Process Management and Risk

Category: Insights
Reading time 5 minute(s)

Speaking with Risk Managers, I find that risk management is often performed in Excel.

There’ll be a ‘Risk Register’ file where (generally) the Risk team document an exhaustive list of risks in one column and, in another column, the treatments/controls for those risks. This Excel file typically lives in a SharePoint folder, is maintained by the Risk team, and is provided to auditors come audit season.

The key problem with this approach is that the process participants who are supposed to be performing these treatments/controls have no idea that the Risk Register exists, which can also mean they have no idea that the treatments/controls exist. The treatments/controls are therefore never actually performed, and risk management turns into a theoretical exercise that may be sufficient for audit purposes but delivers limited tangible benefit to the business.

A better approach: linking risk management with process management

If the current approach is broken, what then is the solution? Let’s start by defining a control as a step in a process that reduces the chance of an incident taking place and/or reduces the severity if the incident does take place. The key words here are ‘a step in a process’ – your risks, controls/treatments, and processes all need to be linked.

Let’s take an example. We identify a risk that, like all organisations, we have exposure to phishing attacks. Step one is to register this risk and the screenshot below shows how this is done in Nintex Process Manager:

There are a few things to note here. The traditional approach to risk management leads to a culture in which the organisation sees risk management as the responsibility of the Risk team; to be effective in risk management it’s critical that we build a culture where risk management is seen as part of everyone’s job.

In this example, I’ve assigned this risk to the Finance portfolio. The Finance portfolio will have a named Risk Manager who comes from the Finance team. This person has ultimate ownership and accountability for all the risks in this portfolio. Because a group like Finance will have many risks, rather than having one person own all of them I have assigned a specific owner to this specific risk; we will call him Hugo. Further, to reinforce the idea that risk management is part of everyone’s job, you might notice that the title I’ve given this risk is clear and free of jargon – it is simply in the format of bad outcome followed by specific cause. At this stage I’ve assigned it a Likelihood and Severity, which are used to calculate the inherent risk score. If a treatment/control is already in place I can assess it, which will then calculate a residual risk score. In many cases you will start by identifying a risk, and the next stage would be to design and implement a control.

It’s now time to add a control. As I mentioned, ideally your controls should be steps in a process. So below we have documented our ‘Transfer funds to supplier’ process in Nintex Process Manager:

Currently, this is a three-activity process where, inside activity 2, the Finance Manager is asked to complete a payments checklist which will help to determine whether or not the payment is aligned with company policy.

While this might have been sufficient in the past, perhaps we decide that given the sophistication of today’s phishing scams, this process needs to be updated with a more robust control.

[Screenshot 3]

And so we add a new activity (activity 3 above) where the Finance Manager needs to have a phone or face-to-face conversation with the person asking for the payment if it is over a certain value (in this case £5,000).

It’s now time to link this control with the risk that we identified as follows:

A few things to note here:

  • I’ve assigned the treatment of the risk to the specific activity in the process that was just created
  • We need to make sure that the treatment is taking place and is effective. To do this we need people to sign off. There are a few options here; in this case I’ve decided the best people to sign off are the swim lane participants who are supposed to be performing the treatment (Finance Managers). I’ve also decided that every Finance Manager needs to sign off that this treatment is in place and effective every 6 months.

Finally, we need to assign this treatment an effectiveness rating (in this case I’ve assigned it ‘strong’) so that we can get our Residual score.
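The steps above (register the risk, link a treatment to a process activity, require periodic sign-off, rate effectiveness to get a residual score) can be modelled as a small linked register. The example below is added here for illustration and is not Nintex Process Manager’s own code or scoring formula; the 1–5 scales, the effectiveness factors, and the names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Scoring is an assumed model for illustration (not Nintex Process Manager's own formula):
# inherent = likelihood x severity on 1-5 scales; residual = inherent scaled by effectiveness.
EFFECTIVENESS_FACTOR = {"strong": 0.25, "moderate": 0.5, "weak": 0.75}
SIGNOFF_PERIOD_DAYS = 182  # "every 6 months", as in the post

@dataclass
class Treatment:
    process: str                          # process that contains the control
    activity: str                         # the activity that is the control
    effectiveness: str                    # "strong" | "moderate" | "weak"
    signoffs: Dict[str, Optional[date]]   # participant -> last sign-off (None = never)

@dataclass
class Risk:
    title: str                            # bad outcome followed by specific cause
    owner: str
    likelihood: int
    severity: int
    treatment: Optional[Treatment] = None
    def inherent_score(self) -> int:
        return self.likelihood * self.severity
    def residual_score(self) -> float:
        if self.treatment is None:        # nothing linked, so nothing reduces exposure
            return float(self.inherent_score())
        return self.inherent_score() * EFFECTIVENESS_FACTOR[self.treatment.effectiveness]

def overdue_signoffs(risk: Risk, today: date) -> List[str]:
    """Participants whose attestation that the control is in place has lapsed."""
    if risk.treatment is None:
        return []
    cutoff = today - timedelta(days=SIGNOFF_PERIOD_DAYS)
    return sorted(p for p, last in risk.treatment.signoffs.items() if last is None or last < cutoff)

def risks_treated_by(register: List[Risk], process: str, activity: str) -> List[str]:
    """Process-side view: the risks a given activity treats (the warning-icon lookup)."""
    return [r.title for r in register if r.treatment is not None
            and (r.treatment.process, r.treatment.activity) == (process, activity)]

# Constructed sample register mirroring the post's example (values are made up).
PHISHING = Risk(
    title="Funds paid to a fraudster because of a phishing email", owner="Hugo",
    likelihood=4, severity=4,
    treatment=Treatment("Transfer funds to supplier",
                        "Activity 3: phone or face-to-face check for payments over £5,000",
                        "strong", {"FM Alice": date(2024, 1, 15), "FM Bob": date(2023, 10, 1),
                                   "FM Carol": None}))
```

Running `overdue_signoffs` on a schedule is what turns the 6-monthly sign-off from a register entry into something the line of business is actually chased for.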

And now everything has been linked. From my risk register in Nintex Process Manager I can see the risk, the treatment to the risk, and can easily navigate to the process that contains the treatment:

And equally, when I’m in the process, I now see a warning icon in the top right corner of Activity 3 which tells me that it’s a treatment to a risk (and therefore I should pay especially close attention) and can also show me what risk it’s treating:

In summary then, for risk management to be effective:

  • We need to have a culture where risk management is seen as part of everyone’s job, not just risk managers
  • We need to make sure that our risks, treatments, and processes are all linked
  • We need governance (from the line of business) built-in with periodic signoff requirements

If you’re interested in learning more about the risk management process that I’ve described above using Nintex Process Manager please reach out and I’ll be happy to take you through a guided example.

Ishan Sellahewa

Digital Transformation Business Manager 
