In the first two parts of this series, I identified both profit/loss statements and excessive growth as areas where operational risk is more easily overlooked. In our final installment of the series, I’d like to focus on the completeness of the risk assessment process.
In my experience working with and speaking to risk managers from financial institutions, I have encountered differences in how complete their risk assessments are. Some institutions opt for a process that focuses on more critical risks, while omitting other risks from the assessment, in an effort to save some time and money.
Unfortunately, this leaves blind spots in a risk management program that can be detrimental in the future. People, technologies, and processes change, and today’s low risks can develop into critical risks without much notice. If a low risk isn’t being assessed and turns into a large issue, you can find your organization’s security and safety being called into question.
The best approach is this: any risk assessment process must start with a comprehensive inventory of all business processes, and each process must be subjected to the rigor of an inherent risk and quality-of-control assessment. This has the potential to be a time-consuming and expensive project; however, it’s important to have a focused message to get the support you need: “We need a process to identify all risks and threats.” Remember, cutting time and expenses from the assessment process is done at your own risk…
Let me know what keeps you up at night! Feel free to fill out this contact form with any questions or comments about this post, operational risk blind spots, or enterprise risk management in general.