Bobsguide article

How to Develop a Robust Risk Management Framework

Bobsguide has recently released this article by Richard Pike, CEO of Governor Software. It updates the article Richard wrote in September 2011, Six stages to a robust operational risk framework, and explains how a financial services company can create and implement a stable and manageable framework for risk management.

1. Risk identification

In the corresponding section of the previous article I described the process of defining and listing the risks associated with each type of operational risk. The end point was a firm-wide risk library together with its related items (policies, regulations, controls, tests and so on).

The practice of risk teams handing management a list of risks for review has some major faults, and over recent years these have been exacerbated. Issues with risk registers include:

COMPLEXITY: modern business is complex and interconnected; the higher up the organisation you go, the more interconnected things become, with risks often combining and having multiple different outcomes. For example, the risk associated with internal fraud can be categorised as a compliance risk and also as an operational risk.

COMMUNICATION: particularly evident in non-financial risks is the hierarchy and aggregation effect that a simple list does not communicate. For example, the risk of a bank branch flooding in a storm is really only of relevance to the branch manager and their regional manager. The CEO of the bank will find its inclusion in a risk register annoying and irrelevant, unless 25% of the retail branches and the head office are all at risk of flooding in the same storm.

CONTEXT: Why is a particular risk important to my business? So what? These are the regular questions a senior executive asks when reviewing a risk register. One solution is to add context, setting out how a risk might arise and how it might impact the business, but this can result in information overload.

OWNERSHIP: within a standard risk register it is often difficult to assign ownership and responsibility. The result is either that no owner is recorded at all, or that ownership defaults to a second-line resource, which is incorrect: the business (first line) should own its risks.

To manage operational risk into the future, a firm needs to transition from a risk register to a risk network, so that the interconnectedness of risks, the levels at which they matter and the context around them can all be recorded and communicated.

The benefit of a network is that it can hold multiple connections between items. At the same time, items can be separated into different levels or categories while retaining their connectivity, and other object types (eg policies, regulations, controls) can be added to the network to supply context where necessary.

In addition, when risk teams communicate risks within a network environment it stimulates conversation and challenges people to explore the linkages and interdependencies.
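The following is an added illustration of what the article means by a risk network, written for this page rather than taken from the article or from Governor Software. It models risks, org units, categories, policies, regulations and controls as typed nodes joined by typed edges, so that one risk can sit in several categories, carry its own context, record an owner, and be reported only to the levels of the hierarchy where it matters. The threshold rule (a unit is in scope when at least 25% of the units beneath it are affected) and the bank hierarchy, node names and relation names are all assumptions made for the example; the article only gives the flooding anecdote.

```python
from collections import defaultdict
from fractions import Fraction


class RiskNetwork:
    """A small typed graph standing in for a flat risk register (example code)."""

    def __init__(self):
        self.node_type = {}                                    # node -> kind
        self.out = defaultdict(lambda: defaultdict(set))       # src -> rel -> {dst}
        self.inc = defaultdict(lambda: defaultdict(set))       # dst -> rel -> {src}

    def add_node(self, name, kind):
        self.node_type[name] = kind

    def add_edge(self, src, rel, dst):
        for n in (src, dst):
            if n not in self.node_type:
                raise KeyError(f"unknown node {n!r}")
        self.out[src][rel].add(dst)
        self.inc[dst][rel].add(src)

    def neighbours(self, node, rel):
        return set(self.out[node][rel])

    # COMPLEXITY: a risk may carry more than one category at once.
    def categories(self, risk):
        return self.neighbours(risk, "category")

    # CONTEXT: policies, regulations and controls hang off the risk itself.
    def context(self, risk):
        return {rel: sorted(t) for rel, t in self.out[risk].items()
                if rel in ("governed_by", "mitigated_by") and t}

    # OWNERSHIP: every risk should have exactly one first-line owner recorded.
    def unowned_risks(self):
        return sorted(n for n, k in self.node_type.items()
                      if k == "risk" and not self.out[n]["owned_by"])

    def _leaves(self, unit):
        children = self.inc[unit]["reports_to"]
        if not children:
            return {unit}
        return set().union(*(self._leaves(c) for c in children))

    # COMMUNICATION: surface a risk to a unit only when enough of what it
    # oversees is affected (assumed rule: 25% of the leaf units beneath it),
    # plus the direct manager of every unit in scope.
    def audience(self, risk, threshold=Fraction(1, 4)):
        affected = self.neighbours(risk, "affects")
        in_scope = set()
        for unit, kind in self.node_type.items():
            if kind != "org_unit":
                continue
            leaves = self._leaves(unit)
            if Fraction(len(leaves & affected), len(leaves)) >= threshold:
                in_scope.add(unit)
        audience = set(in_scope)
        for unit in in_scope:
            audience |= self.out[unit]["reports_to"]
        return audience


def build_network(flooded_units):
    """Constructed sample bank: CEO over two regions of five branches and a head office."""
    net = RiskNetwork()
    for u in ["CEO", "North", "South", "HeadOffice",
              *[f"N{i}" for i in range(1, 6)], *[f"S{i}" for i in range(1, 6)]]:
        net.add_node(u, "org_unit")
    for name, kind in [("branch_flooding", "risk"), ("internal_fraud", "risk"),
                       ("operational", "category"), ("compliance", "category"),
                       ("BCP-policy", "policy"), ("fraud-policy", "policy"),
                       ("AML-reg", "regulation"), ("flood-barriers", "control"),
                       ("dual-authorisation", "control")]:
        net.add_node(name, kind)
    for region in ("North", "South"):
        net.add_edge(region, "reports_to", "CEO")
        for i in range(1, 6):
            net.add_edge(f"{region[0]}{i}", "reports_to", region)
    net.add_edge("HeadOffice", "reports_to", "CEO")
    net.add_edge("branch_flooding", "category", "operational")
    net.add_edge("branch_flooding", "governed_by", "BCP-policy")
    net.add_edge("branch_flooding", "mitigated_by", "flood-barriers")
    net.add_edge("internal_fraud", "category", "operational")
    net.add_edge("internal_fraud", "category", "compliance")
    net.add_edge("internal_fraud", "governed_by", "fraud-policy")
    net.add_edge("internal_fraud", "governed_by", "AML-reg")
    net.add_edge("internal_fraud", "mitigated_by", "dual-authorisation")
    net.add_edge("internal_fraud", "owned_by", "HeadOffice")   # flooding left unowned on purpose
    for u in flooded_units:
        net.add_edge("branch_flooding", "affects", u)
    return net


if __name__ == "__main__":
    one = build_network(["N1"])
    print("one branch flooded, report to:", sorted(one.audience("branch_flooding")))
    many = build_network(["N1", "N2", "S1"])
    print("three branches flooded, report to:", sorted(many.audience("branch_flooding")))
    print("fraud categories:", sorted(many.categories("internal_fraud")))
    print("fraud context:", many.context("internal_fraud"))
    print("risks without an owner:", many.unowned_risks())
```

With a single branch flooded, `audience` returns only that branch and its regional manager; with three of ten branches flooded across both regions the North region and the CEO cross the 25% line, so the risk is reported upward without the CEO ever seeing the single-branch case. The same graph answers the "so what" question (`context`) and the ownership gap (`unowned_risks`) that a flat register cannot.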

To continue reading this article please visit the BobsGuide page