Updated: Jun 10, 2020
Risk-based thinking is at the center of recent changes to compliance standards, guidelines, and regulations. One of the areas where risk-based thinking is being applied is within the operations of a business. This is the domain of operational risk management which is defined as:
"The risk of direct or indirect loss due to inadequate or failed internal processes, people and systems, or from external events."
– Basel II
This definition comes from the financial and insurance sector, although it is still useful for other industries as operational risk management continues to gain traction there. However, this definition is likely to change as the trend to include positive risk grows (e.g. ISO 31000).
Whether risks are negative or positive, an important step in any risk-based approach is the identification of the risks themselves. This requires (among other things) an understanding of where risks come from. Knowing the sources can help not only to identify risks but also how best to manage them.
It is possible to think about these sources in relation to operational systems and processes. These relationships can be classified as extrinsic, intrinsic and emerging.
For the purpose of this article, the compliance systems model introduced in a previous article will be used, although, in principle, these definitions can apply to each component of any process or system.
Extrinsic risks are risks external to the system that affect the underlying processes and activities. They may be introduced by changes (shown in red in the above model) to the scope, critical-to-compliance requirements, resources, funding, strategies, best practices and program controls that are placed on the system. Risks may also come from other external sources that have been identified at the corporate level.
A significant source of system risk arises from change, so it is important to have an effective management-of-change process to identify and manage these risks. This is even more critical when the system is vulnerable to emerging risks.
Intrinsic risks are inherent in the process and its activities. They may take the form of latent or active failure modes, gaps in capabilities, uncertainties in work plans, or process variability.
There are two common approaches to identify and treat these kinds of risks:
Risk Assessment – as part of an initial or periodic assessment, levels of risk are calculated for each activity or place where value is added. Steps can then be taken to decrease the uncertainties, or to minimize or exploit the consequences, in order to better achieve the desired system objectives. These assessments assume a relatively static process in which risks do not change often.
Risk-Based Process – this approach embeds a risk screening at the front end of the process to determine which path to take, given the level of risk associated with either the work to produce the output or the output itself. Separate work streams based on the level of risk can accelerate cycle times and also ensure that the appropriate amount of rigor (e.g. further risk assessment) is applied when needed. This technique is used frequently with stage-gate methodologies such as project, change and design processes, and it is effective at identifying emerging risks because an assessment is done each time the process is initiated.
Emerging risks are risks that are developing or changing as a system evolves. They are often the most difficult to identify and to understand. Emerging risks can be classified as:
Newly created risks
Newly identified or noticed risks
Changes to such things as likelihood, severity, causes, consequences, and control effectiveness for existing risks
Periodic risk assessments are useful for updating risk profiles to take emerging risks into consideration. Risks identified using the risk-based process mentioned previously can also be used to update the system risk profile so that they can be monitored.
Knowing where risks come from makes it possible to create appropriate triggers so that risks are identified, managed, and effectively treated. As companies change at an increasing rate to improve their business processes, it is essential that risk-based approaches keep up.
Conducting risk assessments periodically may not be enough. Embedding them inside processes, however, will enable companies to stay on top of new and emerging risks and remain proactive.