Risk management is becoming more and more important for organizations today to better understand business threats and to ensure that these threats are mitigated. In addition, boards of directors and compliance agencies alike are pushing for assurance that internal controls are sufficient to mitigate the potential consequences of external and internal uncertainties.
The global regulations of Basel II define Operational Risk as “The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events”. This definition is also in sync with ISO, whose 9000 standards update for 2015 will add a significant risk-based expansion to its traditional process focus. Regardless of the risk management framework adopted, one of the first steps undertaken is a risk assessment. Risk assessments are a foundational element of the framework; however, they are often tactically siloed responses to satisfy outside pressures rather than part of a comprehensive program aligned with strategic business performance outcomes. Such risk assessments may be informal or poorly constructed, and fail to connect to the end-to-end value-creating work of the organization. As a result, risk assessments often have very little useful output beyond a simple list of potential risks.
There is a significant opportunity to adopt a better risk assessment and mitigation approach, integrated with and grounded in process management. This will not only identify the business risks and the appropriate controls, but also incorporate elements of process improvement, resulting overall in a tangible and lasting impact on how the business operates: moving the business towards its strategic goals while operating in a reduced-risk environment.
This is a balanced design approach that optimizes the set of operational improvements and risk considerations in tandem. We call this innovative yet common sense approach: “A Process-Centric Approach to Manage Operational Risk”.
At the end of implementing the steps described below, the organization would have:
- Completed the risk assessment and determined what risks might occur
- Secured better knowledge of how things are done end-to-end
- Gained an understanding of what is important for the organization at large
- Identified process improvement and risk reduction opportunities
- Enabled fact-based decision making of what risks to mitigate and how to do so
The following 7-step approach was developed by the Process Renewal Group (www.processrenewal.com) through working with clients in some of the most highly regulated industries in the world. It is equally applicable to any organization in any industry that is looking to go beyond documenting risks and actually reduce or eliminate them where possible, while concurrently improving business processes.
The 7 Steps of the Process-Centric Approach to Manage Operational Risk are:
- Step 1. Review documented risks, controls and processes
- Step 2. Define scope
- Step 3. Map processes in scope
- Step 4. Identify and map risks and existing controls
- Step 5. Determine gaps in risk controls and process performance
- Step 6. Identify and assess process improvement and risk mitigation opportunities
- Step 7. Develop and implement integrated process improvement and risk mitigation action plan
Step 1. Review documented risks, controls and processes
The existing risk management group will most likely have pre-established risk frameworks, defined operational risks and their descriptions, an active controls register, and risk evaluation levels to establish materiality. Begin by gathering as much existing information as feasible. Interview all key stakeholders about anything they may be aware of, so that all relevant data sources and perspectives are covered. Strive to gather the latest version of each document and ask whether any updates are in progress. Some of this information may not be completely current but may still be helpful; gathering too much is better than not enough. It never ceases to surprise us how often teams have to rework or redesign models because someone did not share details of an upcoming significant change, as they did not consider the change ready for distribution.
Review all existing relevant process documentation, and also go through policy documents, training material, procedures, internal audit documentation and any regulatory reports. Leverage process management teams where applicable, as they often maintain process repositories. Even if these are out of date, they offer a good starting point and can be updated at the end of the effort so that a single source of process knowledge is retained. Review any existing process improvement lists, major issue logs, and any other document that captures potential ways to improve current processes.
Investigate what measurement indicators and data exist. Search for measurements relating to performance indicators and risk indicators for the processes in scope.
Step 2. Define scope
As with any project, clearly defining the scope of the assessment is critical to the success of the initiative. In particular, it is important to understand and gain agreement to the following:
- Which processes are under review: start/end points, regions, product types, etc.
- Which risks are being assessed (e.g. reputational risks, security risks, privacy risks)? Ensure there is a common understanding amongst initiative stakeholders of the names and definitions of each type of risk.
- Which preceding and parallel activities interact with the processes in scope, so that potential risks inherited on input can be evaluated.
- Which aspects of the risk management effort will you be completing (e.g. mapping the risk origination point to the process step, identifying risk severity and probability, identifying key risk indicators)?
Step 3. Map processes in scope
There are multiple ways to approach this step. You might gather all subject matter experts together and start from a blank page by asking 'so what do you do first?', or, working in reverse, 'what is the process output and what do we do to produce it?', until you have it covered from first trigger to last result. Just be cautious of going into too much detail too soon; this requires disciplined facilitation.
We have found that the deliverable can be achieved faster by preparing a draft version of the process flow at a higher level. This straw-model draft would come from the information gathered in Step 1, so expect it to be incomplete and not fully accurate, but it gives you a fast start. The exercise then becomes one of validating and updating the models. Note that at this point the as-is process mapping is best done or validated with the performers of the work, not their managers (i.e. focus on the people who actually execute the tasks in scope).
