Because firms, particularly those in the financial sector, face increasingly complex, interlinked and sophisticated challenges, effective risk management is a key element of good governance. Having a risk register and completing the FCA’s REP018 is necessary, but not entirely sufficient.
For a start, a firm should have two perspectives on risk: enterprise-wide and operational. It follows that its management of risk falls into two distinct but related categories: Enterprise Risk Management (ERM) and Operational Risk Management (ORM). Therein lies an immediate challenge for the firm, coordination, as will be discussed in this article.
ERM vs. ORM – Similar but different
ERM takes a holistic view of risk across an entire firm. It involves identifying, assessing and managing enterprise-wide risks, and it seeks to align risk management with strategic objectives, enhancing decision-making and optimising resource allocation. It is, if you like, the “big picture” take on risk. It is sometimes also referred to as Enterprise Wide Risk Management (EWRM) or GRC (Governance, Risk and Compliance).
Sometimes, a firm is prepared to accept more risk for the chance to grow faster or be more profitable. There is nothing wrong with this, provided the decision is a conscious one, taken after the risks involved have been assessed fully (in other words, the firm has set and agreed a defined risk appetite).
ORM, on the other hand, has a narrower and more granular focus: the risks arising from the ongoing execution of the business. ORM identifies and mitigates risks within specific processes, systems and activities. It aims to ensure operational resilience, protect assets and, crucially, maintain business continuity.
This perspective is more risk-averse than that of ERM, with an emphasis on protection and cost-effectiveness.
By extension, it follows that ORM can be seen as a subset of ERM, contributing to the overall risk management framework. Thus, to improve overall ERM practices, understanding the operational risk fully is an important starting point.
The challenge of harmony
Sadly, it’s not all that uncommon for those responsible for ERM to have an incomplete understanding of ORM: all too often, high-profile firm problems reveal that what an organisation believes to be a comprehensive ERM framework is anything but.
For example, last year Metro Bank became the latest of several financial entities in the UK to be fined for financial crime failings. In this case, the fine arose because an automated monitoring system was not working as intended. As a result, the firm was subject to financial and reputational pain (i.e. the crystallisation of operational risk led to the adverse outcome for the firm as a whole).
A common challenge, and a reason why problems of this sort occur, is the disconnect between the ERM team (typically a small, highly specialised group of risk professionals) and the front-line business managers responsible for executing day-to-day business processes.
The reasons for this can be varied and multiple (and often overlap): poor communications and a lack of collaboration between teams; poor understanding by ERM teams of the execution level risks that arise; and, of course, resource constraints.
Simply recognising such problems should itself go a long way towards suggesting solutions. At the very least, establishing good lines of communication between risk specialists and business managers stands out as a key one.
Getting the risk register right
As a final, more general point regarding risk management, let us return to the risk register itself. The risk register is a tool commonly used in both the ERM and ORM process.
It is, on the face of it, a deceptively simple document (“does what it says on the tin”, one might say). Yet it contains some of a firm’s most important information, enabling management to understand the risks and the required mitigation strategies. It should be a living document, updated in real time, and a firm’s management board should be intimately familiar with it.
Crucially, a good risk register will also allow its users to drill deeply into individual risk categories and events, giving the firm the knowledge needed to make better informed risk management decisions.
With this in mind, a risk register will, at a minimum, follow good risk practice in identifying cause, event and consequence, thus allowing a mitigation strategy to be put in place.
Furthermore, identification of risk ownership is crucial and should be clearly indicated. Risk ownership will typically lie with the person who is most likely to feel the impact of the consequences. Importantly though, this does not mean that the risk owner must personally complete all of the activities to treat the risks. There are usually several other parties who support the risk owner in this respect.
Key takeaways
- ERM and ORM are similar processes (focused on managing risks) but they differ in their objectives
- Both practices utilise various tools and techniques, and there is some overlap (such as the risk register)
- While an ERM team (a function that comes with many nomenclatures) tends to be smaller and more specialised, ORM is typically more diffuse, falling within the remit of the front-line managers
- However, harmonising the two risk management processes is key for commercial and regulatory success
If you’d like to discuss your approach to risk identification, mitigation and management, and how Cosegic can support you, please do get in touch.