Arischio Consulting

Does your operational risk management need a revamp?

Covid 19 has no doubt heightened the senses of most organisations and accelerated the need to better manage operational risks both with agility and efficiency.

Things are moving so fast that 12 months from now, customer demands may have dramatically changed, the business environment that one operates in may see new regulations introduced putting pressure on businesses to alter the way they operate, new and more agile competitors or one would describe as “born digital” entering the market and destroying your market share within a space of a year.

One cannot afford to sit behind the curve and watch the world go by. As new technology enters the foray, pressure to upskill your existing workforce or demand for new talent will increase. Unless you remain attractive to new talent, then you will struggle to recruit and retain talented staff, significantly impacting your ability to deliver success.

Even attracting investment will prove to be challenging as both institutional and retail investors will demand to see behaviours and values aligned with issues like tackling climate change or better oversight of the supply chain to ensure all those participating in the process are operating ethically.

It’s no longer about maintaining a strong balance sheet as the concerns around the eco-system of an organisation is far wider and global.

Last night I was on a webinar organised by SWORD GRC and presented by a world-renowned thought leader Michael Rasmussen. In one of his slides, he talks about the need for an operational risk management information architecture and its ability to give an organisation that 360 degree contextual awareness.

The awareness of what the different operational risks are, where they exist in the organisation both externally and internally, how they interact with other risks such as strategic, market, insurance, and liquidity risks etc, and managing the scarce resource efficiently so to mitigate the risks.

Michael described it as “Agile Operational Risk Management”.

Organisations, big or small need to have the finger on the pulse. They need to know what is happening both internally and externally and to respond with agility and efficiency. To do so, organisations must move away from the very cumbersome, time consuming, resource hungry and box ticking type operational risk management that we know of.

So what are the key attributes of an Agile Operational Risk Management?

AWARE

Identify the different operational risks that exist within the organisation. These risks may emanate from a number of areas such as:

  • Objectives – Strategic, Department & Process
  • Organisation – Entity, Process and Asset
  • Obligations – Regulatory, Contractual and Values
  • Policies – Code of Conduct, Policies & Procedures and Training/Awareness
  • Roles – Owner, Subject Matter Experts and Employees
  • Issues – Complaint, Event and Investigation
  • Controls – Preventative, Detective and Corrective
  • Risks – Strategic, Operational and Financial

With the interconnected nature of operational risk, understand how it interacts with other risk silos such as market, insurance, liquidity and strategic. Rarely do operational risks occur on their own as often there are multiple causes and effects.

Once the risks have been identified, map out all the different functions within the organisation that do risk management i.e. IT, Risk, HR, Compliance, Legal, Finance, Actuarial etc

Recommendation: I found strategy mapping a useful exercise to start off with as it allows you to capture all the key objectives of your organisation and the underlying drivers that contribute towards achieving them. Once you have the strategy map on a page link it to a value chain that sets out the key activities both primary and support functions that create value.

Using both the strategy map and the value, one can begin to identify the risks using a top down approach with initial input coming from senior management. Later this can be supported by a bottom up approach using tools such as the RCA (Risk & Control Assessment), root cause analysis, audit findings and risk event analysis.

ALIGNED

Most departments unfortunately tend to operate in silos. Break down those silos by bringing together these functions across the organisation, responsible for managing operational risks. Standardise the approach to managing risk by using a consistent and common risk language and framework for assessing, mitigating and reporting risks. Misalignment can create inefficient use of both people and financial capital. Both scarce resources.

Recommendation: From my experience, I’ve found setting up an operational risk working group made up of representatives from each of the support functions and the business an effective way of ensuring that we are all on the same page and working towards the same common goals and vision. This group would be responsible for managing and integrating risk management into their functions.

With different departments managing individual risk categories such as IT and Cyber risks, supply chain risks, people risks, regulatory and compliance risks etc it is crucial that we are all using a common risk language. I am not too fussed about using a generic set of tools as I believe that each risk may warrant its own individual toolkit but as long as we are using a common language, a single and consistent way of documenting risks and an assessment method that allows risks to be compared based on themes between functions then we should be ok.

RESPONSIVE

By aligning the functions and applying a standard approach to managing operational risks, organisations will be in a far better position to identify, respond quickly and effectively to risk events before they become a major issue.

AGILE

With an ever changing and dynamic business and regulatory environment, organisations need to be more agile than their competitors. Businesses need to pivot and change direction when necessary.

RESILIENT

When a risk does materialise particularly if its a low likelihood and high impact event, if the organisation is better prepared in terms of operational resiliency, then it is more likely to recover successfully with limited impact to both its business and customers.

EFFICIENT

The outcome of all the above is an organisation that is efficient in the way it utilises both human and financial capital.

My experiences so far having worked with numerous organisations over the years has highlighted to me that while we may be seen to be managing operational risks, are we really providing an adequate level of comfort to senior management that the key risks are under control and we are running a tight ship or is this simply an illusion that is been left unchecked until disaster strikes and then it’s all hands on deck.

Many thanks to Michael Rasmussen for your discussion on this very interesting topic.