RMORSA Part 2: Risk Identification and Prioritization

by Steven Minsky on September 4, 2013

The first step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, Risk Culture and Governance, lays the groundwork and defines roles for your risk management function. The second step, Risk Identification and Prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk based decision making.

The engine behind this process, the enterprise risk assessment, isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers interview process owners and collect huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. And what good is a top 10 risk if you can’t answer the inevitable question: what are you going to do about it?

Take a Root-Cause Approach

The first and most common hurdle risk managers face is that the risks expressed by process owners are so specific to their business area that they can’t possibly be measured against the rest of the enterprise. For example, the IT department may be struggling to find candidates with enough JavaScript experience, or the Health & Safety department might be concerned with an endless string of EPA regulations. Process owners can’t help but think in terms of their immediate environment, but you can make use of their insight by adopting a root-cause approach.

The key to this root-cause approach is a common risk library, or taxonomy, that maps the concerns of business areas to a category that you as the risk manager can take action upon. When IT says it can’t find candidates with JavaScript experience, for example, what it’s really expressing is an issue with hiring practices, just as Health & Safety is expressing a concern with the company’s regulatory environment.

By categorizing risks, it becomes evident when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.

Use a Single Set of Criteria

When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks against that amount. But consider how many process owners in your organization have the financial transparency to work in monetary values. Chances are, the answer will be very few.

To compensate for this lack of financial visibility, qualitative criteria are essential for operational risk assessments. Create qualitative criteria that apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or in a serious departure from the organization’s business values.

Tell a Story to Your Board and Executive Leadership

The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.

Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.

For more information on risk assessment best practices, download LogicManager’s complimentary guide, “5 Steps for Better Risk Assessments.”

Steven Minsky is the CEO of LogicManager, Inc., a provider of ERM software solutions. He is a co-author of the RIMS Risk Maturity Model, RIMS State of ERM 2008 Report and a RIMS Fellow (RF) instructor on ERM, as well as a patent author of risk and process management technology. You can read Steven's blog at info.logicmanager.com.

FK September 5, 2013 at 10:31 am

Very good article! Looking forward to the following ones!

Risk Culture Builder September 15, 2013 at 1:28 am

It is time to renovate risk management. The past is no longer a roadmap for the future.

Let us come clean and move on, the earlier the better for all. Which other industry has so many frameworks, so many different processes and so many different standards, regulations and so-called guidance documents? Which other industry has so many people claiming to be experts and trying to squeeze a quick buck out of something nobody can ever be an expert in? Too many “somebodies” out there who are “certified” by nobodies, too much education done by non-educators.

Any process older than 5 years is outdated; we live in a world of dynamic change, the pace of which is ever increasing and with it, the levels of Risk Exposure. The basic Risk Management Cycle is one of these outdated processes.

Let us look at Risk Identification: we tried in many different ways to identify all the risks—until a volcano sneezed and we realized that we have not; and can never, identify all the risks. Let us accept that and move on. The size of your risk register is not related to, nor is it an indication of the effectiveness of your risk management process.

Next we get to Assessment and Analysis: Those who thought they were good at risk identification moved on to quantification. Sadly, many are still stuck there, thinking that models can control and mitigate risk. Some in the alternative movement are trying to justify the great cost of their models by using the results for good purposes, like calculating economic capital etc. Thinking of which, the gross income of most banks dropped since 2008, so how cool is it for those using the Basic Indicator or Standardised approach for Operational Risk—in a time when their operational risks increased significantly, their capital charge has come down. Can this create a passion to improve Operational Risk Management to an AMA level?

Even sadder is that in my recent risk survey on LinkedIn, only 26% of the respondents said they have no problems with the data in their systems. Does that mean that 74% of corporate risk reports and a large number of regulatory compliance calculations are sucked out of useless data of varied degrees? The quantity of data is often so impressive that people forget that the underlying quality might be bad (or is confirmed bad, like the 74% of recent survey respondents).

Risk reporting, control and treatment: How wrong did we get red, amber, green! Now everybody wants every risk to be green, because green is good. Green on a risk report is perceived to mean “do nothing”, but that is the quickest way for those risks to shoot to red. Then we get to amber, what a nice place to be: all risks are under control and we choose to overlook the fact that those controls might not be efficient or can be completely ineffective.

DANGER ZONE: those risks in the red zone, the bad zone. The red zone is where you make the most money, but it is also the place that requires the most effort in risk control. For as long as red is perceived as bad we will be stuck with average risk management effort (amber) or no risk management effort (green). So the red zone is the best zone with the biggest returns—if you are prepared to put in the effort.

We already know that the effectiveness of your risk management process is not linked to the size of your risk register. Similarly, it is also not linked to the thickness of your executive risk report. Anyway, we have sanctified board risk reports to the extent that the difference between what the top thinks and the bottom knows is so big that those in the middle are just slipping into the ditch. Trouble surely comes when people are working harder at keeping their jobs, than doing their jobs.

If you have a formal monthly risk report it is generally 28 days too late; frightening to think some have a quarterly risk report, or as a friend commented recently, an ANNUAL risk report! It is thus not about the size, it's all about the timing: having a risk nervous system that runs accurate risk information from all points inside the organisation (and outside) and having “live” dashboard reporting on the company intranet. The earlier people know, the better the decisions and the smaller the losses.

Secondly, the sole purpose of many risk management processes is to produce the risk report, often that is the sole purpose of the risk management department. The outcomes of a risk management process are much more than models and risk reports. What do you do with the information you have? If your risk management department cannot show a positive Return on Investment—get rid of them!

Processes and Systems: Most organisations have taken the easy way out (note: not the cheapest) and built impressive risk management systems worth millions of dollars, but failed to address the fundamental issue of people. All risk management efforts are worthless without a risk nervous system—and only humans can add that.

We already know that there are no risk management experts; and in fact, we do not need any risk management experts! All we need is for each and every employee to know the basic risk management skills and principles; use them to evaluate the risks associated with his/her job and do something on a daily basis to mitigate and control those risks. Risk Management success lies in embedding an effective risk management culture!

Prevent your business from crash-landing, change the way you see and approach risk management and execute that transformation; put in the effort and embed an effective risk management culture in your business, delivering good risk governance and building sustainable competitive advantage.

Welcome to transformation, be the change you want to see!