I got a chance to hear Roger Burlton and Sasha Aganova of the Process Renewal Group talk about a recent case study of theirs concerning risk management and processes. This is a hot topic of course, with new regulations and new requirements for financial services firms. Compliance with these risk management regulations, though, can’t be seen either as just a routine need to be compliant or as a way to mitigate only what has gone wrong recently. It also cannot involve just another layer of controls – simply adding another set of processes is both inefficient and hard to assess for effectiveness.
The particular client was a very large financial institution covered by both SOX and Basel in North America, and motivated to improve its risk management processes. The project was to do a self-assessment of some of the bank’s risk controls, checking for regulatory compliance. This meant mapping the processes end to end, identifying the controls so they could be audited, and providing a way to keep this up to date. It involved 60+ hours of workshops for 11 SMEs, creating 40+ processes with 48 points where risk might occur. To do this they followed a 7-step process:
- Review documented risks, controls and processes
  No matter how bad it is, collect everything you can, even material that is incomplete.
- Define the scope
  Which processes, which risks, which potential inherited risks, and what aspects of risk management?
- Map the in-scope processes
  Connect with outside stakeholders, develop end-to-end comprehension, and enable model-based conversation (using best-practice models) about how the process might be improved or what issues it might have. Use multiple levels so that each stage focuses on an appropriate level of detail.
- Identify and map risks and existing controls to these processes
  What is the risk, where does it originate, what controls exist, and what failures have happened in the past? Make sure you know what data is flowing where, especially when that data must be controlled.
- Determine gaps in controls and process
  Is there mitigation for critical risks, what incidents still happen, and which business objectives are not being met?
- Identify and assess process improvement and risk mitigation opportunities
  - Lots of creativity: mind maps, brainstorming, etc.
  - Eliminate unnecessary steps without adding risk
  - Identify system changes, template and form changes, checklists
  - Find the places where behavioral change is required
  - Don’t create new risks, don’t harm the process
- Develop an action plan and ongoing maintenance activities
  Define measures and KPIs and embed follow-up activities. Socialize the whole thing and make sure actions are assigned and prioritized.
A critical element of success was matching the actions and plan to the level of maturity of the organization. The team had to show the organization how to move from its current level to the next one without overwhelming it. The sponsor was handling all the problems that made it to the end of the process, but she had to work with the upstream teams to eliminate those problems – an organizational challenge, of course.
Overall, the project improved the processes to mitigate existing risks while not introducing new ones. It also eliminated gaps in documentation and established a foundation for other risk areas. In the end, the sponsor sleeps better at night!
There’s more on this case study on BP Trends: “Avoiding Risk Management Failure: An End-to-End Process Approach”.