Our services

Operational Risk Management

Operational risk, often defined as losses that can arise from weaknesses or failures in internal processes, people, or systems or from external events, is a class of risk exposures that all organisations face to varying degrees. Historically a laggard area of focus in financial institutions compared to market, credit and liquidity risk, this discipline has risen in importance in recent years, as techniques and regulatory capital requirements to improve its quantification have progressed and as recognition has grown of the potential severity of losses stemming from an increasingly complex operational risk environment. In corporates, operational risk has arguably always been more of a core focus, although this has not necessarily been reflected in the development of formalised Operational Risk Management (ORM) frameworks and systems.


There are many similarities between ORM and Enterprise Risk Management (ERM). ORM is essentially a core element of, and contributor to, ERM (once formalised), but it focuses on a specific subset of risks, is protection based, and is more granular in scope. For example, both rely on robust governance, process and cultural facets within a defined framework, although ORM will often focus more heavily on aspects such as process mapping, loss event capture and root cause analysis, scenario and stress testing, development of Risk Control Self Assessments (RCSAs), and management of risks associated with project and change management, particularly for technology. The growing discipline of Operational Resilience also has strong links with ORM, leveraging its capabilities and outputs to support development of a strategically aligned outcome of resilience for the most critical services an organisation delivers to its stakeholders, as well as breaking down the silos that typically exist between second line management functions.


Development challenges and opportunities for ORM practice also typically align with those that commonly face ERM (although this tends to vary by sector), and include: lack of defined strategy and useable appetite articulations; inconsistent language, processes and outputs (both within different operational risk domains and with the ERM system), limiting risk quantification, analytics and knowledge management; and cultural apathy and misunderstanding towards ORM practice and the value it delivers.


How do we help?

MERC & CO’s team has previously supported clients with a range of ORM solutions in both financial services and corporate sectors, as well as working with organisations operating at the nexus of both financially regulated and non-regulated business. Common areas of support include:


  • ORM effectiveness reviews and maturity benchmarking

  • ORM framework design (including ERM and Operational Resilience programme alignment and integration), component development, and implementation support

  • Risk and impact tolerance articulation 

  • Key Risk Indicator (KRI) suite development

  • Risk technology selection and configuration

  • Risk analytics including operational risk assessment, root cause analyses, stress testing and scenario analysis, correlation analysis etc.

  • Enhanced risk / loss event reporting design and population

  • Organisational leadership, management and practitioner ORM training content development and delivery

  • Risk practitioner development coaching, training and advice

  • Assurance over ORM performance and compliance
