Most US banks run an enterprise risk management program and a separate operational risk management function. The two often share a chief risk officer and elements of the same taxonomy, and they are routinely conflated.
This guide to operational vs enterprise risk management resolves that confusion using the regulators' own language. The sections below define each layer, set them side by side, walk through where they overlap and where they diverge, and show how examiners and software treat both.

What Enterprise Risk Management Is
The Committee of Sponsoring Organizations of the Treadway Commission published the modern reference framework, COSO ERM 2017, which superseded the 2004 COSO ERM Integrated Framework and reframed the discipline around strategy and performance rather than controls alone.
For US banks and credit unions, the supervisory anchors are well established:
- The OCC Heightened Standards (12 CFR 30 Appendix D) apply to insured national banks and federal savings associations with average total consolidated assets of $50 billion or more and require a written risk governance framework.
- NCUA Letter 13-12 sets the equivalent expectation for federally insured credit unions with $500 million or more in assets, recommending an ERM program tailored to the credit union’s complexity.
- International banks reference Basel II and III, which embed enterprise-level risk governance into capital adequacy.
ERM risk categories typically include:
- Credit
- Market
- Liquidity
- Operational
- Compliance
- Strategic
- Reputational
Operational risk is one branch of the broader ERM portfolio.
What Operational Risk Management Is
Operational risk management is the discipline that addresses the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. The definition comes from Basel II and remains the reference definition used by US regulators today.
Basel II categorises operational risk events into seven event types:
- Internal fraud
- External fraud
- Employment practices and workplace safety
- Clients, products, and business practices
- Damage to physical assets
- Business disruption and system failures
- Execution, delivery, and process management
Operational vs Enterprise Risk Management: A Comparison
The table below positions ERM and ORM along six dimensions that matter inside a financial institution. Note that ORM is one category within the broader ERM portfolio, and the comparison clarifies what each layer does.
| Dimension | Enterprise risk management (ERM) | Operational risk management (ORM) |
|---|---|---|
| Scope | All risk categories (credit, market, liquidity, operational, compliance, strategic, reputational) | One category (operational risk, bounded by Basel II event taxonomy) |
| Primary framework | COSO ERM 2017; ISO 31000:2018; OCC Heightened Standards 12 CFR 30 App D; NCUA SL 13-12 | Basel II (BCBS d128, 2004); BCBS d424 SMA; BCBS Sound Practices for the Management of Operational Risk |
| Primary owner | Chief Risk Officer; Board Risk Committee | Head of Operational Risk reporting into the CRO |
| Methodology | Aggregated inherent/residual scoring across categories; appetite-tracking | Loss-event data (internal and consortium via ORX); RCSA; scenario analysis; KRI monitoring |
| Cadence | Quarterly to annual aggregate cycle, with faster cadence for select categories | Continuous loss-data collection; quarterly RCSA; KRI feeds; annual scenario analysis |
| Outputs | Enterprise risk profile, appetite reporting, board oversight materials | Loss event database, RCSA results, operational KRI dashboards, scenario reports, regulatory capital input |
Examiner View: How Supervisors See ERM and ORM
US examiners name both frameworks explicitly, but in different documents. ERM appears in the OCC Heightened Standards (12 CFR 30 Appendix D), in NCUA SL 13-12, and in supervisory letters from the Federal Reserve and FDIC. The framework is the governance artifact examiners inspect when they review the second line’s overall design.
Operational risk has its own supervisory footprint. Examiners draw from the OCC’s operational risk supervisory expectations, the FFIEC IT Examination Handbook, Basel II, and BCBS Sound Practices for the Management of Operational Risk. The Federal Reserve’s 2026 Sound Practices update to SR 11-7 addresses model risk within the operational risk discipline.
Several supervisory documents sit at the intersection of ERM and ORM:
- The June 2023 interagency third-party risk management guidance jointly issued by the Federal Reserve, FDIC, and OCC
- The April 2026 reissue of SR 11-7 (binds operational and enterprise risk together through the shared model governance lens)
- Treasury’s February 2026 Financial Services Sector AI Risk Management Framework (assumes integrated risk and control evidence across both layers when assessing AI-driven processes)
How ORM Feeds ERM in Practice
ORM produces five distinct evidence streams that ERM aggregates:
Loss-event data
Every operational loss the institution captures rolls up into the enterprise loss database that feeds appetite-monitoring against tolerance.
RCSA outputs
Operational risk control self-assessments produce inherent and residual scoring that aggregates into category-level positions in the enterprise register.
KRI dashboards
Operational risk KRIs (fraud rates, near-misses, control failures, regulatory issue counts, business continuity incidents) feed the ERM aggregated reporting layer. The ERM dashboard the CRO presents to the board pulls these KRIs directly from the ORM operational data store.
Scenario analysis
ORM scenarios inform ERM appetite recalibration. Scenario outputs also feed regulatory capital calculations under the Standardised Measurement Approach.
Audit findings
Internal audit findings on operational controls aggregate into ERM oversight reporting through the issue-management process.
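The roll-up described in the five streams above can be made concrete. The following is an added illustration, not code from the page, from any regulator, or from any vendor platform named here: it tags constructed loss events with the seven Basel II event types, sums them per category, compares the totals to assumed appetite tolerances, and collapses constructed RCSA inherent/residual scores into one category-level position per event type (the highest residual score drives the position). The event identifiers, business lines, dollar amounts, and tolerance figures are all constructed for the example.

```python
"""Added example: roll ORM evidence (loss events, RCSA scores) up into
ERM category positions and check them against appetite tolerances.
All data below is constructed; nothing is taken from a real institution."""
from collections import defaultdict
from dataclasses import dataclass

# The seven Basel II operational risk event types named in the text.
BASEL_EVENT_TYPES = frozenset({
    "internal_fraud",
    "external_fraud",
    "employment_practices",
    "clients_products_practices",
    "damage_to_physical_assets",
    "business_disruption",
    "execution_delivery_process",
})


@dataclass(frozen=True)
class LossEvent:
    event_id: str
    event_type: str      # must be one of BASEL_EVENT_TYPES
    business_line: str
    gross_loss: float    # constructed USD amount


@dataclass(frozen=True)
class RcsaResult:
    risk_id: str
    event_type: str
    inherent: int        # 1 (low) .. 5 (high), before controls
    residual: int        # 1 .. 5, after controls; never above inherent


def aggregate_losses(events):
    """Sum gross loss per Basel II event type, rejecting untagged events
    so nothing silently drops out of the enterprise loss database."""
    totals = defaultdict(float)
    for ev in events:
        if ev.event_type not in BASEL_EVENT_TYPES:
            raise ValueError(f"{ev.event_id}: unknown event type {ev.event_type!r}")
        if ev.gross_loss < 0:
            raise ValueError(f"{ev.event_id}: negative gross loss")
        totals[ev.event_type] += ev.gross_loss
    return dict(totals)


def aggregate_rcsa(results):
    """Collapse RCSA rows into one position per event type, keeping the
    worst residual score and the risk that drives it."""
    positions = {}
    for r in results:
        if r.event_type not in BASEL_EVENT_TYPES:
            raise ValueError(f"{r.risk_id}: unknown event type {r.event_type!r}")
        if not (1 <= r.residual <= r.inherent <= 5):
            raise ValueError(f"{r.risk_id}: scores must satisfy 1 <= residual <= inherent <= 5")
        current = positions.get(r.event_type)
        if current is None or r.residual > current["residual"]:
            positions[r.event_type] = {
                "inherent": r.inherent, "residual": r.residual, "driver": r.risk_id,
            }
    return positions


def appetite_breaches(loss_totals, tolerances):
    """Return event types whose loss total exceeds the board tolerance.
    A category with losses but no stated tolerance is flagged too: an
    unset appetite is a governance gap, not an implicit zero-risk limit."""
    breaches = {}
    for event_type, total in loss_totals.items():
        limit = tolerances.get(event_type)
        if limit is None or total > limit:
            breaches[event_type] = total
    return breaches


# Constructed sample inputs (not real loss data or appetite figures).
SAMPLE_EVENTS = [
    LossEvent("LE-001", "external_fraud", "retail", 120_000.0),
    LossEvent("LE-002", "external_fraud", "cards", 95_000.0),
    LossEvent("LE-003", "business_disruption", "operations", 40_000.0),
    LossEvent("LE-004", "execution_delivery_process", "payments", 15_000.0),
]
SAMPLE_TOLERANCES = {
    "external_fraud": 200_000.0,
    "business_disruption": 50_000.0,
    "execution_delivery_process": 25_000.0,
}
SAMPLE_RCSA = [
    RcsaResult("R-01", "external_fraud", inherent=5, residual=3),
    RcsaResult("R-02", "external_fraud", inherent=4, residual=4),
    RcsaResult("R-03", "business_disruption", inherent=3, residual=2),
]


def enterprise_position(events, rcsa, tolerances):
    """Assemble the ERM-level view: losses, residual position, breach flag."""
    losses = aggregate_losses(events)
    positions = aggregate_rcsa(rcsa)
    breaches = appetite_breaches(losses, tolerances)
    view = {}
    for event_type in set(losses) | set(positions):
        view[event_type] = {
            "losses": losses.get(event_type, 0.0),
            "residual": positions.get(event_type, {}).get("residual"),
            "breach": event_type in breaches,
        }
    return view


if __name__ == "__main__":
    for et, row in sorted(enterprise_position(SAMPLE_EVENTS, SAMPLE_RCSA, SAMPLE_TOLERANCES).items()):
        print(f"{et:28s} losses={row['losses']:>10,.0f} residual={row['residual']} breach={row['breach']}")
```

The validation steps are the part worth copying: an event that cannot be mapped to a Basel II event type, or an RCSA row whose residual score exceeds its inherent score, is rejected rather than averaged away, so the board-level dashboard cannot quietly understate a category.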
How Software Supports Each Layer
ERM software focuses on the enterprise risk register, appetite tracking, aggregated dashboards across categories, and reporting. The capability set is mature and widely understood, with most US banks having used an ERM platform for at least a decade.
ORM software adds the category-specific capabilities the Basel II discipline requires:
- Loss-event capture with event-type categorisation
- RCSA workflow with library-managed risks and controls
- KRI dashboards drawn from operational systems
- Scenario analysis tooling
- External loss data integration through ORX feeds
The market for ORM-focused tools includes dedicated operational risk platforms and combined GRC suites that pair ERM and ORM in one environment.
Predict360, for example, supports both in a single environment when configured to share taxonomy, controls, and reporting between the two layers. The platform’s regulatory-change module pre-maps to FFIEC handbooks and OCC bulletins, including operational risk-relevant supervisory documents.
Frequently Asked Questions
What is the difference between operational and enterprise risk management?
Enterprise risk management is the institution’s enterprise-wide framework that governs every risk category against board-approved appetite (credit, market, liquidity, operational, compliance, strategic, and reputational). Operational risk management is the specialised discipline that addresses one of those categories under Basel II’s seven event-type taxonomy.
Which framework — Basel II or COSO ERM — applies to operational risk?
Both. Basel II (BCBS d128, 2004) defines operational risk and the seven event-type categories that anchor ORM. COSO ERM 2017 governs the enterprise-wide framework that consumes ORM outputs. US banks reference both depending on which layer is being examined. The OCC reviews enterprise governance through ERM language while reviewing operational risk practices through Basel II language and the FFIEC IT Examination Handbook.
Who owns ORM vs ERM in a bank?
ERM is typically owned by the Chief Risk Officer, with board oversight via the Risk Committee. ORM is typically owned by a Head of Operational Risk reporting into the CRO, alongside Heads of Credit, Market, Compliance, and Cyber risk in the second-line organisation.
Does the OCC require ORM separately from ERM?
The OCC Heightened Standards require both an enterprise risk governance framework and supervision of operational risk for covered banks under 12 CFR 30 Appendix D. Operational risk is supervised under operational-risk supervisory expectations, the FFIEC IT Examination Handbook, the June 2023 interagency third-party guidance, and SR 11-7 / SR 26-02 / OCC Bulletin 2026-13 for model risk.
What software supports ORM vs ERM?
ERM platforms focus on the register, appetite, and aggregated dashboards across all risk categories. ORM platforms add loss-event capture, RCSA workflows, KRI dashboards, scenario analysis, and Basel II event-type categorisation. Unified GRC platforms can support both layers in a single environment when configured to share taxonomy, controls, and reporting between the operational-risk discipline and the enterprise framework.
For risk leaders deciding where to invest next, the practical step is to read the operational risk management explainer for a deeper view of the ORM discipline.