Operational risk assessment and planning is among the most important activities an organization can undertake to set priorities and develop a clear plan that enables growth.
Adopting the 80/20 rule makes sense for any company, but especially for a growing company with limited time, capacity, or skills, or all of the above. In this article, we will identify the components that are important to an Operational Risk Assessment.
Operational Risk Categories
The task of identifying risks may seem daunting as there are many risks related to running a business. To streamline the risk identification process, it’s essential to review the following three risk categories:
Financial Reporting Risk
Risks or events that may result in reporting financial information incorrectly. It is imperative to speak with both the front office and finance to obtain a complete picture of the financial reporting processes and controls.
Risk that internal people, vendors, processes, and tools are not working as they should. This can result in a loss of productivity and can potentially affect reputational, compliance, and financial reporting risks.
Operational risk tends to permeate organizations from due diligence and onboarding of clients, to processing transactions, analyzing and reporting information, and performing financial closes.
Risk of non-compliance with regulatory requirements and customer contracts, both of which can seriously impact the financials and reputation of a business. This category can also include risks related to interpretations of requirements. It’s important to consider the process owners who are responsible for regulatory compliance and customer contracts/agreements to ensure everyone understands the obligations in the same way.
At this point, you might ask, why don’t we go straight to asking the question “what risk rating (low, medium, or high) would you assign to each risk?”
Since risk is an amorphous term and can be defined differently across multiple stakeholders, it can be difficult to reach an unbiased view of risk for the organization. Using a risk model provides the structure necessary to properly and expeditiously answer the risk question with integrity.
In other words, the risk model, which represents risk quantitatively, is a tool for an organization to enable qualitative conversations related to risk. It helps to talk about concrete topics that the interviewees or stakeholders can clearly discuss versus just asking, “what do you think the risk of your area is?”
There are two basic concepts used to assess risk: Likelihood and Impact.
Likelihood of a risk occurring can be determined by looking at the inherent complexity of the business or function, historical problems or issues that have occurred, and projected changes in the business or function.
Impact can be assessed by asking about direct and indirect costs that resulted from a risk that has occurred in your organization or in your industry. It also helps to have discussions about downstream and upstream processes that would be impacted as a result of the risk occurrence.
Risk Attribute Rating
A defined scale of ratings with a definition for each rating should be laid out before starting. Generally, in our experience, a 5-point scale works well to ascribe low to high likelihood or impact.
The conversations related to each component of risk serve to support each rating. Then, we can compile the components related to each risk and develop an overall risk rating for each risk. It’s important to note that this is not an annual exercise that’s put on the shelf once completed. Rather, it is a tool designed to develop a roadmap and generate the momentum for the organization’s upcoming initiatives, projects, and activities.
In the next article, we will tackle the topics of roadmap and implementation. In the meantime, for those of you who would like to have a conversation on how we can support your risk assessment exercise, please email me at LShen@alliaconsulting.com.
Written by Laurie Shen, CEO and Founder
ALLIA Consulting LLC