Operational risk management has long been treated as a process in which a business simply reviews its risks through a series of management workshops. The risks are then assessed for relative consequence and likelihood, or some similar measure, and the appropriate controls are documented. Management then documents any residual control weaknesses, together with either action plans to close those weaknesses or a process for accepting the residual risk position. Finally, relevant key risk indicators are developed to monitor the risks and their current status.
As I stated, simple really.
Except for one major failing in this approach: it neglects the risks associated with the operation of complex individual processes, each of which can on its own impact the organisation's performance. The difficulty with operational risk management is that concentrating on management's understanding of the risks (the top-down view) inherently limits how deeply the risks that actually exist are uncovered. Almost every day you read about an organisation that has suffered some form of failing, and generally that failing is not due to some significant top-down risk but to an individual step in a process failing.
Mature organisations have a risk management process that considers both top-down and bottom-up risk assessments.
The top-down process is performed through the standard management workshop process, with a focus on the risks that "keep management awake at night", which therefore align more closely with the strategic objectives of the organisation.
The bottom-up process is best performed by first documenting your end-to-end business processes using some form of process flowcharting and documentation tool. From there, the business process owners, together with the people who actually execute the process, should be engaged to document the risks associated with each step in the process. Those risks should then be assessed using a standard risk assessment framework such as consequence and likelihood. In the bottom-up process the rating levels should be calibrated to the importance of the process being assessed, not to the organisation as a whole. Next, the controls that mitigate each identified risk should be documented against it. Interestingly, when you perform this type of bottom-up analysis you will often find that some of the controls you previously thought were critical are not as critical in terms of the real risk in the process. From here, key risk indicators, or metrics, should be developed that management can monitor.
The next step is to reconcile the top-down and bottom-up risks and identify where unexpected bottom-up risks are not captured by the strategic, overall risks, and of course vice versa.
Organisations that successfully perform the top-down and then the bottom-up analysis will find that they better understand their risks across the organisation, and also where they can create efficiency improvements and even strategic advantage. Risk management is not about the process but about the outcome for the organisation, so that it can achieve its strategic goals through solid business management.
Cheers,