Avoiding Risk Management Failure: A Case Study in
Process Improvement and Risk Mitigation
November 2015
Roger Burlton and Sasha Aganova
The Process Renewal Consulting Group Inc.
©2015 Process Renewal Group. All Rights Reserved. 2
Notice of confidentiality
Roger Burlton
President and Managing Partner
Process Renewal Group, BPTrends Associates
Suite 305, 125 Milross Ave, Vancouver, BC V6A 0A1
Phone: +1‐604‐240‐…
E‐mail: [email protected]
All materials provided in this session are copyrighted by Process Renewal Group.
The materials must not be copied, duplicated, or reproduced in any manner, or transmitted to others without the written consent of Process Renewal Group.
Why a talk about risks and processes?
Risk management fails when considered as:
• a routine to comply with regulations
• a task only for potentially ‘high risk’ areas
• risks mitigated by additional controls only
• effectiveness of controls not analysed
A better approach is needed!
Presentation agenda
• Background: Client and situation
• 7 step approach: Key tasks performed
• Sustainment Plan: Proposed plan to maintain deliverables and sustain compliance
• Results: What was accomplished
Client
• One of the largest banks in North America
• Financial institution under SOX/BASEL requirements
• Motivated to improve their risk assessment processes
Situation and objectives
Our task was to facilitate the risk control self‐assessment within certain business areas of the bank.
Objectives
• Document processes and incorporate a control framework
• Ensure that all activities are compliant with regulatory requirements and that all appropriate controls are in place
• Establish the structured baseline processes to be in a position to organize and sustain the effort of operational risk compliance
Success Criteria
• End to End process maps that can be collectively referenced for multiple risk and performance purposes
• Controls clearly mapped, enabling audit of risks and controls
• Having the ongoing means to maintain the process models, risk identification and control points
Initiative in numbers
• 11 Subject Matter Experts
• 64 Hours of workshops
• 42 Process streams
• 48 Identified risk origination points
• 12 Potential control gaps identified
• 22 Non‐active controls mapped
• 12 Active controls mapped
• 2 Risk types
The 7 Steps of the Process‐Centric Approach to Manage Operational Risk
1. Review documented risks, controls and processes
2. Define scope
3. Map processes in scope
4. Identify and map risks and existing controls
5. Determine gaps in risk controls and process performance
6. Identify and assess process improvement and risk mitigation opportunities
7. Develop and implement integrated process improvement and risk mitigation action plan
Step 1: Review documented risks, controls and processes
Make sure you get it all!
Step 2: Define scope
• What processes
  • Including preceding, subsequent and parallel processes
• What risks
  • reputational risks, security risks, privacy risks, etc.
• What potential inherited risks
• What aspects of risk management
  • mapping risk origination point to the process step; identifying risk severity and probability; identifying key risk indicators, etc.
Step 3. Map processes in scope
• Connect to outside stakeholders
• End to end comprehension
• Maintain best‐practice modeling standards
• Encourage model‐based conversations
• Variations, potential risks, issues, process improvements and potential performance enhancement opportunities
[Diagram: outside stakeholders – Customer, Supplier, Regulators, People and IT Providers]
Step 3 (cont’d). Leveling and detailed description
[Diagram: example of process leveling]
Acquire, construct and manage real‐estate
• Design and build / acquire real‐estate assets
• Obtain and install real‐estate assets
• Maintain real‐estate assets
• Dispose of real‐estate assets
Step 4. Identify and map risks and existing controls
For each risk:
• Ensure clarity on risk type and description
• Define criticality (materiality, severity and likelihood)
• Identify true origination point of this risk
• Map existing controls
• Ensure that control process steps are indeed performed
• Discuss history of failures
Step 4 (cont’d). Identify and map risks and existing controls
While this project focused on only 2 risks, the proposed approach can be applied across all risk types.
[Diagram legend: N‐1 = origination point for risk; control point; note related to the activity]
Step 5. Determine gaps in risk controls and process performance
• Are critical risks mitigated?
• Why do incidents still occur?
• Are we achieving business objectives?
Step 5 (cont’d). Determine gaps in risk controls and process performance
While this project focused on only 2 risks, the proposed approach can be applied across all risk types.
[Diagram legend: N‐1 = origination point for risk; control point; note related to the activity; GAP‐1.05 = area of potential risk/control management weakness]
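Steps 4 and 5 amount to building a risk‐control matrix and then asking, for each risk, whether a control is actually performed at its control point. The following Python model is an added illustration and is not the deck's or the bank's material: the process steps, risks, controls, the "N‐"/"C‐"/"R‐"/"GAP‐" labels and the severity × likelihood scoring with a critical threshold of 12 are all constructed assumptions. It keeps the deck's distinction between active and non‐active controls (a documented control whose process step is not performed does not mitigate anything) and reports the gaps Step 5 is looking for.

```python
"""Risk-control matrix with gap detection, modelling Steps 4 and 5.

Each risk has a true origination point (a process step), a criticality from
severity x likelihood, and the controls mapped to it. A control counts as
active only if the step performing it is actually carried out; otherwise it
is non-active and is itself reported as a gap. All steps, risks, controls and
the threshold are constructed sample data, not the bank's or the deck's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStep:
    step_id: str      # label in the style of the deck's "N-1" markers
    name: str
    performed: bool   # is this step really executed today?

@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    step_id: str      # process step at which the control is executed

@dataclass(frozen=True)
class Risk:
    risk_id: str
    risk_type: str            # e.g. "security", "privacy", "reputational"
    description: str
    origination_step: str     # true origination point of the risk
    severity: int             # 1 (low) .. 5 (high)
    likelihood: int           # 1 (rare) .. 5 (frequent)
    controls: tuple           # control_ids mapped to this risk

    @property
    def criticality(self) -> int:
        return self.severity * self.likelihood   # assumed 1..25 scoring

@dataclass(frozen=True)
class Gap:
    gap_id: str
    risk_id: str
    reason: str

CRITICAL_THRESHOLD = 12   # assumption: score >= 12 is critical and needs an active control


def find_gaps(steps, controls, risks, threshold=CRITICAL_THRESHOLD):
    """Return control gaps numbered GAP-01, GAP-02, ... in the order found."""
    step_by_id = {s.step_id: s for s in steps}
    control_by_id = {c.control_id: c for c in controls}
    gaps = []

    def report(risk, reason):
        gaps.append(Gap(f"GAP-{len(gaps) + 1:02d}", risk.risk_id, reason))

    for risk in risks:
        if risk.origination_step not in step_by_id:
            # Step 4: the true origination point must be a mapped process step.
            report(risk, f"origination point {risk.origination_step} is not a mapped step")
            continue
        active = []
        for cid in risk.controls:
            ctl = control_by_id.get(cid)
            if ctl is None:
                report(risk, f"control {cid} is referenced but not mapped")
            elif not step_by_id[ctl.step_id].performed:
                # Non-active control: documented, but nobody performs its step.
                report(risk, f"control {cid} is non-active: step {ctl.step_id} is not performed")
            else:
                active.append(ctl)
        if not active and risk.criticality >= threshold:
            # Step 5: is this critical risk actually mitigated?
            report(risk, f"critical risk (score {risk.criticality}) has no active control")
    return gaps


def summarize_controls(steps, controls):
    """Count active vs non-active controls, as on the 'Initiative in numbers' slide."""
    performed = {s.step_id for s in steps if s.performed}
    active = sum(1 for c in controls if c.step_id in performed)
    return {"active": active, "non_active": len(controls) - active}


# Constructed sample stream: a generic payment request.
STEPS = (
    ProcessStep("N-1", "Receive request", True),
    ProcessStep("N-2", "Verify requester identity", True),
    ProcessStep("N-3", "Approve request", True),
    ProcessStep("N-4", "Disburse funds", True),
    ProcessStep("N-5", "Reconcile disbursements", False),   # documented, not done
)
CONTROLS = (
    Control("C-1", "Access check before viewing customer data", "N-2"),
    Control("C-2", "Daily reconciliation of disbursements", "N-5"),
)
RISKS = (
    Risk("R-1", "privacy", "Customer data exposed at intake", "N-1", 4, 3, ("C-1",)),
    Risk("R-2", "security", "Unauthorized disbursement", "N-4", 5, 3, ("C-2",)),
    Risk("R-3", "reputational", "Slow response to requester", "N-3", 2, 2, ()),
)
```

Running find_gaps(STEPS, CONTROLS, RISKS) on the sample data yields two gaps, both on R‐2: its only control sits at a step nobody performs, so the risk is critical and unmitigated; R‐1 is covered by an active control and R‐3 falls below the critical threshold. summarize_controls gives one active and one non‐active control, the same split the deck reports for the real engagement (12 active, 22 non‐active).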
Step 6. Identify and assess process improvement & risk mitigation opportunities
• What can we improve?
• Be creative
  • brainstorming
  • mind mapping
  • root cause
  • creative workshop
• Do we create any new risks by improving?
• Do we harm process performance by introducing new Controls?
• Search for
  • unnecessary steps
  • system change
  • templates, forms
  • behavior
Paul Kaptein, Australia
Step 7. Develop and implement integrated process improvement and risk mitigation action plan
Finalise design:
• Define KRIs and KRI measurement and reporting activities
• Embed measurement and red‐flag follow‐up
• Consolidate all findings into process documentation
Plan implementation:
• Utilise hexagon to know what it will take to change
• Socialise; get back to Step 6
• Prioritise, assign responsibility
Level 1 Isolated: Processes are unpredictable, poorly controlled and reactive. High risk potential with few controls.
Level 2 Fragmented: Processes are defined functionally in a consistent way but not integrated. Localized controls – ETE risks / controls may be missed.
Level 3 Integrated: Processes are architected end to end across functions and groups. Architected processes – ETE risks / controls established and aligned.
Level 4 Aligned: Processes are measured and controlled. Architected processes – ETE risks / controls measured, monitored and mitigated.
Level 5 Sustaining: Focus is on process / performance improvement. ETE processes continuously improving, risks and controls continuously adapting.
[Diagram marks Current Maturity and Target Maturity on this scale]
Realistic risk management governance depends on true process maturity
Integrated process: process governance & risk assessment
1. Monitor: Monitor Business Environment Factors, KPIs & KRIs
2. Improve & Assess: Conduct Process Improvement & Risk‐Control Assessment
3. Identify: Identify Risks & Process Performance Gaps
4. Develop & Implement: Develop & Implement Process Improvement & Risk Mitigation Action Plan
5. Quarterly Review: Conduct Quarterly Risk‐Control Attestation
Result
• We performed process improvement without creating risks
• We mitigated risks by changing process
• We eliminated the gaps in current process documentation
• We will use this work as the foundation for suggesting changes/improvement in process and risk governance
Ultimate result
Sponsor: “I sleep better at night now. I know what we do, where the risks are, do we mitigate them or not. I also have re‐connected with staff to understand what we need to improve”
Fundamentals of this approach
• the risks occur as the result of certain activity or lack of activity
• control is an activity serving as a risk mitigation
• activity is required to measure identified KRIs
• A ‘systems approach’ is required to improve the compliance of the organization without substantially harming its process performance