
Speaking with Risk Managers, I find that, almost always, risk management is performed in Excel.
There’ll be a ‘Risk Register’ file, where (generally) the Risk team will be responsible for documenting an exhaustive list of risks in one column, and in another column the treatments/controls for those risks. This Excel file typically lives in a Risk SharePoint, is maintained by the Risk team, and is provided to auditors come audit season.
The key problem with this approach is that the process participants who are supposed to be performing these treatments and controls have no idea that the Risk Register exists. Accordingly, they have no idea that these treatments/controls exist (or are told once and then completely forget). These treatments/controls are therefore never actually performed, meaning that risk management turns into a theoretical exercise that may be sufficient for audit purposes but drives limited tangible benefit to the business.
A better approach: linking risk management with process management
If the current approach is broken, what then is the solution? Let’s start by defining a control as a step in a process that reduces the chance of an incident taking place and/or reduces the severity of the incident if it does take place. The key words here are “a step in a process” – your risks, controls/treatments, and processes all need to be linked.
Let’s take an example. We identify a risk that, like all organisations, we have exposure to phishing attacks. Step one is to register this risk:

There are a few things to note here. Another major problem with the traditional approach to risk management is that it leads to a culture where the organisation sees risk management as the responsibility of our Risk team; to be effective in risk management it’s critical that we build a culture where risk management is seen as part of everyone’s job.
In this case, I’ve assigned this risk to the Finance portfolio. The Finance portfolio will have a named Risk Manager who comes from the Finance team itself and has ultimate ownership and accountability for all of the risks in this portfolio. Because, in a group like Finance, there will be a large number of risks, rather than having one person own all of the risks within Finance, I have assigned an owner to this specific risk, Hugo. Further, to reinforce the idea that risk management is part of everyone’s job, you might notice that the title I’ve given this risk is clear and free of jargon – it is simply in the format of a bad outcome followed by a specific cause. At this stage, I’ve assigned it a Likelihood and a Severity, which are used to calculate the inherent risk score. If a treatment/control is already in place I can assess it, which will calculate a residual risk score. In many cases, however, we will start by identifying a risk, with the next stage being to design and implement a control.
With that said, let’s add a control. As I mentioned, ideally our controls should be steps in a process. So let’s look at our ‘Transfer funds to a supplier’ process:

Currently, this is a three-activity process where, inside Activity 2, the Finance Manager is asked to complete a payments checklist, which helps to determine whether or not the payment is aligned with company policy.
While this might have been sufficient in the past, perhaps we decide that given the sophistication of today’s phishing scams, this process needs to be updated with a more robust control.

And so we add a new activity where the Finance Manager needs to have a phone or face-to-face conversation with the person asking for the payment if it is over £5,000.
It’s now time to link this control with the risk that we identified.

A few things to note here:
Finally, we need to assign this treatment an effectiveness rating so that we can get our Residual score.

And now everything has been linked. From my risk register I can see the risk, the treatment for the risk, and can easily navigate to the process that contains the treatment:

And equally, when I’m in the process, I now see a warning icon in the top right corner of Activity 3, which tells me that it’s a treatment for a risk (and therefore I should pay especially close attention) and can also show me which risk it’s treating:
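To make the linkage concrete, here is a small Python model of the register described above, added as an illustration; it is not the post’s own tooling and not Nintex Process Manager’s API. The post says likelihood and severity give the inherent score and a treatment’s effectiveness rating gives the residual score, but does not state the arithmetic, so the formulas (inherent = likelihood × severity; residual = inherent × (1 − effectiveness), 1–5 scales, effectiveness between 0 and 1) are assumptions, as are the risk title, the activity names and the numeric values used as sample data.

```python
# Added example: a minimal risk register linked to process activities.
# Illustrative code only; not the post's tooling and not Nintex's API.
# Scoring arithmetic and all sample values are assumptions (see lead-in).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Activity:
    """One step in a named process."""
    process: str
    number: int
    name: str
    actor: str


@dataclass
class Treatment:
    """A control is a step in a process, so a treatment always points at an Activity."""
    name: str
    activity: Activity
    effectiveness: float  # assumed scale: 0.0 (no effect) to 1.0 (fully effective)

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")


@dataclass
class Risk:
    """Title follows the post's convention: a bad outcome followed by a specific cause."""
    title: str
    portfolio: str
    owner: str
    likelihood: int  # assumed 1-5 scale
    severity: int    # assumed 1-5 scale
    treatments: list = field(default_factory=list)

    def inherent_score(self) -> int:
        # Assumed formula: inherent score = likelihood x severity
        return self.likelihood * self.severity

    def residual_score(self) -> float:
        # Assumed formula: each treatment removes its effectiveness share of what remains
        score = float(self.inherent_score())
        for t in self.treatments:
            score *= 1.0 - t.effectiveness
        return round(score, 2)


class RiskRegister:
    """Holds processes, risks and the links between them."""

    def __init__(self):
        self.processes = {}  # process name -> list of Activity
        self.risks = []

    def add_process(self, name, activities):
        self.processes[name] = list(activities)

    def add_risk(self, risk):
        self.risks.append(risk)

    def link_treatment(self, risk, treatment):
        # Enforce the post's rule: a control must be an actual step in a registered process
        known = self.processes.get(treatment.activity.process, [])
        if treatment.activity not in known:
            raise ValueError(f"{treatment.activity.name!r} is not a step in any registered process")
        risk.treatments.append(treatment)

    def risks_treated_by(self, activity):
        # The 'warning icon' view: which risks does this activity treat?
        return [r for r in self.risks if any(t.activity == activity for t in r.treatments)]

    def processes_for(self, risk):
        # The register view: which processes contain this risk's treatments?
        return {t.activity.process for t in risk.treatments}


def build_example():
    """Constructed sample data mirroring the post's phishing / supplier payment scenario."""
    reg = RiskRegister()
    process = "Transfer funds to a supplier"
    a1 = Activity(process, 1, "Receive payment request", "Accounts Payable")
    a2 = Activity(process, 2, "Complete payments checklist", "Finance Manager")
    a3 = Activity(process, 3, "Phone or face-to-face confirmation for payments over £5,000", "Finance Manager")
    reg.add_process(process, [a1, a2, a3])

    risk = Risk(
        title="Funds paid to a fraudulent account because of a phishing email",  # constructed
        portfolio="Finance", owner="Hugo", likelihood=4, severity=5,
    )
    reg.add_risk(risk)
    reg.link_treatment(risk, Treatment("Verbal confirmation of large payments", a3, effectiveness=0.75))
    return reg, risk, a3


if __name__ == "__main__":
    reg, risk, a3 = build_example()
    print("Inherent:", risk.inherent_score(), "Residual:", risk.residual_score())
    print("Processes for risk:", reg.processes_for(risk))
    print("Risks treated by activity 3:", [r.title for r in reg.risks_treated_by(a3)])
```

The point of `link_treatment` refusing an activity that is not in a registered process is the post’s central argument in code form: a treatment that is not a step someone actually performs never leaves the spreadsheet. `risks_treated_by` is the lookup behind the warning icon on Activity 3, and `processes_for` is the navigation from the register to the process.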

In summary then, for risk management to be effective:
If you’re interested in learning more about the risk management process that I’ve described above using Nintex Process Manager please reach out and I’ll be happy to take you through a guided example.
Digital Transformation Business Manager