Identification of Operational Risks
Identification of Operational Risks
The fundamental principle of operational risk management is to ensure that all operational risks have been considered and decisions have been taken about the best way to mitigate them. This is because experience has shown organizations that the worst outcomes come from risks that they have knowingly or unknowingly ignored. It is therefore important to ensure that the organization tries to maintain an exhaustive list of all the operational risks that it faces. The reality is that the risk can never be exhaustive. However, the idea is to make the analysis as comprehensive as possible given the time constraints that the organization has. It is also important to realize that the identification of operational risks is not a one-time process. Since the organization operates in a dynamic environment, it is important to periodically scan the environment in order to identify newer risks that may emerge and proactively manage them.
In this article, we will have a closer look at some of the best practices which are associated with the identification of operational risks.
Top-Down Approach Vs Bottoms Up Approach to Operational Risk Assessment
The identification of operational risks is one of the most crucial steps in managing risks. The failure to identify risks almost certainly means that the organization will not take any action to mitigate them. Hence, to identify risks, a thorough scan of the entire organization and its operating environment is necessary. This is the reason that companies often use a combination of a top-down approach as well as the bottom-up approach in their bid to identify operational risks.
The top-down level of risk identification starts with the actions of the senior management. This is because the data required to conduct the top-down analysis is not available to people working at lower levels. Top-down risk identification is generally done by the senior management in seminars. The major process owners of the organization try to brainstorm about what could go wrong with their operations. These sessions include scenario generation exercises wherein the executives are supposed to come up with the probable scenarios that the external environment can bring up and the response that the organization would give in each case. Generally, the top-down approach considers emerging technology and global risks in their meetings. This type of risk analysis happens quite infrequently. This is because the external environment does not change very often.
As the name suggests, the bottom-up approach to risk management is the opposite of the top-down approach. This is because the bottom-up approach is often undertaken by supervisors and mid-level management. However, they take their inputs from the lowest levels of workers. Process mapping and interviews are some of the most common techniques which are used in bottoms-up management. This is because the idea is to map the entire process at a granular level. Interviews help identify the most common threats to which the process is vulnerable. Also, it is the job of the management to conduct an operational risk analysis to identify key people and systems which can cause a systemic breakdown in the organization. This risk identification focuses on how technology and people can be deployed to provide optimum results for the company. However, there is an inherent issue with the bottoms up approach. Many times, managers are too engrossed in finding their individual risks. Hence, the exercise is conducted on a very micro level. The end result of such an exercise is the identification of a series of disjointed risks. These risks may not have any pattern to them and maybe at a very low level. Hence, formulating an organization-wide approach to mitigating these risks might become difficult in such an environment. The frequency of this process is quite high. Companies often conduct half-yearly or annual risk audits in order to identify the risks and create plans to mitigate them.
Problems with Risk Identification
The problem with risk identification is that it is not a process-based approach. The methods used in the risk assessment exercise are qualitative. Hence, the outcomes of such methods are not consistent. For instance, two different groups at the same organization may brainstorm in order to identify risks and both the groups may come up with entirely different outputs. Both the bottoms up and top-down approach relies on intuition and judgment instead of using the scientific method. Even after the risks are identified the categorization of these risks is subject to a lot of human judgment. This creates a huge problem since if the person conducting the risk management exercise is not competent, the risk identification would be incomplete. Tools like risk matrix have been created to help managers identify and prioritize risks. However, they too work based on the inputs given to them by the person identifying the risks.
The bottom line is that the identification of risks is an imperfect process. This is the reason that it needs to be done in an iterative manner. This is because it is possible that a risk that was missed the first time may be identified in the second or third attempt.