Defining Operational Risks is not as easy as it looks 

One of the most basic steps in any risk management process is to define your operational risks. Risks are typically recorded in a risk register together with their related controls (a topic to be covered in a later blog). This sounds easy but for any of you that have reviewed a range of risk registers or attempted it yourselves, you might have found that it is, in fact, a complex task.

The two main issues to consider are:

  1. What exactly are you describing? Your risk descriptions need to be consistent across all risks.
  2. What level of granularity and detail should the risk description contain?

What are you describing?

Risk descriptions typically found in risk registers might look like this:

  • Human error
  • Reputation damage
  • Poor quality training
  • Loss of confidential data

All of the above are inconsistent in that they are describing different parts of the same risk. Human error is the risk cause, reputation damage is the risk impact, poor quality training is a weak control and loss of confidential data is the risk event. These elements will be described in a later blog series we will be doing on Bow Tie Analysis.

Each organisation should decide on a consistent standard for defining and recording all risks. We would suggest the following:

  • The main short name for the risk is the risk event, e.g. "Loss of confidential data".
  • The risk is described in terms of its event (loss of confidential data), caused by human error and resulting in reputation damage.
  • Training is recorded as a control over the risk; because the training is of poor quality, it would be rated poorly when control effectiveness is assessed.


What level of granularity and detail?

There are three levels of granularity and detail you can choose from when recording risks. These are, from least to most granular:

  1. Risk event only: "Loss of confidential data".
  2. Risk event, main cause and main impact: "Loss of confidential data, caused by human error, leading to reputation damage". This is often referred to as a risk statement.
  3. Risk event, main and secondary causes, main and secondary impacts: "Loss of confidential data, caused by human error, system failure and external cyber-attack, leading to reputation damage, $ fines and $ losses".

The approach taken by each organisation may be different depending on the maturity of the business. The method needs to be kept as simple as possible while providing enough granularity to be useful.

The following provides an example of level 3 above using the Protecht.ERM system. This method is based on:

  1. Defining the risk event and linking it to a central library of risk event categories.
  2. Defining the risk causes and linking to a central library of risk cause categories.
  3. Defining risk impacts and linking to a central library of risk impact categories.


Whichever method you decide to use in your risk management framework, it needs to be consistently applied and communicated to all persons involved in the risk management process. This will ensure that the risk registers are understandable and consistent, and that they support the generation of a quality data set that can be used for value-add reporting and risk analytics.
