What is the role of controls in ORM?

The role of controls in Operational Risk Management (ORM) is fundamentally about ensuring that potential risks are proactively managed to safeguard the organization. Controls are implemented as part of a risk management strategy to mitigate or eliminate hazards that could lead to adverse outcomes. This means that they are essential tools used to reduce the likelihood of risk events occurring and to lessen the impact if they do occur.

By focusing on the mitigation of risks, controls help organizations create a more stable operational environment, allowing them to function effectively and pursue their objectives without significant interruptions caused by unforeseen hazards. Effective controls can range from policies and procedures, internal audits, physical security, and employee training, all aimed at addressing identified risks.

In contrast, options that suggest controls either only report risks or solely increase risks do not capture the proactive and protective essence of what controls are intended to do. Similarly, while documenting success stories might be beneficial for organizational learning, it does not reflect the primary purpose of controls in the context of ORM, which is fundamentally about managing and reducing risks rather than merely reporting or celebrating outcomes.