pandemic, there has been an increased regulatory focus on operational risk, especially from an operational resilience perspective. Whether it’s the Operational Resilience guidelines by the Bank of England, the Digital Operational Resilience Act (DORA) for the EU financial sector, the soon-to-be-finalized Australian Prudential Regulation Authority’s (APRA’s) Prudential Standard CPS 230 for Operational Risk Management, or even the US Federal Reserve’s joint paper on sound practices to strengthen operational resilience – the regulatory discussion around resilience, what it means, and how to manage it is constantly evolving. Building operational resilience needs to be aligned with strong operational risk management practices, and banks and financial organizations will need to pivot their strategic initiatives to focus on how their ORM strategy can better support firm-wide resilience.

  • New Risks Introduced by Digitization, Ease of Doing Business, and a Global Customer Base 

    Banks are reinventing themselves using digitization and automation to drive digital change, streamline their operations, and provide enhanced customer journeys to a global customer base. This has created new growth opportunities as well as risks. For example, partnerships with fintechs, while creating a competitive differentiator in customer experience, can introduce new cyber risks and produce new single points of failure. Similarly, the application of machine learning and artificial intelligence in banking operations will need to be assessed for decision bias, ethical use of customer data, and other such scenarios. With most banks adopting cloud architectures, emerging risks associated with third parties, regulatory compliance, and data sovereignty need to be monitored and mitigated.

    Additionally, cryptocurrencies and quantum computing are creating new risks for banks and financial institutions.

  • Unstructured Data Hampering Accurate Visibility into Risk Exposures 

    Harmonized data structures are the foundation of effective operational risk management. However, over the years, organizations have accumulated a large amount of unstructured, inconsistent data without a uniform approach to data management, a problem often compounded by global operations and diverse products and services. There is an urgent need to curate and harmonize this data and convert it into insights that support the right decision at the right time. A centralized risk library, with a common taxonomy that defines business objectives, processes, products, risks, and controls and maps the relationships across these data elements, is a vital first step. Unlike other financial risk types (credit risk, for example), operational risk requires a universal language to be set up that is understood and accepted by the risk practitioners in an organization.

    Read more on how AI Knowledge Graphs can shed light on the intricate relationships between a multitude of entries, helping fortify risk management practices in GRC.

  • Challenges in Determining Capital Adequacy, Risk Appetite, and Impact Tolerances  

    One of the primary values of a well-integrated ORM strategy is to assist in evaluating the adequacy of capital in relation to the bank’s overall risk profile. The Basel II revised capital framework included three distinct methodologies to calculate the operational risk capital charge: the basic indicator approach, the standardized approach, and the advanced measurement approach (AMA). The most recent Basel Accord replaces all three Basel II methodologies for operational risk with a new standardized measurement approach (SMA). However, operational risk practitioners still find it challenging to determine not just capital adequacy but risk appetite and impact tolerances as well. While the industry has widely accepted universal methods to calculate other risk types, like credit risk, for example, most traditional approaches are able to provide only a partial view of the operational risk landscape.

  • Lack of Real-Time Visibility at Each Level, Along with Limited Participation from the Frontline 

    A lack of real-time visibility at each level, coupled with limited participation from the frontline, presents a multifaceted challenge to operational risk management. Without real-time visibility, managing operational risks becomes a reactive process. Risks may go unnoticed until they escalate into more significant issues or turn into an incident. Such a reactive stance can lead to increased losses, compliance fines, and reputational damage. Limited participation from the frontline results in those closest to the day-to-day operations not actively contributing to risk assessment. Frontline employees often possess critical insights into operational vulnerabilities. Their absence from the risk management process can result in incomplete risk assessments. Organizations need a positive risk culture and user-friendly tools to encourage the frontline to take a proactive approach toward risk management.

Power Your ORM Strategy with MetricStream

To address these factors and ensure resilience in the face of uncertainty, organizations need operational risk management strategies that are adaptable, forward-looking, and integrated across all levels of the business. Establishing an ORM architecture that includes organizational culture, governance, strategy, and execution and reporting processes is a vital first step. In addition, an effective ORM tool can help drive risk-intelligent, real-time business decisions to accelerate business performance and reduce losses. 

With MetricStream’s Operational Risk Management software, your organization is empowered with: 



Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.