Evaluation of a Risk Management Plan
A risk management plan can never be perfect. However, the degree of its success depends upon risk analysis, management policies, planning and activities. A well-defined management plan can be successful only if risks are properly accessed. And if not, the main objective of risk management plan itself is defeated. Critical evaluation of a risk management […]
Rewards and Recognition System in Virtual Teams
In case of traditional co-located teams, pizza parties, lunch/dinner outings etc. are common approaches to celebrating team success while cash or non-cash awards such as public appreciation, customized merchandise or certificates are used to recognize individual performance. But when the teams are globally distributed, it becomes a challenge to reward and recognize their triumphs in […]
Assumption Reinsurance Vs. Indemnity Reinsurance
In the previous few articles, we have studied a lot about reinsurance. We are now aware of the various issues related to the field of reinsurance. However, up until now, we have assumed that reinsurance can be of only one type. This is not true. There are several different types of classifications that are possible […]
Benefits and Drawbacks of Indexation Clause in Reinsurance
In the previous article, we have already seen what an indexation clause in reinsurance contracts is. We are now aware of the purpose behind having indexation clauses in reinsurance contracts. We also know the various variations of the indexation clause which are common in the marketplace. However, before taking a final decision on whether or […]
How Cutting Edge Technologies can Enable Better and More Efficient Decision Making
How Successive Waves of Technological Change Led to Better Career Related Decisions With each iteration of technological change, decision making, whether professional or personal or business related and governmental policy related, gets better and more efficient. This is because decision making in any context thrives on information and when information and better data are available […]
The fundamental principle of operational risk management is to ensure that all operational risks have been considered and decisions have been taken about the best way to mitigate them. This is because experience has shown organizations that the worst outcomes come from risks that they have knowingly or unknowingly ignored.
It is therefore important to ensure that the organization tries to maintain an exhaustive list of all the operational risks that it faces. The reality is that the risk can never be exhaustive. However, the idea is to make the analysis as comprehensive as possible given the time constraints that the organization has.
It is also important to realize that the identification of operational risks is not a one-time process. Since the organization operates in a dynamic environment, it is important to periodically scan the environment in order to identify newer risks that may emerge and proactively manage them.
In this article, we will have a closer look at some of the best practices which are associated with the identification of operational risks.
Top-Down Approach Vs Bottoms Up Approach to Operational Risk Assessment
The identification of operational risks is one of the most crucial steps in managing risks. The failure to identify risks almost certainly means that the organization will not take any action to mitigate them. Hence, to identify risks, a thorough scan of the entire organization and its operating environment is necessary. This is the reason that companies often use a combination of a top-down approach as well as the bottom-up approach in their bid to identify operational risks.
The top-down level of risk identification starts with the actions of the senior management. This is because the data required to conduct the top-down analysis is not available to people working at lower levels.
Top-down risk identification is generally done by the senior management in seminars. The major process owners of the organization try to brainstorm about what could go wrong with their operations. These sessions include scenario generation exercises wherein the executives are supposed to come up with the probable scenarios that the external environment can bring up and the response that the organization would give in each case.
Generally, the top-down approach considers emerging technology and global risks in their meetings. This type of risk analysis happens quite infrequently. This is because the external environment does not change very often.
As the name suggests, the bottom-up approach to risk management is the opposite of the top-down approach. This is because the bottom-up approach is often undertaken by supervisors and mid-level management. However, they take their inputs from the lowest levels of workers.
Process mapping and interviews are some of the most common techniques which are used in bottoms-up management. This is because the idea is to map the entire process at a granular level.
Interviews help identify the most common threats to which the process is vulnerable. Also, it is the job of the management to conduct an operational risk analysis to identify key people and systems which can cause a systemic breakdown in the organization. This risk identification focuses on how technology and people can be deployed to provide optimum results for the company. However, there is an inherent issue with the bottoms up approach.
Many times, managers are too engrossed in finding their individual risks. Hence, the exercise is conducted on a very micro level. The end result of such an exercise is the identification of a series of disjointed risks. These risks may not have any pattern to them and maybe at a very low level.
Hence, formulating an organization-wide approach to mitigating these risks might become difficult in such an environment. The frequency of this process is quite high. Companies often conduct half-yearly or annual risk audits in order to identify the risks and create plans to mitigate them.
The problem with risk identification is that it is not a process-based approach. The methods used in the risk assessment exercise are qualitative. Hence, the outcomes of such methods are not consistent.
For instance, two different groups at the same organization may brainstorm in order to identify risks and both the groups may come up with entirely different outputs. Both the bottoms up and top-down approach relies on intuition and judgment instead of using the scientific method.
Even after the risks are identified the categorization of these risks is subject to a lot of human judgment. This creates a huge problem since if the person conducting the risk management exercise is not competent, the risk identification would be incomplete.
Tools like risk matrix have been created to help managers identify and prioritize risks. However, they too work based on the inputs given to them by the person identifying the risks.
The bottom line is that the identification of risks is an imperfect process. This is the reason that it needs to be done in an iterative manner. This is because it is possible that a risk that was missed the first time may be identified in the second or third attempt.
Your email address will not be published. Required fields are marked *
