A document that lays out the operational risk management objectives of the firm, defines the tools and techniques to be used for risk management, describes the firm’s approach to risk appetite and tolerance, and prescribes escalation and reporting requirements. An operational risk framework is typically supported with individual policy documents for its different elements.

There are eight key elements needed for a robust operational risk framework within a financial services firm. These include:

  • Policy and procedures – Firms should have an overarching operational risk policy, as well as policies around specific areas such as third-party risk, cyber risk, and business continuity risk. A policy will set out principles to guide decision making. A procedure will set out practical steps to follow a policy or to operate a process.
  • Governance – The foundation of operational risk management, which should include robust oversight at both the board and senior management levels. Well-run firms will have a Governance Map, and the Risk Management Governance will form part of the firm’s overall governance.
  • Risk appetite – The amount and type of risk that an organization is willing to pursue or retain to achieve its objectives. It is set by the board, agreed with the executive committee, and is usually articulated in the form of a Risk Appetite Statement (RAS).
  • Control environment – The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. It is much broader than the ORMF. The board of directors and senior management establish the “tone at the top” regarding the importance of internal control including expected standards of conduct.
  • Culture – Closely linked to the control environment, culture and conduct are of growing importance to both firms and regulators. Culture is established through the “tone at the top” by the board of directors and senior management, and then nurtured throughout the organization.
  • Identification and assessment – Risk identification reviews both internal and external factors to identify individual risks that could prevent attainment of stated objectives. Evaluation or assessment of risks enables better understanding of a financial services firm’s risk profile. Tools used for both activities include internal and external loss data, risk and control self-assessments (RCSAs), control monitoring, metrics, scenario analysis, and benchmarking or comparative analysis. Having identified and assessed a risk, it is then evaluated against appetite to determine what steps are required, if any, to bring that risk exposure to an acceptable level.
  • Monitoring and reporting – Stakeholders across the organization need timely and accurate reporting on the state of the operational risks the firm faces in order to manage those risks effectively. This data is also needed to meet regulatory requirements.