Sound Practice Guides

The IRM, in conjunction with the Institute of Operational Risk (IOR), has created a series of guidance documents that explain how risks may be identified, assessed, and controlled to help reduce the frequency and severity of operational risk events. It must be emphasized that there is no one optimal risk culture, nor are the universal characteristics of a ‘strong’ or ‘weak’ risk culture.

The need for effective operational risk management is more acute than ever. Events such as the global financial crisis or the COVID-19 pandemic highlight the far-reaching impacts of operational risk and the consequences of management failure. In the light of these and numerous event organisations must ensure that their policies, procedures, and processes for the management of operational risk meet the needs of their stakeholders.

Prof. Ashby comments:

"In the new world of living with COVID-19 operational risk is once again in the spotlight. I hope that organisations and their risk professionals will seize the opportunity to review and improve their operational risk management practices. These guides provide a great place to start.

As the modern world becomes increasingly complex people and organisations must learn how to live with operational risk. Once again the COVID-19 pandemic has put operational risk in the spotlight and highlighted the consequences of poor practice. There has never been a more important time to review and improve the management of operational risk".

This guidance is designed to complement existing standards and codes for risk management (e.g. ISO31000). The aim is to provide guidance that is both focused on the management of operational risk and practical in its application. In so doing, this is a guide for operational risk management professionals, to help them improve the practice of operational risk in organisations.

Not all the guidance in these documents will be relevant for every organisation or sector. However, it has been written with the widest possible range of organisations and sectors in mind. Readers should decide for themselves what is relevant for their current situation. What matters is gradual, but continuous improvement.

Although there is no one-size-fits-all approach to the management of operational risk, it is important that organisations benchmark and improve their practice on a regular basis. These are the first three in a series of papers, which provides practical guidance on a range of important topics that span the discipline of operational risk management.

Guide Catalogue

Risk Culture

Embedding an
Operational Risk
Management Framework

Operational Risk Appetite
and Tolerance

Risk and Control Self Assessment

Operational Risk Categorisation

Operational Risk Governance

Operational Loss Events

Scenario Analysis, Stress
and Reverse Stress Testing

Operational Key
Risk Indicators


Operational Resilience