Defining operational risks is not as easy as it looks
One of the most basic steps in any risk management process is to define your operational risks. Risks are typically recorded in a risk register together with their related controls. This sounds easy - but for any of you who have reviewed a range of risk registers or attempted it yourselves, you might have found that it is, in fact, a complex task.
The two main issues to consider are:
- What exactly are you describing? Your risk description needs to be consistent between all risks.
- What level of granularity and detail should the risk description contain?
What are you describing?
Risk descriptions typically found in risk registers might look like this:
- Human error
- Reputation damage
- Poor quality training
- Loss of confidential data
All of the above are inconsistent in that they are describing different parts of the same risk. Human error is the risk cause, reputation damage is the risk impact, poor quality training is a weak control, and loss of confidential data is the risk event. (These elements are described in a blog series on Bow Tie Analysis.)
Each organisation should decide on a consistent standard for defining and recording all risks. We suggest the following:
- The main short name for the risk is the risk event, i.e., loss of confidential data.
- The risk is described in terms of its event (loss of confidential data), caused by human error and resulting in reputation damage.
- Training is recorded as a control over the risk and, since the training is poor quality, it would be rated poorly when control effectiveness is assessed.
What level of granularity and detail should be used?
There are three levels of granularity and detail you can choose from when recording risks.
These are, from the least to most granular:
- Risk event only: “Loss of confidential data”.
- Risk event, main cause and main impact: “Loss of confidential data, caused by human error, leading to reputation damage”. This is often referred to as a risk statement.
- Risk event, main and secondary causes, main and secondary impacts: “Loss of confidential data, caused by human error, system failure and external cyber-attack, leading to reputation damage, monetary fines and financial losses”.
The approach taken by each organisation may be different depending on the maturity of the business. The method needs to be kept as simple as possible while providing enough granularity to be useful.
The following provides an example of the third level above using the Protecht ERM system. This method is based on:
- Defining the risk event and linking it to a central library of risk event categories.
- Defining the risk causes and linking to a central library of risk cause categories.
- Defining risk impacts and linking to a central library of risk impact categories.
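The following is an added illustration of the event/cause/impact structure described above, not code from Protecht or its ERM system. It assumes three small category libraries constructed here for the example, a `Risk` record whose short name is always the risk event, a `validate` function that flags the inconsistencies from the earlier list (a cause, impact or control recorded as the risk name, or a missing cause or impact), and a `describe` function that renders the same record at each of the three granularity levels; all names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed category libraries for the example. A real ERM system would hold
# these centrally so every register links to the same categories.
EVENT_CATEGORIES = {"Loss of confidential data", "Unauthorised system access", "Service outage"}
CAUSE_CATEGORIES = {"Human error", "System failure", "External cyber-attack"}
IMPACT_CATEGORIES = {"Reputation damage", "Monetary fines", "Financial losses"}


@dataclass
class Control:
    name: str
    effectiveness: str  # assessed rating, e.g. "poor", "adequate", "strong"


@dataclass
class Risk:
    event: str                                   # the short name is always the risk event
    causes: list = field(default_factory=list)   # first entry is the main cause
    impacts: list = field(default_factory=list)  # first entry is the main impact
    controls: list = field(default_factory=list)


def validate(risk):
    """Return a list of problems; an empty list means the entry follows the standard."""
    problems = []
    if risk.event not in EVENT_CATEGORIES:
        # The common mistake: a cause, impact or control recorded as the risk name.
        if risk.event in CAUSE_CATEGORIES:
            problems.append(f"'{risk.event}' is a cause category, not a risk event")
        elif risk.event in IMPACT_CATEGORIES:
            problems.append(f"'{risk.event}' is an impact category, not a risk event")
        else:
            problems.append(f"'{risk.event}' is not in the risk event library")
    if not risk.causes:
        problems.append("no cause recorded")
    if not risk.impacts:
        problems.append("no impact recorded")
    for cause in risk.causes:
        if cause not in CAUSE_CATEGORIES:
            problems.append(f"cause '{cause}' is not in the cause library")
    for impact in risk.impacts:
        if impact not in IMPACT_CATEGORIES:
            problems.append(f"impact '{impact}' is not in the impact library")
    return problems


def weak_controls(risk):
    """Controls rated poorly when effectiveness was assessed."""
    return [c.name for c in risk.controls if c.effectiveness == "poor"]


def _join(items):
    # "a", "a and b", "a, b and c"
    return items[0] if len(items) == 1 else ", ".join(items[:-1]) + " and " + items[-1]


def describe(risk, level):
    """Render the risk at granularity level 1 (event only), 2 (statement) or 3 (full)."""
    if level == 1:
        return risk.event
    if level == 2:
        return (f"{risk.event}, caused by {risk.causes[0].lower()}, "
                f"leading to {risk.impacts[0].lower()}")
    if level == 3:
        causes = _join([c.lower() for c in risk.causes])
        impacts = _join([i.lower() for i in risk.impacts])
        return f"{risk.event}, caused by {causes}, leading to {impacts}"
    raise ValueError("level must be 1, 2 or 3")


if __name__ == "__main__":
    risk = Risk(
        event="Loss of confidential data",
        causes=["Human error", "System failure", "External cyber-attack"],
        impacts=["Reputation damage", "Monetary fines", "Financial losses"],
        controls=[Control("Training", "poor")],
    )
    for level in (1, 2, 3):
        print(f"Level {level}: {describe(risk, level)}")
    print("Problems:", validate(risk) or "none")
    print("Weak controls:", weak_controls(risk))
    # A register entry that names the cause instead of the event is rejected.
    print("Problems:", validate(Risk(event="Human error", impacts=["Reputation damage"])))
```

Running the module renders the three descriptions from the list above from one record, and the validator rejects an entry such as “Human error” used as a risk name, which is the inconsistency the earlier list of register entries shows.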
Whichever method you decide to use in your risk management framework, it needs to be consistently applied and communicated to all persons involved in the risk management process.
This will ensure that the risk registers are understandable and consistent and that they support the generation of a quality data set that can be used for value-added reporting and risk analytics.