[OR] [MAS] [E2] [C4] Operational Risk Management Integration

eBook 2: Chapter 4

 Operational Risk Management Integration

Introduction

Operational resilience cannot be achieved without a strong and well-integrated   Operational Risk Management (ORM) framework.

In Singapore, the Monetary Authority of Singapore explicitly positions ORM as a foundational pillar supporting resilience outcomes, ensuring that financial institutions can identify, assess, manage, and mitigate risks that threaten the delivery of Critical Business Services (CBS).

This chapter explains how ORM integrates into operational resilience by aligning:

• MAS Guidelines on Risk Management Practices – Operational Risk
• MAS Operational Resilience guidance
• BCM Institute’s Operational Resilience methodology

The goal is to demonstrate that operational resilience is not separate from ORM—it is the natural evolution of it.

Understanding Operational Risk in the Context of Resilience

Operational risk is broadly defined as:

The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.

This definition highlights that operational risk:

• Exists across all products, services, and processes
• Includes technology failures, cyber threats, human errors, and third-party disruptions
• Has the potential to escalate into major service disruptions affecting CBS

MAS emphasises that financial institutions must manage operational risk holistically, particularly given:

• Increasing digitalisation of financial services
• Growing reliance on third-party providers
• Rising cyber and systemic risks

Operational resilience builds on ORM by focusing on:

• Preventing disruptions (ORM)
• Ensuring service continuity despite disruptions (OR)

MAS Expectations for Operational Risk Management

The Monetary Authority of Singapore outlines clear expectations for an effective ORM framework.

Core Components of the ORM Framework

Financial institutions are expected to establish an ORM framework that can:

• Identify operational risks across all business activities
• Assess and measure risks (inherent and residual)
• Implement controls and mitigation measures
• Monitor and report risk exposures
• Review and continuously improve controls

This lifecycle mirrors the Plan → Implement → Test → Improve approach in operational resilience.

Governance and Oversight

MAS requires strong governance structures:

• Board of Directors
• Ultimate accountability for operational risk
• Senior Management
• Responsible for implementation and oversight
• ORM Committees
• Provide cross-functional coordination

Clear roles, responsibilities, and reporting lines are essential for effective ORM governance

Risk Appetite and Control Framework

Institutions must define:

• Operational risk appetite and tolerance levels
• Control frameworks and risk mitigation strategies
• Thresholds for monitoring risk exposure

This aligns directly with impact tolerance in operational resilience, ensuring consistency between risk and resilience metrics.

Risk-Proportionate Approach

MAS adopts a risk-proportionate implementation model, meaning:

• Larger and more complex institutions require more sophisticated ORM frameworks
• Smaller institutions may adopt simplified approaches

This ensures practical implementation while maintaining effectiveness

Integrating ORM with Operational Resilience

Operational resilience extends ORM by shifting focus from risk management to service continuity.

From Risk Identification to Service Protection

Traditional ORM asks:

• “What risks exist?”

Operational resilience asks:

• “Which risks threaten our Critical Business Services?”

Integration requires:

• Mapping operational risks to CBS
• Prioritising risks based on impact to service delivery
• Aligning mitigation strategies with service continuity objectives

Alignment with CBS and Impact Tolerance

ORM integration supports key resilience components:

This ensures that ORM is directly linked to protecting critical services, not just managing internal risks.

Integration with End-to-End Mapping

ORM must be embedded into:

• Dependency mapping
• Identifying risks across people, process, technology, and third parties
• Interconnection analysis
• Understanding concentration and systemic risks
• Third-party risk management
• Addressing outsourcing and vendor dependencies

MAS highlights the importance of managing third-party operational risks, particularly in digital ecosystems

Embedding ORM Across the Resilience Lifecycle

Plan Phase

ORM contributes by:

• Identifying key operational risks affecting CBS
• Defining risk appetite and tolerance levels
• Supporting CBS identification and prioritisation

Implement Phase

ORM enables:

• Development of controls and mitigation strategies
• Integration of risk controls into:
• Processes
• Systems
• Third-party arrangements

Test Phase

ORM supports:

• Scenario testing
• Simulating operational risk events (e.g., cyber-attacks, system failures)
• Control effectiveness validation
• Stress testing against impact tolerance thresholds

Improve Phase

ORM drives:

• Root cause analysis of incidents
• Enhancement of controls and processes
• Continuous refinement of risk frameworks

Key ORM Capabilities Supporting Resilience

To effectively integrate ORM into operational resilience, institutions should strengthen the following capabilities:

Risk Identification and Taxonomy

• Establish a consistent classification of operational risks
• Ensure alignment with CBS and resilience scenarios

Risk and Control Self-Assessments (RCSA)

• Identify control gaps
• Assess the effectiveness of existing controls

Key Risk Indicators (KRIs)

• Monitor early warning signals
• Provide proactive risk management

Incident Management

• Capture operational loss events
• Analyse trends and systemic weaknesses

Change Management

• Assess risks arising from:
• New products
• System changes
• Process redesign

MAS emphasises robust change management processes to address emerging operational risks

Challenges in ORM Integration

Financial institutions may encounter:Fragmented risk management frameworks

• Disconnect between ORM and business operations
• Limited visibility across end-to-end service delivery
• Underestimation of third-party and cyber risks
• Lack of integration with resilience testing

Overcoming these challenges requires:

• Enterprise-wide integration
• Strong governance and accountability
• Alignment between risk, IT, operations, and business units

Key Success Factors

Successful ORM integration into operational resilience requires:

• Strong leadership and governance
• Clear linkage between ORM and CBS
• Integration of risk data with resilience decision-making
• Continuous monitoring and improvement
• Alignment with MAS regulatory expectations

Operational Risk Management is the foundation upon which operational resilience is built.

While ORM focuses on identifying and mitigating risks, operational resilience ensures that critical services remain available even when those risks materialise.

Aligned with the expectations of the Monetary Authority of Singapore, integrating ORM into operational resilience enables financial institutions to:

• Proactively identify and manage threats
• Protect Critical Business Services
• Strengthen governance and accountability
• Enhance their ability to withstand and recover from disruptions

Ultimately, organisations that successfully integrate ORM into their resilience framework will move beyond compliance to achieve true resilience—where risks are managed, disruptions are contained, and essential services are sustained under all conditions.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.