“Risk is like fire: If controlled, it will help you; if uncontrolled it will rise up and destroy you.” -Theodore Roosevelt
Risk Management teams who are tasked with identifying risk might go about their task in one of two ways. They can either cast a wide net to capture as many risks as possible while grouping risks into actionable themes, or they can use a (more effective) process-based approach.
Identifying Risks: The Brainstorming Approach Falls Short
The most tempting and immediately gratifying option is to facilitate broad brainstorming activities from the top down, discovering (hopefully) repeating themes and granularly defined risks that become more actionable as more and more inputs are gathered. These brainstorming activities are often scheduled with a cross-functional participant group representing all levels of the hierarchy, with hopes that the participants will be a representative sample of the entire organization. The Risk Management Team kicks off meetings for these lucky participants with reassurances that “we are all equals for this activity,” and “there are no bad ideas.” Opulent catering is provided to lift the mood during the tedious and dreary task of letting our inner pessimists run amok. Risks are captured on post-it notes, color coded, and transferred to flipcharts. The rules of brainstorming require us to initially treat all risks equally, regardless of the likelihood or reality of actual occurrence (I once attended a Risk Management brainstorming session that spent time quantifying the impact of alien invasions and sharknadoes!)
After these brainstorming sessions, the Risk Management team is left to swim through their piles of post-it notes, which provide endless opportunities to mitigate risks. The sessions have generated lists of action items, and action feels good. After all, isn’t the whole point of Risk Management to take preventive action now instead of reactive action later? However, after these types of brainstorming activities, the most astute Risk Management professionals are often left with the nagging question of “what have we missed?”
Identifying Risks: Business Process to the Rescue
Risk Management teams in mature organizations have an alternate option to this brute-force approach. They can partner with their Business Process Management team to methodically surface risks, quantify their threat, and spread a culture of Risk Management to the entire organization as a way of working (as opposed to an episodic brainstorming exercise for a select group of randomly selected individuals.) Let’s explore each of these benefits of using the Process-based approach in more detail:
1. A more complete listing of risks.
Business Processes can be used as a framework for subject matter experts, leaders, and process owners to build a more complete list of risks. To accomplish this, the Risk Management team “walks the process” with the experts to identify, step by step, any risks to the successful completion of that step. Those familiar with Lean Value Stream Mapping will recognize this approach from the practice of marking improvement opportunities as “bursts” on the appropriate process steps. Similarly, a shape might be used to mark an entry in the process’ risk register corresponding to that step. For example, the team might use a red triangle to signify the risk, and a green triangle to signify the corresponding control for that risk (or the lack of a control, by leaving that shape absent). This approach is particularly useful for process owners who need to demonstrate to internal or external auditors that risks have been identified and mitigated.
The result of this “process-based” approach is a more comprehensive listing of possible risks, because the team is required to consider every step of the process. If the team were to rely on brainstorming alone, they would be more likely to overlook several process steps, especially those steps and activities that have historically performed quietly and reliably in the background. The process approach gives every step in the process an opportunity to be analyzed for risk.
2. A more useful quantification and prioritization of risks.
The most commonly used tool to quantify and prioritize risks is the “Failure Mode and Effects Analysis” (FMEA). This tool assigns three “scores” to each risk: the likelihood of the risk occurring, the severity of the risk, and the possibility of the risk happening undetected. These three scores are then mathematically combined (usually multiplied) to arrive at one final score called the “Risk Priority Number” (RPN). The team can then decide, on a risk-by-risk basis, whether action is warranted to avoid the incident altogether, mitigate it by lowering the likelihood, share the impact of the risk through insurance, or accept the risk.
Again, the process-based approach is preferable because a separate FMEA can be developed for each individual process. One of the biggest challenges to facilitating a group through an FMEA is the inevitable debate around the “score” that each risk deserves. Some facilitators attempt to pre-empt this debate by introducing pre-defined thresholds for each score. For example, in the Automotive industry, a severity 10 signifies that serious injury or death may result. However, the group typically ends up scoring each risk in relation to the others. The participants refer to prior scored risks to feel out the “right” score for the new ones. The conversation inevitably follows something along the lines of “If we gave the last risk a likelihood of 6, this one definitely deserves a 7….”
3. Risk Management becomes a cultural way of working instead of an “event”.
By developing an individual FMEA for each process, participants are free to address the most significant risks for that process, regardless of whether risks elsewhere score a higher RPN. If all risks from a brainstorming approach were combined into a master FMEA, some risks would score lower relative to others than they would in the context of their own Business Process. For example, a temporary outage of the HRIS system might score a much lower RPN than a temporary outage of the CRM or ERP systems in a combined FMEA. However, the outage would be devastating for the HR team’s business processes. By separating out the HR Business Process FMEA, the same HRIS outage scores much higher in relation to the other HR risks, which encourages the HR team to take preventive action.
The Business Process approach also encourages a more widespread cultural embrace of Risk Management by simply expanding the participant pool. When the scope of risk identification is focused on a single Business Process, more experts can participate instead of relying on a representative sent to a larger brainstorming session. Furthermore, the activity can be incorporated into regular team gatherings throughout the year, instead of burdening the Risk Management team with a flurry of activity in preparation for audits.
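To make the RPN calculation and the master-versus-per-process ranking argument concrete, here is a small added example (not from the article) that computes RPN as likelihood × severity × detection and compares where an HRIS outage ranks in a combined register against its rank in the HR-only FMEA. All risk names and scores below are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    process: str      # owning Business Process, e.g. "HR" or "Sales"
    name: str
    likelihood: int   # 1..10, how likely the failure is to occur
    severity: int     # 1..10, how bad the effect is when it occurs
    detection: int    # 1..10, higher means LESS likely to be caught before impact

    @property
    def rpn(self) -> int:
        # Risk Priority Number: the usual multiplicative combination of the three scores
        return self.likelihood * self.severity * self.detection


# Constructed sample register; scores are illustrative assumptions, not article data
REGISTER = [
    Risk("Sales", "CRM outage", 4, 9, 6),
    Risk("Finance", "ERP outage", 3, 10, 7),
    Risk("Sales", "Lost lead data", 5, 7, 5),
    Risk("HR", "HRIS outage", 3, 6, 4),
    Risk("HR", "Payroll file sent late", 2, 5, 3),
    Risk("HR", "Badge printer down", 4, 2, 2),
]


def rank(risks):
    """Order risks by RPN, highest first (ties broken by name for stable output)."""
    return sorted(risks, key=lambda r: (-r.rpn, r.name))


def rank_of(name, risks):
    """1-based position of the named risk within the ranked list."""
    return [r.name for r in rank(risks)].index(name) + 1


def per_process(risks):
    """Split one master register into a separate FMEA per Business Process."""
    out = {}
    for r in risks:
        out.setdefault(r.process, []).append(r)
    return out


def compare(name, risks):
    """Rank of a risk in the master FMEA versus in its own process's FMEA."""
    proc = next(r.process for r in risks if r.name == name)
    return rank_of(name, risks), rank_of(name, per_process(risks)[proc])


if __name__ == "__main__":
    combined, own = compare("HRIS outage", REGISTER)
    print(f"HRIS outage: #{combined} of {len(REGISTER)} in the master FMEA, #{own} in the HR FMEA")
```

With these constructed scores the HRIS outage sits fourth in the master register but first in the HR process's own FMEA, which is the effect the article describes.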
Employing a Business Process-focused approach to identifying, quantifying, and acting on potential risks offers many advantages over traditional approaches. Organizations and Risk Management teams who take advantage of this powerful relationship between Business Process and risk can expect to see significant improvements in the breadth of risks identified, the quality of risk prioritization, and a sharpening of the Risk Management acumen across their entire cultural landscape.