[OR] [Pillar] [E1] [C2] Role of Operational Risk Management in Operational Resilience

eBook 1: Chapter 2

Understanding the Role of Operational Risk Management in Operational Resilience

Introduction

Operational resilience has emerged as a critical capability for organisations operating in an increasingly volatile, uncertain, complex, and ambiguous (VUCA) environment.

While resilience focuses on the organisation’s ability to withstand, adapt to, and recover from disruptions, this capability does not exist in isolation. It is built upon a foundation of well-established risk management disciplines.

At the core of this foundation lies Operational Risk Management (ORM)—a structured and systematic approach to identifying, assessing, managing, and monitoring risks arising from internal processes, people, systems, and external events.

Understanding the role of ORM within operational resilience is essential, as it provides the risk intelligence and control environment necessary to support resilience outcomes.

Operational Resilience and Its Core Components

Operational resilience is not a single framework or function. Rather, it is an integrated capability supported by several interrelated components. These typically include:

• Operational Risk Management (ORM)
• Business Continuity Management (BCM) - Crisis Management and Incident Management
• Cyber Resilience
• Third-Party Risk Management (TPRM)

Each of these components contributes to resilience from a different perspective. However, Operational Risk Management serves as the foundational layer, underpinning the identification and management of risks that could lead to operational disruption.

Without ORM, the other components would lack the structured understanding of risks necessary to operate effectively.

Defining the Role of ORM

Operational Risk Management plays a proactive and preventative role within the broader operational resilience framework. Its primary purpose is to:

• Identify potential sources of operational failure
• Assess the likelihood and impact of these risks
• Implement controls to mitigate or manage risks
• Monitor risk exposure over time

Through these activities, ORM enables organisations to reduce the probability of disruptions occurring in the first place.

In contrast, operational resilience focuses on ensuring that, when disruptions do occur, the organisation can continue to deliver its critical business services.

Thus, ORM can be understood as the discipline that feeds into and strengthens operational resilience by managing the risk landscape.

ORM as the Risk Intelligence Engine

One of the most critical contributions of ORM is its role as the organisation’s risk intelligence engine.

ORM provides structured insights into:

• Key operational vulnerabilities
• High-risk processes and functions
• Emerging and evolving threats
• Control effectiveness and gaps

These insights are essential inputs into operational resilience activities, such as:

• Identifying critical business services
• Mapping dependencies and interconnections
• Setting impact tolerances
• Designing response and recovery strategies

Without accurate and comprehensive risk intelligence, resilience planning becomes speculative and incomplete.

ORM and the Prevention of Disruption

A central objective of ORM is risk prevention and mitigation.

By implementing robust controls, organisations can:

• Reduce the likelihood of process failures
• Minimise human errors
• Strengthen system reliability
• Enhance third-party oversight

Examples of ORM controls include:

• Internal controls and standard operating procedures
• Segregation of duties
• Risk and control self-assessments (RCSA)
• Key Risk Indicators (KRIs)
• Incident management frameworks

These controls directly contribute to operational resilience by reducing the frequency and severity of disruptive events.

ORM and the Identification of Critical Business Services

Operational resilience frameworks require organisations to identify their Critical Business Services (CBS)—services whose disruption would significantly impact customers, the organisation, or the broader financial system.

ORM plays a crucial role in this process by:

• Highlighting high-risk processes and activities
• Identifying services with significant operational dependencies
• Assessing potential impact scenarios

Through risk assessments, ORM helps organisations prioritise which services are truly critical, ensuring resilience efforts focus on what matters most.

ORM as a Continuous and Dynamic Process

Operational risk is not static. It evolves with:

• Changes in business models
• Technological advancements
• Regulatory developments
• External threats such as cyberattacks or geopolitical events

ORM is designed to be a continuous and dynamic process, involving:

• Ongoing risk assessments
• Regular monitoring of KRIs
• Incident reporting and analysis
• Continuous improvement of controls

This continuous nature ensures that the organisation’s understanding of risk remains current, enabling operational resilience capabilities to adapt to changing conditions.

The Complementary Nature of ORM and Operational Resilience

While closely related, ORM and operational resilience serve complementary but distinct purposes.

• ORM focuses on risk reduction and control
• Operational resilience focuses on service continuity and recovery

The relationship between the two can be summarised as follows:

• ORM identifies and manages risks → reduces the likelihood of disruption
• Operational resilience prepares for disruptions → reduces the impact when they occur

Together, they form a comprehensive approach to managing uncertainty, ensuring that organisations are both risk-aware and disruption-ready.

Key Takeaways

The role of Operational Risk Management within operational resilience can be summarised in the following key points:

• Foundation of Resilience
  ORM provides the baseline understanding of risks necessary for resilience planning.
  
  
• Risk Intelligence Provider
  It delivers critical insights into vulnerabilities, threats, and the effectiveness of controls.
  
  
• Disruption Prevention Mechanism
  ORM reduces the likelihood and severity of operational failures.
  
  
• Enabler of Prioritisation
  It supports the identification of critical business services and the prioritisation of risks.
  
  
• Continuous Monitoring Capability
  ORM ensures that resilience strategies remain relevant in a dynamic risk environment.

Operational Risk Management is not merely a supporting function within operational resilience—it is a core enabler that shapes how organisations understand and manage their risk landscape.

By providing structured mechanisms for risk identification, assessment, and control, ORM ensures that organisations are better equipped to anticipate and prevent disruptions.

At the same time, it provides the essential inputs required for building effective resilience strategies.

In essence:

Operational Risk Management strengthens resilience by reducing uncertainty, while operational resilience ensures continuity in the face of uncertainty

Together, they form a powerful and integrated approach to safeguarding an organisation’s ability to deliver its critical business services in an increasingly complex world.