A Best-Practice Approach to Operational Risk Identification
In risk management, operational risks are referred to as the risks of doing business.
That makes sense. The four main types of operational risks, after all, are people, processes, systems, and external events, including laws and regulations.
Within those operational risk types, the most common operational risks are:
- Cyber threats
- Business disruption
- Organizational change
- Human error
- Information security
- Process execution
- IT disruption
Of course, every business has people, processes, and systems and deals with external events. The purpose of operational risk management, therefore, is to mitigate the most serious risks that come from running your business.
To do that, risk managers have to break down these broad categories and identify the risks that might be most consequential to the business. How do they do that?
They do that through operational risk identification. But how do you know you’re doing it right?
This article lays out a best-practice approach to operational risk identification.
What is identified risk?
Identified risk is the subset of risk that has been determined to exist using analytic tools – these tools are usually qualitative but can be quantitative, as well.
Certainly, not all risk is identified. Nor can all risk be identified.
Some risk is not identifiable or measurable. That risk becomes unidentified risk.
The limiting factor between identified and unidentified risk is usually:
- Time and cost of risk analysis
- Quality of the risk management program
- The state of operational risk management software
Different approaches to operational risk identification
Unidentified risk isn’t the majority of operational risk any given business will confront. More likely than not, an effective risk management program will identify most operational risk.
What’s the best way to go about operational risk identification, then?
Well, the risk identification stage itself consists of isolating all potential operational risks. Those risks can be recurring or one-offs. And identifying them will usually involve staff from across the business, not just C-suite executives.
Within operational risk identification, two approaches have predominated. They include a top-down and a bottom-up approach to operational risk identification.
Here is how they differ:
Top-down approach to operational risk identification
In certain approaches to operational risk identification, senior leadership is more important. This is the top-down approach to operational risk identification.
As the name implies, a top-down approach is started by senior management. Senior leaders usually sit around a seminar room and speculate on all the things that could go wrong with the business.
From there, they go through scenario generation exercises of how the organization would respond if certain risks became incidents.
These top-down analyses give greater weight to external risks.
Bottom-up approach to operational risk identification
Conversely, the approach spearheaded by supervisors and mid-level managers, often with input from lower-level staff, is called the bottom-up approach to operational risk identification.
Whereas senior leadership works in seminars, those spearheading bottom-up risk analyses conduct interviews to map business operations at a granular level.
Each of these approaches has its relative strengths and weaknesses.
The benefit of the top-down approach is that senior managers and process owners have access to more relevant data to conduct such an analysis.
However, lower-level staff have access to data, too. Indeed, mid-level managers and their subordinates are likely to have a more granular knowledge of operations.
This knowledge comes in handy in the bottom-up approach to operational risk identification.
The primary benefit of this approach is that it more readily lends itself to identifying the most common threats to business processes.
Senior leadership, as is often noted, works at too high a level. Taking the bottom-up approach to operational risk identification therefore maximizes the chances of finding individual risks.
The downside of the bottom-up approach, though, is that it leads to a disjointed picture of operational risks, with little connective tissue.
Challenges with operational risk identification
That the two approaches can yield differing pictures of risk underscores one of the challenges with operational risk identification. Neither seminars nor interviews are scientific (i.e., quantitative) methods of identifying operational risks.
Once risk is successfully identified, different stakeholders might want to treat those risks differently, as well.
What’s more, the sheer volume of new risks (e.g., cyber, compliance, and climate) is also overwhelming risk teams, making it harder to identify threats to the company.
The deteriorating risk environment has also rendered many existing risk management processes and frameworks ineffective. Many of these approaches, as we’ve noted, are overly manual, which can lead to disjointed, disconnected, and duplicative efforts.
There’s also a generalized lack of internal communications tools within operational risk management to help teams properly integrate their knowledge base of risk into their systems for managing risk.
Requirements in operational risk identification
Along with the business imperative to identify risk (before it turns into a disruption), there’s also regulatory pressure to identify risk.
These pressures have grown since the Financial Crisis. In the financial services sector, specifically, regulators like APRA (Australian Prudential Regulation Authority) have beefed up their operational risk management mandates.
Per APRA CPS 230 (Operational Risk Management), entities are now compelled to identify, assess, and manage operational risks, as well as put in place effective internal controls, monitoring, and remediation.
Further operational risk management requirements include:
- Assess the impact of business and strategic decisions on your operational risk profile and operational resilience, as part of the business and strategic planning processes. This must include an assessment of the impact of new products, services, geographies, and technologies on your operational risk profile.
- Maintain a comprehensive assessment of the operational risk profile. As part of this, an entity must:
  - Maintain appropriate and effective information systems to monitor operational risk, compile and analyze operational risk data, and facilitate reporting to the Board and senior management.
  - Identify and document the processes and resources needed to deliver critical operations, including people, technology, information, facilities, and service providers, the interdependencies across them, and the associated risks, obligations, key data, and controls.
  - Undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test operational resilience, and identify the need for new or amended controls and other mitigation strategies.
- Conduct a comprehensive risk assessment before providing a material service to another party to ensure that it is able to continue to meet its obligations after entering into the arrangement.
Digital technology to automate operational risk identification
These requirements are stringent. But they aren’t impossible to comply with.
Indeed, for regulated entities, operational risk management software can automate the risk management lifecycle (including operational risk identification), mitigating one of the most serious challenges to operational risk management.
How do these technologies work?
The platforms in question help organizations proactively identify, assess, and mitigate potential risks that could cause operational failures or disruptions to their normal operations. The integrated resilience workspace provides a holistic view of risks, streamlines operational risk-related processes, and fosters effective stakeholder collaboration and communication.
What are other Operational Risk Management software capabilities?
- Align risk management initiatives with organizational objectives to ensure risks are managed in a way that aligns with your objectives, so you can effectively manage threats and capitalize on opportunities.
- Risk & controls library: Get a head start with a pre-existing library of potential operational risks and corresponding control measures, inspired by the best industry practices, to save time in recognizing and recording operational risks.
- Gain oversight into the ongoing management of risk controls as they are implemented and maintained in your operational environment, using scheduled audits that personnel can complete from anywhere, on any device.
- Create custom reports that summarize historical data with charts, recommendations, and sign-offs. Export these as PDF or Word documents and share them with stakeholders and executives to enable them to make informed decisions, manage threats, and benefit from opportunities.
- Keep track of your compliance obligations with ease, using a centralized register that enables you to monitor breaches and collaborate with your team to ensure compliance throughout your organization.
- Proactively identify, assess, and manage operational risks through a centralized workspace that provides a holistic view of risks and streamlines risk assessment processes while fostering effective stakeholder collaboration and communication.
- Streamline the risk document management process by leveraging centralized document management functionality to ensure personnel have the right information at their fingertips.
- Consolidate data to gain valuable insights and visualize it through interactive dashboards, charts, risk matrices, and maps in real time, from any device.
Finally, operational risks are the risks of doing business. Identifying them efficiently and effectively is key to keeping operations running smoothly.
However, operational risk identification isn’t easy. Manual processes make it harder still. But by automating operational risk management with platforms like Noggin, you stand a much better chance of proactively identifying, then assessing and mitigating, all potential risks to your normal operations.
Don’t just take our word for it, though. Check out Noggin for yourself by requesting a software demonstration.