GRC Tuesdays: Operational Risk Management: Is it ORM, ORM, or… ORM?

When I wrote the blog post ORM vs ERM, the Battle that Should Not Have Started almost 18 months ago, I didn’t think that I’d have to write another one focusing exclusively on what Operational Risk Management (ORM) could mean for different stakeholders. I had mentioned in that post that there were already two definitions for ORM: one used in the environmental, health and safety (EH&S) area and another one used in financial institutions, but I thought the separation was sufficiently clear so that there wasn’t any confusion.

Boy, was I wrong! I keep on receiving questions about the difference between the two approaches that share the very same name, and to make things a bit more challenging, Gartner has introduced its own definition, too.

ORM Definitions Compared

In this blog, I will try the perilous exercise of comparing the different definitions. Some might not agree with the distinctions, but I think that, if I stay purely factual and don’t try to interpret, I can reduce my own exposure and “un-muddy” the waters!

Similarities and Differences in ORM

As you can read in the table above, all ORM approaches are intended to identify and mitigate risks that companies face.

Where they really differ is in the type of risks the process should address and in its ultimate purpose. ORM for environmental, health and safety and ORM for financial institutions each focus on a specific area of risk, with the aim of preventing the company from experiencing operational surprises; ORM as defined by Gartner relates to the risks associated with the company's strategy, with the aim of improving performance. I personally think this can be a new source of confusion, since that is the very definition of "risk management" (without the O- in front) according to ISO 31000.

Finally, I think it’s worth recognizing that one thing brings all these approaches together: regardless of their different definitions or scope, they can all feed into a Three Lines of Defense process!

Oh, one last thing, you ask? What about Enterprise Risk Management (ERM) vs. Integrated Risk Management (IRM), also mentioned by Gartner? Well, let's keep that for another post, shall we?

