What outcomes does your company expect from the risk identification process?
If you are reading this, then something has motivated you to run a risk identification process in your organisation. That motivation will be a key success factor in running the process. For instance, say an external audit found risk management wanting in your organisation, and you have been tasked with running a risk identification process to satisfy an audit point.
If there is little motivation or stakeholder buy-in beyond this, then you may as well stop now, because you will be wasting your time. For risk identification to work in your organisation, you will need to write down a clear set of outcomes that you expect from the process. You should think about your stakeholders and what will motivate them to participate. Again, if they are being told to participate but do not understand the process or see any benefit in it, then your outcome will be dire. It is important that your stakeholders:
1. Understand how the Risk Identification process is different from work carried out before.
2. Understand that the risk identification results will be given serious consideration by senior management.
3. Understand that the outcomes of risk identification are actionable. This means that actions taken because of what was found in the risk identification process must be passed back to the SMEs. If the actions taken are not passed back to the SMEs, they will assume that their participation is a waste of time.
4. See that senior management takes the process seriously and has invested some of its precious time in it.
5. Your company must be genuinely trying to seek out and action real risks, not ticking boxes for regulators, auditors or senior managers.
Write down why your company is doing risk identification, and why your SMEs should participate in the risk identification process. If you are not convinced, then they won't be. Consider both carrot and stick motivations.
What resources can your company apply to risk identification in business as usual?
There is no point building out a very elaborate risk identification process if your company will not commit resources to maintaining and repeating it. One of the first questions to ask senior management is what resources will be dedicated to running the process in future business as usual.
If it is one person, part time, then build a light process that can be done by one person part time. It will still be better than nothing.
What is your implementation time horizon?
Understand and build to your time horizon. If you are building the process to meet a regulation, target the language of that regulation first; you can build out your processes further later on. Once you have a clear understanding of your goals, create a plan to achieve them in a timely manner. Again, only plan to build the size of project you can deliver in the time allotted.
What tools does your company have that can be used for risk identification?
At the beginning of the process, it is worth sitting down with your IT department to understand what tools you have available to carry out the risk identification process. One of the main concerns for some organisations is the privacy of risks, even internally; a spreadsheet simply does not suffice for these types of companies. Does your company have any polling software or user-created forms available to it?
Does your company have a clear mandate to do risk identification?
Typically, I advise that a letter or note from the most senior sponsor is circulated to all participants in the risk identification process. This is something you, as the project manager, can write for them and ask them to sign. You are using their authority not only as a stick but also as a carrot to motivate your participants. The note or letter should explain what the company's motivations are in carrying out the process, and those motivations should be for the betterment of the company. The letter should also say how the results will be used and what decisions will be made based on the results.
Who or what is driving the implementation of risk identification in your company?
Today, write down why you are running a risk identification process. Who told you to do it, and why did they tell you to do it? Write it down, read it back to them, and circulate it.
Avoiding duplication of risk processes
In many organisations risk practices are already in place. In a financial institution, for instance, there will be a risk management department in nearly every area of the taxonomy. These stakeholders can be the most difficult to manage, as the first question they will have for you is "Why are you duplicating my work?" The risk identification process can be seen as a threat: if it turns up something in an area already owned by a risk manager, that manager may feel threatened by it. It can be like someone snooping around in your dirty laundry. The people implementing risk identification will have to be very pragmatic and sensitive to the needs of these stakeholders. This can be a particular problem when dealing with operational risk, as the RSCA process is a similar process often designed to capture some of these risks.
You need to follow a line of logic in your own head with this and stick to it.
Have financial institutions collapsed or been severely adversely affected by risk events, even though they had risk management processes in place?
The answer to this question is yes, of course. How does this happen? There are many different reasons, and one of them is a lack of overall oversight. Companies can become siloed, and cascading risks can be overlooked. Artificial divides between risk categories can become a cause of risk in themselves. The power of the overview is what risk identification is all about.
Risk identification is not about calculating credit exposures or Value at Risk. It is about capturing the most material risks to an organisation in an understandable way, so that they can be discussed and mitigated.
It is important that the second line of defence (risk management) is a partner in the risk identification process. In a company that has seen many risk failures this may be even more important, as these individuals can feel under attack and may seek to block the process. Do not make your risk identification process dependent on your second line of defence. It must run in parallel with their activities, and work in such a way that they are given a chance to analyse and comment on the outcomes of the process before the results are presented to senior management. This does not mean, however, that they should be able to change or censor the results of the risk identification process.
Make sure that representatives of risk management are involved in every step of your process. Another problem that can arise if the process is not carried out in a collaborative way is that business SMEs can be targeted by the risk managers and then again by the risk identification process. This will cause bad will, and this sort of duplication should be avoided.
If there is a clear overlap between the risk identification process results and results obtained from other departments, then agree to feed the results from those other departments into your final results. Some pragmatism is needed here. Any conflict arising from overlap will ensure that your process will not be repeatable once the spotlight moves away toward other things.