One of the most basic steps in any risk management process is to define your operational risks. Risks are typically recorded in a risk register together with their related controls (a topic to be covered in a later blog). This sounds easy, but any of you who have reviewed a range of risk registers, or attempted to build one yourselves, will have found that it is in fact a complex task.
The two main issues to consider are:
Risk descriptions typically found in risk registers might look like this:
All of the above are inconsistent in that each describes a different part of the same risk: human error is the risk cause, reputation damage is the risk impact, poor quality training is a weak control, and loss of confidential data is the risk event. These elements will be described in a later blog series on Bow Tie Analysis.
Each organisation should decide on a consistent standard for defining and recording all risks. We would suggest the following:
There are three levels of granularity and detail you can choose from when recording risks. These are, from least to most granular:
The approach taken by each organisation may differ depending on the maturity of the business. The method needs to be kept as simple as possible while still providing enough granularity to be useful.
The following provides an example of level 3 above using the Protecht.ERM system. This method is based on:
Whichever method you decide to use in your risk management framework, it needs to be applied consistently and communicated to everyone involved in the risk management process. This ensures that the risk registers are understandable and consistent, and that they support the generation of a quality data set that can be used for value-adding reporting and risk analytics.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).