Avoiding Risk Management Failure: A Case Study in Process Improvement and Risk Mitigation

November 2015

Roger Burlton and Sasha Aganova

The Process Renewal Consulting Group Inc.

©2015 Process Renewal Group. All Rights Reserved.

Notice of confidentiality

Roger Burlton 

President and Managing Partner

Process Renewal Group, BPTrends Associates

Suite 305, 125 Milross Ave

Vancouver, BC V6A 0A1

Phone: +1‐604‐240‐[email protected]

All materials provided in this session are copyrighted by Process Renewal Group.

The materials must not be copied, duplicated, or reproduced in any manner, or transmitted to others without the written consent of Process Renewal Group.

Why a talk about risks and processes?

Risk management fails when considered as:

• routine to comply with regulations

• task only for potentially ‘high risk’ areas

• risks mitigated by additional controls only

• effectiveness of controls not analysed

A better approach is needed!

Presentation agenda

• 7 step approach: Key tasks performed

• Results: What was accomplished

• Background: Client and situation

• Sustainment Plan: Proposed plan to maintain deliverables and sustain compliance

Client

• One of the largest banks in North America

• Financial institution under SOX/BASEL requirements

• Motivated to improve their risk assessment processes

Situation and objectives 

Objectives

• Document processes and incorporate a control framework

• Ensure that all activities are compliant with regulatory requirements and that all appropriate controls are in place

• Establish the structured baseline processes to be in a position to organize and sustain the effort of operational risk compliance

Success Criteria

• End to End process maps that can be collectively referenced for multiple risk and performance purposes

• Controls clearly mapped enabling audit of risks and controls

• Having the ongoing means to maintain the process models, risk identification and control points

Our task was to facilitate the risk control self‐assessment within certain business areas of the bank

Initiative in numbers

• 11 Subject Matter Experts

• 64 Hours of workshops

• 42 Process streams

• 48 Identified risk origination points

• 12 Potential control gaps identified

• 22 Non-active controls mapped

• 12 Active controls mapped

• 2 Risk types

The 7 Steps of the Process‐Centric Approach to Manage Operational Risk

1. Review documented risks, controls and processes

2. Define scope

3. Map processes in scope

4. Identify and map risks and existing controls

5. Determine gaps in risk controls and process performance

6. Identify and assess process improvement and risk mitigation opportunities

7. Develop and implement integrated process improvement and risks mitigation action plan

Step 1: Review documented risks, controls and processes

Make sure you get it all!

Step 2: Define scope

• What processes

  • Including preceding, subsequent and parallel processes

• What risks

  • reputational risks, security risks, privacy risks, etc.

• What potential inherited risks

• What aspects of risk management

  • mapping risk origination point to the process step; identifying risk severity and probability, identifying key risk indicators, etc.

Step 3. Map processes in scope

• Connect to outside stakeholders

• End to end comprehension

• Maintain best‐practice modeling standards

• Encourage model‐based conversations

• Variations, potential risks, issues, process improvements and potential performance enhancement opportunities

[Diagram labels: Customer, Supplier, Regulators, People and IT providers]

Step 3 (cont’d). Leveling and detailed description 

Acquire, construct and manage real‐estate

• Design and build / acquire real‐estate assets

• Maintain real‐estate assets

• Obtain and install real‐estate assets

• Dispose of real‐estate assets

Step 4. Identify and map risks and existing controls

For each risk:

• Ensure clarity on risk type and description

• Define criticality (materiality, severity and likelihood)

• Identify true origination point of this risk

• Map existing controls

• Ensure that control process steps are indeed performed

• Discuss history of failures

Step 4 (cont’d). Identify and map risks and existing controls

While this project focused on only 2 risks, the proposed approach can be applied across all risk types

[Process map legend: Origination point for risk; Control point; Note related to the activity (N‐1)]

Step 5. Determine gaps in risk controls and process performance

• Are critical risks mitigated?

• Why do incidents still occur?

• Are we achieving business objectives?

Step 5 (cont’d). Determine gaps in risk controls and process performance

While this project focused on only 2 risks, the proposed approach can be applied across all risk types

[Process map legend: Origination point for risk; Control point; Note related to the activity (N‐1); Area of potential risk/control management weakness (GAP‐1.05)]

Step 6. Identify and assess process improvement & risk mitigation opportunities  

• What can we improve?

Be creative

• brainstorming

• mind mapping

• root cause

• creative workshop

Search for

• unnecessary steps

• system change

• templates, forms

• behavior

• Do we create any new risks by improving?

• Do we harm process performance by introducing new Controls?

Paul Kaptein, Australia

Step 7. Develop and implement integrated process improvement and risks mitigation action plan

Finalise design:

• Define KRIs and KRI measurement and reporting activities

• Imbed measurement and red‐flag follow‐up

• Consolidate all findings into process documentation

Plan implementation:

• Utilise hexagon to know what it will take to change

• Socialise; get back to Step 6

• Prioritise, assign responsibility 

Realistic risk management governance depends on true process maturity

• Level 1, Isolated: Processes are unpredictable, poorly controlled and reactive. High risk potential with few controls.

• Level 2, Fragmented: Processes are defined functionally in a consistent way but not integrated. Localized controls – ETE risks / controls may be missed.

• Level 3, Integrated: Processes are architected end to end across functions and groups. Architected processes – ETE risks / controls established and aligned.

• Level 4, Aligned: Processes are measured and controlled. Architected processes – ETE risks / controls measured, monitored and mitigated.

• Level 5, Sustaining: Focus is on process / performance improvement. ETE Processes continuously improving, risks and controls continuously adapting.

[Figure: maturity scale with "Current Maturity" and "Target Maturity" markers]

Integrated process: process governance & risk assessment 

1. Monitor: Monitor Business Environment Factors, KPIs & KRIs

2. Improve & Assess: Conduct Process Improvement & Risk‐Control Assessment

3. Identify: Identify Risks & Process Performance Gaps

4. Develop & Implement: Develop & Implement Process Improvement & Risks Mitigation Action Plan

5. Quarterly Review: Conduct Quarterly Risk‐Control Attestation

Result

• We performed process improvement, without creating risks

• We mitigated risks by changing process

• We eliminated the gaps on current process documentation

• We will use this work as foundation for suggesting changes/improvement in process and risk governance

Ultimate result

Sponsor: “I sleep better at night now. I know what we do, where the risks are, do we mitigate them or not. I also have re‐connected with staff to understand what we need to improve”

Fundamentals of this approach

• the risks occur as the result of certain activity or lack of activity

• control is an activity serving as a risk mitigation

• activity is required to measure identified KRIs 

• A ‘systems approach’ is required to improve the compliance of the organization without substantially harming its process performance