Encourage conversations when reviewing process maps. Find variations and take notes about potential risks, issues, process improvements and potential performance enhancement opportunities. This serves two purposes. First, the business participants will gain value from the risk assessment activity: most teams rarely get a chance to discuss the big picture of why things are the way they are and how to make them better, and they will appreciate the opportunity for end-to-end understanding. They are therefore more likely to buy into the whole process and make the necessary time for the working sessions. Second, and more importantly, the ideas discussed might mitigate some of the risks identified, or even eliminate them completely, when we get to the next step. Note that process improvement opportunities may be noted during as-is process mapping, but they should be thoroughly discussed and evaluated with the process owners/managers in later steps.
Step 4. Identify and map risks and existing controls
Some of the work of this step may be performed concurrently with Step 3. However, additional or alternate participants will be involved to bring other perspectives. We mentioned that the best participants for mapping current processes are the doers; the best participants for risk and control discussions, however, are operational management, executive team members and risk specialists: the individuals who are ultimately responsible for the outcome of the process and its risk performance.
During these sessions, ensure that participants are very clear on which types of risk are being identified and which are not. Proceed to identify risks by walking through the end-to-end maps activity by activity. For each identified risk, in addition to the usual understanding of materiality, severity and likelihood, one of the key differences of this approach is to find the true point of origination of the risk on the end-to-end process map. Often a risk manifests itself several steps down the line from where it is caused; at that point it may be seen as a risk that is hard to avoid, while it could have been mitigated through controls in, or changes to, prior activities. Investigate whether there are any inherited risks at entry points from outside the processes in scope, as well as any residual risk that is passed on to downstream processes.
Next, map current controls to the process steps. Confirm that the process activities tied to each control are indeed being performed consistently (e.g. sign-off and review points are frequently eliminated during process improvement without any formal review of the implications or approvals). Ensure that any missing steps are added to the process map, and make a note in the implementation plan (Step 7) to ensure that the process activity is implemented and followed.
We recommend discussing the history of failures, errors and incidents that occurred during or as a result of performing the processes in scope. Review these in light of the existing controls and determine why they were not caught or prevented. Avoid the tendency to turn each failure type into a control, as this would introduce significant overhead on the process; look for failure patterns and common causes where possible.
Step 5. Determine gaps in risk controls and process performance
The objective of this step is to determine whether any high-level risks are not mitigated by controls, and whether any existing controls no longer seem relevant. In addition, analyse the key performance indicator data and identify any large gaps between the current and desired state of business performance. Performance gaps will help you drive conversations about potential process and capability improvements.
Examine any incident reports, external events documentation and key risk indicators to identify where current controls are not adequate to sufficiently mitigate the risks. For the identified gaps, controls will need to be defined, or processes altered to remove the deficiencies that make the risk possible.
Step 6. Identify and assess process improvement and risk mitigation opportunities
The advantage of this approach is that process performance and risk mitigation opportunities are considered simultaneously. The objective is to eliminate risks without introducing inefficiencies into the process and, concurrently, to avoid introducing risks while improving processes.
When performing this step, consider all potential actions to reduce the performance or control gaps identified in the previous step. Be creative while taking into consideration the current limitations of the organization, such as budget and appetite for change. Traditional process improvement tools such as root cause analysis, mind mapping and benchmark analysis can all be useful for identifying potential actions. Risk mitigation and control activities vary and include manual data reconciliation, automatic validation of completed digital forms, additional reviews and approvals, and periodic coaching conversations.
Perform a number of review iterations, improving the process and then reviewing the risks and controls, to ensure that the process improvements introduced do not add risks and that the risk controls do not add unnecessary overhead to the process.
Step 7. Develop and implement integrated process improvement and risk mitigation action plan
Finalize your designs: ensure that process maps are updated, data definitions are in place, and step descriptions include the logic of the actions. Subsequently, identify Key Risk Indicators (KRIs) for the key risks; these will be a subset of the total risk log. Ensure that KRI measurement mechanisms are established, and that activities and responsibilities are designed to measure, report and act upon them.
As you go through the review of what has to change, ensure that you take a holistic improvement approach and look into all aspects of capabilities (use the Burlton Hexagon as a checklist), including ensuring that incentives are aligned to drive the desired behaviour.
Socialise the determined controls, KRIs and process improvement opportunities with the future performers and their managers to confirm the feasibility of these solutions.
Once you have prepared your designs, itemise all aspects of the required change for implementation. Adjust your implementation plan based on the feedback you have received. You might need to revisit solutions and go back to Step 6, or incorporate additional steps for training and cultural change considerations.
Regular recurring review
Depending on the processes in scope and how mission-critical they are to the organization, these risk assessment steps can be performed on a regular planned basis. Every subsequent round of the assessment will take less effort, since the processes are already defined. Additional risk types may be added in later iterations. Note, however, that performance goals, risks, processes and the related controls and risk mitigation actions need to adapt to business changes that have occurred or are anticipated based on emerging internal and external factors.
The key objective of the Process-Centric Approach to Manage Operational Risk is to transform the risk assessment process from one that is performed purely for compliance reporting purposes, to an opportunity to create lasting and sustainable change in the organization that adds value to the business and the participants through reducing risk and improving performance.