Managing non-financial risk or operational risk is becoming more of a focus point for many organisations. With cyber risks on the rise and increased reliance on vendors, new risk categories are emerging for organisations. Not just regulated organisations such as banks or insurance businesses are turning their focus to oprisk management. Across industries, current processes and technologies are being re-evaluated. At Alyne, we are consistently engaging with leading organisations on this topic and have observed some common challenges and success factors in increasing operational risk transparency.
- Process Centricity
Many organisations place a strong emphasis on the perfect and comprehensive process for managing risk. Actually identifying risk from a broad basis in the organisation often takes a back seat. The outcome is more often than not a process that is not embraced through the organisation and does not deliver risk transparency to decision makers.
- Focus on Data Sources
Often connecting all potential data sources such as enterprise applications or process repositories is considered the first step. While these may be good sources for completeness in later stages, they are not always what deliver fast and direct insights to core risks.
- Activity Peaks
While periodic reporting is understandable, it leads to peaks of activity in risk management. This provides an incomplete picture, as risks do not evolve in a linear fashion. Ideally, continuous management and identification of operational risks can be established.
- Develop Culture
Culture will trump process and technology in delivering risk transparency. Shape the organisation to think in concepts of risk rather than forcing a politically loaded process on the organisation. This will increase objectivity of your data.
- Encourage Collaboration
Make it easy to collaborate in capturing, updating and documenting risk information in favour of a stringent, highly controlled process. What you might sacrifice in perceived governance, you make up for in risk insights
- Focus on Risk Identification
Focus on risk identification first. Modelling each aspect of your organisation can follow, but broaden your risk baseline first and iterate towards a more perfect model. Primary driver should always be capturing as much risk information initially as possible.