Operational risk assessment and planning is increasingly important, as this one activity can help an organization prioritize and develop a clear plan that enables growth.
Adopting the 80/20 rule makes sense for any company, but especially for a growing company that is likely facing limited time, limited capacity, a skills shortage, or all of the above. In this article, we identify the components that matter in an Operational Risk Assessment.
Operational Risk Categories
The task of identifying risks may seem daunting, as there are many risks involved in running a business. To streamline the risk identification process, it helps to review the following three risk categories:
Financial Reporting Risk
Risks or events that could lead to financial information being reported incorrectly. It is important to speak with both the front office and finance to gain a full picture of the financial reporting processes and the controls around them.
The risk that internal people, vendors, processes, and tools are not working as they should. This can result in lost productivity as well as increased compliance and financial risk.
This risk tends to be present throughout the organization: from due diligence and onboarding of clients, through processing transactions and analyzing and reporting information, to performing financial closes.
Risks of non-compliance with regulatory requirements and with customer contracts, which carry financial and reputational impact for a business. This category can also include risks arising from differing interpretations of requirements. It is important to involve the key process owners responsible for regulatory compliance and for customer contracts and agreements.
At this point, you might ask: why not go straight to the question "what risk rating (low, medium, or high) would you assign to each risk?"
Because risk is an amorphous term that different stakeholders define differently, it can be difficult to reach an unbiased view of risk for the organization. A risk model provides the structure needed to answer the risk question properly, expeditiously, and with integrity.
In other words, the risk model, expressed quantitatively, is a tool that enables qualitative conversations about risk. It lets you discuss concrete topics that interviewees and stakeholders can speak to clearly, rather than only asking "what do you think the risk of your area is?"
At the core, there are two basic concepts used to assess risk: Likelihood and Impact.
The likelihood of a risk occurring can be determined by looking at the inherent complexity of the business or function, the historical problems or issues that have occurred, and the projected changes to the business or function.
Impact can be assessed by asking about the direct and indirect costs of past occurrences of the risk, whether in your organization or in the industry. It also helps to discuss the downstream and upstream processes that would be affected if the risk occurred.
Risk Attribute Rating
The rating scale, and a definition for each rating on it, should be defined before starting. In our experience, a 5-point scale works well for rating likelihood or impact from low to high.
As mentioned earlier, once the conversations about each component are completed, each rating will be properly supported.
Only now do we compile the components for each risk and develop an overall risk rating for each risk type in each area. It is important to understand that this is not a one-off annual exercise but a tool for developing a roadmap for the organization going forward.
Next, we will tackle the topic of roadmap and implementation. In the meantime, if you would like to discuss how we can support your risk assessment exercise, please email me at LShen@alliaconsulting.com.