COO's Guide to Operational Risk Management
The Basel Committee on Banking Supervision defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events." That definition, originally written for banks, applies to every industry. Every process that can fail, every person who can make an error, every system that can go down — those are your operational risks.
According to the Risk Management Society (RIMS), operational risk events cost organizations an average of 3.5% of annual revenue. For a $100 million company, that is $3.5 million per year lost to process failures, compliance violations, fraud, technology outages, and supply chain disruptions. Most of those losses are preventable with the right framework.
This guide covers how to build an operational risk management program that catches problems before they become crises — without turning your organization into a bureaucratic compliance machine.
The Operational Risk Taxonomy
Before you can manage risk, you need a shared language for categorizing it. Use this taxonomy as your starting point.
| Risk Category | Examples | Typical Impact |
|---|---|---|
| Process risk | Broken workflows, manual workarounds, undocumented procedures | Errors, delays, compliance violations |
| People risk | Key person dependency, skills gaps, misconduct, high turnover | Capacity constraints, quality failures, fraud |
| Systems risk | IT outages, data loss, integration failures, cybersecurity breaches | Downtime, data loss, regulatory penalties |
| External risk | Supply chain disruptions, regulatory changes, natural disasters, market shifts | Revenue loss, operational halts, compliance exposure |
| Compliance risk | Regulatory violations, audit failures, contractual breaches | Fines, legal action, reputation damage |
The Risk Assessment Matrix
For each identified risk, assess two dimensions: likelihood (how often it could occur) and impact (how much damage it would cause). Plot risks on this matrix to prioritize your response.
| Likelihood | Low Impact | Medium Impact | High Impact | Critical Impact |
|---|---|---|---|---|
| Frequent (monthly+) | Monitor | Reduce | Urgent action | Unacceptable |
| Likely (quarterly) | Accept | Reduce | Reduce urgently | Unacceptable |
| Possible (annually) | Accept | Monitor | Reduce | Urgent action |
| Unlikely (multi-year) | Accept | Accept | Monitor | Reduce |
The Three Lines of Defense
This model, endorsed by the Institute of Internal Auditors (IIA) and used by regulated industries worldwide, clarifies who owns risk at each level.
- First line — Operations (risk owners): The teams doing the work own the risks in their processes. They execute controls daily, report incidents, and escalate emerging risks. Every department head should maintain a risk register for their function.
- Second line — Risk management and compliance (risk oversight): A dedicated risk function sets standards, monitors compliance, provides tools, and challenges the first line's risk assessments. In smaller organizations, this may be a part-time role or shared with finance.
- Third line — Internal audit (independent assurance): Provides independent verification that the first and second lines are working. Reports to the board or audit committee, not to the COO, to maintain independence.
The COO's role spans all three lines: you set the risk appetite, ensure the first line has the tools and training to manage risk, hold the second line accountable for oversight quality, and act on third-line findings.
Building the Risk Register
A risk register is the single most important operational risk management tool. It documents every identified risk, its assessment, controls, and ownership.
Minimum fields for each risk entry:
| Field | Description |
|---|---|
| Risk ID | Unique identifier |
| Risk description | What could happen, in specific terms |
| Category | From the taxonomy above |
| Likelihood | Frequent / Likely / Possible / Unlikely |
| Impact | Low / Medium / High / Critical |
| Risk level | From the matrix (Accept / Monitor / Reduce / Urgent action / Unacceptable) |
| Existing controls | What is currently in place to mitigate this risk |
| Control effectiveness | Effective / Partially effective / Ineffective |
| Residual risk | Risk level after controls are applied |
| Owner | Named individual (not a department) |
| Action plan | What additional mitigation is planned |
| Review date | When this risk will be reassessed |
Key Risk Indicators (KRIs): Early Warning Signals
Key Risk Indicators differ from Key Performance Indicators. KPIs tell you how the business is performing. KRIs tell you whether risk conditions are changing.
| Risk | KRI | Threshold | Monitoring Frequency |
|---|---|---|---|
| Key person dependency | % of critical processes with single-person coverage | Above 20% = elevated risk | Quarterly |
| Cybersecurity exposure | Unpatched critical vulnerabilities | Above 5 = elevated risk | Weekly |
| Process failure | Error rate in high-volume transactions | Above 2% = elevated risk | Daily |
| Supplier concentration | Revenue dependent on single supplier | Above 25% = elevated risk | Monthly |
| Employee risk | Voluntary turnover in critical roles | Above 15% annually = elevated risk | Monthly |
| Compliance exposure | Days since last regulatory training completion | Above 90 days = elevated risk | Monthly |
| Financial liquidity | Days of operating cash on hand | Below 45 days = elevated risk | Weekly |
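The matrix, the register fields and the KRI thresholds above are simple enough to encode, and doing so is what turns the register from a spreadsheet into something that can be checked automatically. The following is an added example, not code from this guide: it scores inherent risk from the matrix, derives a residual level, validates the register's minimum fields (named-individual owner, review date not overdue) and evaluates a subset of the KRIs with direction-aware thresholds. The matrix and KRI thresholds are copied from the tables above; the rule that a control lowers the likelihood band by a fixed number of steps, and the sample register entries and readings, are assumptions constructed for the demo.

```python
"""Toy risk-register scorer and KRI evaluator (added illustration, not the guide's own code)."""
from dataclasses import dataclass
from datetime import date

LIKELIHOODS = ["Unlikely", "Possible", "Likely", "Frequent"]  # ascending
IMPACTS = ["Low", "Medium", "High", "Critical"]                # ascending

# Risk level by likelihood row and impact column, copied from the guide's matrix.
MATRIX = {
    "Frequent": ["Monitor", "Reduce", "Urgent action", "Unacceptable"],
    "Likely":   ["Accept", "Reduce", "Reduce urgently", "Unacceptable"],
    "Possible": ["Accept", "Monitor", "Reduce", "Urgent action"],
    "Unlikely": ["Accept", "Accept", "Monitor", "Reduce"],
}

# ASSUMPTION (not in the guide): a control lowers the likelihood band by this
# many steps; impact is left unchanged. Tune to your own risk appetite.
CONTROL_STEPS = {"Effective": 2, "Partially effective": 1, "Ineffective": 0}


def risk_level(likelihood: str, impact: str) -> str:
    """Inherent risk level, read straight from the matrix."""
    return MATRIX[likelihood][IMPACTS.index(impact)]


def residual_level(likelihood: str, impact: str, effectiveness: str) -> str:
    """Residual risk after applying the CONTROL_STEPS assumption."""
    band = max(0, LIKELIHOODS.index(likelihood) - CONTROL_STEPS[effectiveness])
    return risk_level(LIKELIHOODS[band], impact)


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str
    likelihood: str
    impact: str
    control_effectiveness: str
    owner: str
    review_date: date

    def problems(self, today: date) -> list[str]:
        """Data-quality checks a register review would flag."""
        found = []
        if self.likelihood not in LIKELIHOODS:
            found.append(f"unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACTS:
            found.append(f"unknown impact {self.impact!r}")
        if self.control_effectiveness not in CONTROL_STEPS:
            found.append(f"unknown control effectiveness {self.control_effectiveness!r}")
        # The guide requires a named individual as owner, not a department.
        if any(w in self.owner.lower() for w in ("team", "department", "dept", "function")):
            found.append(f"owner {self.owner!r} is a department, not a named individual")
        if self.review_date < today:
            found.append(f"review date {self.review_date.isoformat()} is overdue")
        return found


@dataclass
class KRI:
    name: str
    threshold: float
    elevated_when: str  # "above" or "below": which side of the threshold is the warning zone

    def elevated(self, value: float) -> bool:
        return value > self.threshold if self.elevated_when == "above" else value < self.threshold


# Thresholds taken from the guide's KRI table (a subset).
KRIS = [
    KRI("single_person_coverage_pct", 20, "above"),
    KRI("unpatched_critical_vulns", 5, "above"),
    KRI("transaction_error_rate_pct", 2, "above"),
    KRI("days_cash_on_hand", 45, "below"),
]


def evaluate_kris(readings: dict[str, float], kris: list[KRI] = KRIS) -> list[str]:
    """Names of the KRIs whose current reading sits in the elevated-risk zone."""
    return [k.name for k in kris if k.name in readings and k.elevated(readings[k.name])]


def register_report(entries: list[RiskEntry], today: date) -> dict[str, dict]:
    """Inherent level, residual level and validation problems per risk ID."""
    report = {}
    for e in entries:
        scorable = (e.likelihood in LIKELIHOODS and e.impact in IMPACTS
                    and e.control_effectiveness in CONTROL_STEPS)
        report[e.risk_id] = {
            "inherent": risk_level(e.likelihood, e.impact) if scorable else None,
            "residual": residual_level(e.likelihood, e.impact, e.control_effectiveness) if scorable else None,
            "problems": e.problems(today),
        }
    return report


# Constructed sample data for the demo; not real risks or readings.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Payroll run depends on one engineer's undocumented scripts", "People risk",
              "Likely", "High", "Partially effective", "Dana Ortiz", date(2025, 9, 30)),
    RiskEntry("R-002", "Internet-facing servers missing critical patches", "Systems risk",
              "Frequent", "Critical", "Ineffective", "IT Department", date(2024, 1, 15)),
]
SAMPLE_READINGS = {"unpatched_critical_vulns": 7, "days_cash_on_hand": 38,
                   "transaction_error_rate_pct": 1.2}
DEMO_TODAY = date(2025, 6, 1)


def demo_report() -> dict[str, dict]:
    """Score the constructed sample register as of DEMO_TODAY."""
    return register_report(SAMPLE_REGISTER, DEMO_TODAY)


if __name__ == "__main__":
    for rid, row in demo_report().items():
        print(rid, row)
    print("elevated KRIs:", evaluate_kris(SAMPLE_READINGS))
```

Two details matter in practice: KRIs need a direction (days of cash is a "below" indicator, the rest are "above"), and the residual-risk step rule is a policy choice the second line should own and document, not something buried in a script. R-002 in the sample shows the register check doing its job: a department listed as owner and an overdue review date are flagged even though the scoring itself succeeds.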
Incident Management: When Risks Materialize
Even with strong risk management, incidents happen. The quality of your response determines whether a risk event becomes a lesson or a crisis.
The incident response process:
- Detect and report (within 1 hour of discovery): Anyone in the organization can report an incident. Remove barriers. Anonymous reporting options reduce underreporting.
- Classify severity (within 2 hours):
- Contain (Severity 1: within 4 hours; Severity 2: within 24 hours): Stop the bleeding. Prevent the incident from expanding.
- Investigate root cause (within 5 business days for Severity 1-2): Use the 5-Why method or fishbone diagram. Do not stop at "human error" — ask what about the process or system allowed the error to occur.
- Implement corrective actions (within 30 days): Fix the root cause, not just the symptom. Update controls, retrain staff, modify processes.
- Close and learn (within 45 days): Document the incident, root cause, corrective actions, and preventive measures in the risk register. Share lessons across the organization.
Supply Chain Risk Management
Deloitte's 2024 Global Supply Chain Survey found that 79% of companies experienced at least one supply chain disruption with significant impact in the prior 12 months. Supply chain risk is now a standing agenda item for every COO.
Supply chain risk mitigation checklist:
- Map your supply chain at least 3 tiers deep (your suppliers, their suppliers, and their suppliers' suppliers)
- Assess geographic concentration — if 70%+ of a critical material comes from one country, that is a strategic risk
- Maintain relationships with pre-qualified alternative suppliers
- Hold 4-6 weeks of safety stock for critical materials with long lead times
- Include force majeure and supply assurance clauses in contracts
- Monitor supplier financial health annually (Dun & Bradstreet reports, public filings)
Embedding Risk Awareness Into Daily Operations
Risk management fails when it lives in a binder on a shelf. It succeeds when it is part of how people think and work.
Practical embedding tactics:
- Include a "risk check" as the first agenda item in every project kickoff
- Add risk discussion to the agenda of monthly operational reviews
- Require risk assessment for every new vendor, product launch, and process change
- Recognize employees who identify and report risks (not just those who solve problems)
- Make risk management training part of onboarding, not an annual compliance checkbox
FAQs
What are the key responsibilities of a COO in managing operational risk?
A COO is responsible for developing risk management frameworks, implementing internal controls, overseeing risk assessment processes, establishing risk tolerance levels, and ensuring compliance with regulatory requirements while maintaining operational efficiency.
How should a COO approach Enterprise Risk Management (ERM)?
COOs should implement an ERM framework that includes risk identification, assessment, mitigation strategies, monitoring systems, and regular reporting mechanisms while aligning with the organization's strategic objectives.
What are the essential components of an operational risk assessment?
Key components include identifying potential risks, analyzing probability and impact, evaluating existing controls, determining risk appetite, assessing business continuity plans, and documenting risk matrices and heat maps.
How can a COO effectively manage third-party vendor risks?
Through implementing vendor due diligence processes, establishing performance metrics, conducting regular audits, maintaining clear contractual agreements, and developing contingency plans for vendor-related disruptions.
What role does technology play in operational risk management?
Technology enables automated risk monitoring, real-time reporting, data analytics for risk prediction, incident tracking systems, and integrated governance, risk, and compliance (GRC) platforms.
How should COOs handle cybersecurity risks?
By implementing cybersecurity frameworks, ensuring regular security assessments, maintaining incident response plans, conducting employee training, and coordinating with IT teams for security measures.
What are the key metrics for monitoring operational risk?
Essential metrics include Key Risk Indicators (KRIs), loss event data, near-miss incidents, control effectiveness measures, regulatory compliance scores, and operational efficiency metrics.
How can COOs ensure effective crisis management and business continuity?
Through developing business continuity plans, establishing crisis management teams, conducting regular drills, maintaining emergency communication protocols, and ensuring critical business function resilience.
What regulatory compliance aspects should COOs focus on?
COOs must ensure compliance with industry-specific regulations, maintain documentation, conduct regular audits, update policies and procedures, and stay informed about regulatory changes.
How should COOs approach operational risk reporting to the board?
By providing clear, concise risk dashboards, highlighting key risk trends, presenting mitigation strategies, sharing incident reports, and maintaining transparent communication about risk status.
Related Articles
COO vs VP of Operations: Key Differences, Overlap, and When You Need Both
A detailed comparison of the COO and VP of Operations roles — covering scope, authority, compensation, and how to decide which your company needs (or whether you need both).
Building Operational Resilience
COO's Guide to Environmental Compliance