Managing Operational Risk properly for even a medium sized organisation, particularly a financial organisation, can be a daunting task filled with Temple of Doom sized pitfalls and almost biblical consequences. Have I exaggerated the scale of the issue by casting the role of Operational Risk Manager as Indiana Jones?! Let's explore...
The challenge for creating a workable and, for want of a better word, 'accurate' Operational Risk structure lies in the complex nature of the task (it covers the whole organisation from Sales to Facilities to managing Capital Adequacy) and the competing priorities and views over what Operational Risk means to different stakeholders.
If we examine the old "What's In It For Me?" for a few different roles and perhaps even for a few familiar individual personality styles we might get a view over how best to organise the Op Risk Process for a better chance of success. Once we are armed with the knowledge of how different stakeholders react we'll look at the nuts and bolts of the various Op Risk methodologies that can be adopted.
Let's define what we mean by Success first.
Any project or business area needs support and engagement from its major stakeholders, so that has to be the cornerstone of our success criteria - Who are the stakeholders? Depending on your organisation, that might be entirely internally focused but could equally encompass important external stakeholders too, like investors, regulators and even prospective employees. Understanding your stakeholders and deciding WHY they are stakeholders in Op Risk is your first step.
Sales and Operations Managers should be interested in identifying risks for their departments or regions that could have a direct impact on day to day running of the business.
Risk professionals will want to start to put some modelling against the identified risks and come up with a range of outcomes.
Finance Managers will want to start putting some numbers against those risks that go into the various planning regimes.
Board level stakeholders will want to understand and make decisions around those risks and how they compare to the risk appetite of the organisation.
Regulators and investors will want to understand and see that the organisation has an effective Op Risk process from grass roots operations to effective capital management. They'll also want to see that the senior levels of the organisation are engaged in the Op Risk process and understand what the outcomes are telling them about the organisation.
So the stakeholders themselves have varied interests in the process and will want out of it only what is suitable for them. The design of the process therefore relies on making it match the expectations of each stakeholder and not assuming that just sending the same Op Risk register to everyone is going to push everyone's buttons. Let's go back to one of our stakeholders and examine more closely what key things we might need to consider.
Operations and Sales Department managers are interested to various degrees in managing a list of future risks, events and "near misses". I say they are interested in varying degrees because some will want to list every possible eventuality no matter how small or remote. The other end of the spectrum sees Managers who are disinterested in pie in the sky thinking about risks that will never materialise. It is within this spectrum that the first challenge lies, and the Indiana Jones Op Risk Manager needs some clever tools to get out of the next Op Risk meeting alive...
Managing disparity among the providers of risks lies firstly with creating a common language that everyone can understand and discuss. The terminology is important and needs discussion, challenge and agreement on what things mean. The term 'Risk' covers a multitude of meanings in an organisation and setting that in the context of Op Risk is about using real life examples, challenging what is a risk and what isn't a risk. A definition often used for 'Risk' is "The possibility of suffering harm or loss; danger". Examining this rather dry statement in the cold hard light of the real world is where the value lies for the various managers who will be supporting your process.
Let's then look at how you can get some engagement and parity into the risk capture process.
In this context Risk refers to the description of something that might happen that will result in a loss of some sort. It may also be the capturing of past events or 'near misses' that help to inform the future. The important thing to get your stakeholder managers to understand is that risks are rarely well formed the minute they are thought of. Identifying the risk is the first step, closely followed by a process of boiling it down to a tangible description that people can work with. A risk might start out being described as "Product failure causes poor customer experience." The questions we need to ask are "What product?", "How might it fail?", "What other impacts are there?". We might end up with several risks for specific products for which we know there is a clear risk (perhaps we have uncovered an issue in the supply chain that affects certain products) and we may end up with a generic 'Product Failure' risk that builds in a factor for the true 'unknowns'. Approaching the identification of risks in this way builds a much clearer and more accurate picture of the organisation's risk profile, and examining the risks on a macro basis helps to identify broad organisational issues. It also helps to bring together risks from different areas of the business. For example, if both Marketing and Customer Service identify a risk of "Hardware Failure on Widget 123 Product", you run the risk of carrying double the exposure on your risk register for what is probably the same risk.
The financial implications of this, particularly in an organisation that needs to carry capital to cover risks can be enormous. So, with an idea of how we might define the risk, we need to consider how we might go about determining its scale to the organisation.
This brings us on to our first way of assessing the simple 'size' of the risk by using Expected Value Measurement - Impact and Probability.
What is Impact? Once we've tied down the risk to a meaningful description we can begin quantifying its effects.
Impact can be both described and quantified, and it is often helpful to do both. Describing the impact and not simply assigning a financial amount to it can be useful in the identification of connected risks and in particular chain reaction risks. Impact might be initially described as "Effect on brand reputation as a result of product failure". A "so what?" question on that impact might turn up "Investor confidence shaken because of poor customer reputation". Another "so what?" might surface another impact of "Company liquidity affected by withdrawal of investor support." Our product failure risk now has three quantifiable impacts. At this stage the quantification of risks can probably be done by assigning one of a range of financial impact bands, and the size of those bands will be determined by the size of the organisation, perhaps based on a percentage of turnover for the organisation or division. Risks that surface at the top end of the spectrum will be subject to more detailed analysis later on in the process.
What is Probability? Here we are trying to answer the question "How likely is it that something will happen?" and that is set in the context of the organisation. A risk described as "Malicious damage to Building 123" will have a much higher probability for a high profile animal testing laboratory than for a rural based charity. Again, at this stage you'll be asking your operations and divisional managers to estimate the probability on a scale, with detailed probability modelling done on the larger risks. However, determining probability requires the setting of a window of opportunity. The likelihood of 'malicious damage' over the next 12 months is obviously less than the likelihood of malicious damage over the next 10 years. Setting that expectation and understanding how the data is subsequently used is important. If you are basing your risk profile on a 12 month window then make that specific to the stakeholders. If you intend to run a rolling 3 year risk profile and use an annualised portion of that risk then say so too. Put plainly, the risk of an event happening over the next 3 years might be higher than 3 times the single year risk, perhaps for example because of worsening geopolitical risk or a company starting new activities. Using our 'Malicious damage' risk, if a company is planning to start new activities that might have some negative perception, then the current year probability might be 5% but the 3 year probability might be 30%.
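To make the Expected Value measurement and the planning-horizon point concrete, here is a small risk register in Python. It is an added example, not code from the original article: it turns impacts into turnover-based bands (the 0.1% / 1% / 5% band edges are an assumed scheme), computes Impact x Probability over a one year and a three year horizon, and flags the duplicate-description problem from the "Hardware Failure on Widget 123 Product" discussion above. All departments, amounts and probabilities are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Risk:
    owner: str                      # department that raised the risk
    description: str
    impacts: list                   # (impact description, financial amount) pairs
    annual_probabilities: list      # probability of the event in year 1, 2, 3 ...


def impact_band(amount, turnover, band_edges=(0.001, 0.01, 0.05)):
    """Map a financial impact to a band 1..4 using percentages of turnover.
    The 0.1% / 1% / 5% edges are an assumed scheme, not one from the article."""
    share = amount / turnover
    for band, edge in enumerate(band_edges, start=1):
        if share < edge:
            return band
    return len(band_edges) + 1


def horizon_probability(annual_probabilities):
    """Probability of at least one occurrence across the listed years,
    assuming each year's outcome is independent of the others."""
    p_none = 1.0
    for p in annual_probabilities:
        p_none *= 1.0 - p
    return 1.0 - p_none


def expected_value(risk, horizon_years=1):
    """Expected Value = total quantified impact x probability over the horizon."""
    total_impact = sum(amount for _, amount in risk.impacts)
    p = horizon_probability(risk.annual_probabilities[:horizon_years])
    return p * total_impact


def normalise(description):
    """Collapse case, punctuation and spacing so near-identical wordings match."""
    return re.sub(r"[^a-z0-9]+", " ", description.lower()).strip()


def find_duplicates(risks):
    """Group risks whose normalised descriptions coincide; returns one list of
    owners per duplicated description so the register can be reconciled."""
    groups = {}
    for r in risks:
        groups.setdefault(normalise(r.description), []).append(r.owner)
    return [owners for owners in groups.values() if len(owners) > 1]


# Constructed sample register (all figures are illustrative only)
TURNOVER = 50_000_000

PRODUCT_FAILURE = Risk(
    owner="Operations",
    description="Hardware failure on Widget 123 product",
    impacts=[
        ("Brand reputation damage", 200_000),
        ("Investor confidence shaken", 500_000),
        ("Liquidity hit from withdrawal of investor support", 1_500_000),
    ],
    # 5% in year 1, rising as new activities begin: this is why a three year
    # probability (here 31.4%) can exceed three times the single year figure
    annual_probabilities=[0.05, 0.12, 0.18],
)

REGISTER = [
    PRODUCT_FAILURE,
    Risk("Marketing", "Hardware Failure on Widget 123 Product.",
         [("Lost sales", 100_000)], [0.05]),
    Risk("Facilities", "Malicious damage to Building 123",
         [("Repair cost", 50_000)], [0.02]),
]


def summarise(register, turnover=TURNOVER):
    """Return (description, band of the largest impact, 1yr EV, 3yr EV) per risk."""
    rows = []
    for r in register:
        biggest = max(amount for _, amount in r.impacts)
        rows.append((r.description, impact_band(biggest, turnover),
                     round(expected_value(r, 1)), round(expected_value(r, 3))))
    return rows


if __name__ == "__main__":
    for row in summarise(REGISTER):
        print(row)
    print("possible duplicates:", find_duplicates(REGISTER))
```

Running it shows the product failure risk at 110,000 expected loss on a one year view but roughly 692,000 on the three year view, and lists Operations and Marketing as carrying what is probably the same risk twice. The independence assumption in `horizon_probability` is the simplest choice; it is exactly the assumption that breaks when the business environment changes, which is why the per-year probabilities are allowed to differ rather than being a single annual figure multiplied out.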
So far we've got your managers to a point where they have created a well thought through set of risks, with quantifiable impacts and an idea of probability that is consistent with your planning horizon. You've also had the opportunity to look at the broad spectrum of risks and make sure that they are discrete and there's no duplication. In Part 2 we'll explore how you can work with your stakeholders to understand how those risks are mitigated and whether those mitigations are viable, and enter the dark cavern that is Risk Analytics.