Avoiding Risk Management Failure: A Case Study in Process Improvement and Risk Mitigation

Transcription

1 Avoiding Risk Management Failure: A Case Study in Process Improvement and Risk Mitigation Roger Burlton and Sasha Aganova The Process Renewal Consulting Group Inc. November 2015

2 Notice of confidentiality All materials provided in this session are copyrighted by Process Renewal Group. The materials must not be copied, duplicated, or reproduced in any manner, or transmitted to others without the written consent of Process Renewal Group. Roger Burlton President and Managing Partner Process Renewal Group, BPTrends Associates Suite 305, 125 Milross Ave Vancouver, BC V6A 0A1 Phone: Process Renewal Group. All Rights Reserved. 2

3 Why a talk about risks and processes? Risk management fails when considered as: routine to comply with regulations task only for potentially high risk areas risks mitigated by additional controls only effectiveness of controls not analysed A better approach is needed! 2015 Process Renewal Group. All Rights Reserved. 3

4 Presentation agenda Background Client and situation 7 step approach Key tasks performed Sustainment Plan Proposed plan to maintain deliverables and sustain compliance Results What was accomplished 2015 Process Renewal Group. All Rights Reserved. 4

5 Presentation agenda Background Client and situation 7 step approach Key tasks performed Sustainment Plan Proposed plan to maintain deliverables and sustain compliance Results What was accomplished 2015 Process Renewal Group. All Rights Reserved. 5

6 Client One of the largest banks in North America Financial institution under SOX/BASEL requirements Motivated to improve their risk assessment processes 2015 Process Renewal Group. All Rights Reserved. 6

7 Situation and objectives Our task was to facilitate the risk control self assessment within certain business areas of the bank Objectives Document processes and incorporate a control framework Ensure that all activities are compliant with regulatory requirements and that all appropriate controls are in place Establish the structured baseline processes to be in a position to organize and sustain the effort of operational risk compliance Success Criteria End to End process maps that can be collectively referenced for multiple risk and performance purposes Controls clearly mapped enabling audit of risks and controls Having the ongoing means to maintain the process models, risk identification and control points 2015 Process Renewal Group. All Rights Reserved. 7

8 Initiative in numbers Subject Matter Experts Hours of workshops Process streams Risk types Identified risk origination points Active controls mapped Non-active controls mapped Potential control gaps identified 2015 Process Renewal Group. All Rights Reserved. 8

9 Presentation agenda Background Client and situation 7 step approach Key tasks performed Sustainment Plan Proposed plan to maintain deliverables and sustain compliance Results What was accomplished 2015 Process Renewal Group. All Rights Reserved. 9

10 The 7 Steps of the Process Centric Approach to Manage Operational Risk 1 Review documented risks, controls and processes 2 Define scope 3 Map processes in scope 4 Identify and map risks and existing controls 5 Determine gaps in risk controls and process performance 6 Identify and assess process improvement and risk mitigation opportunities 7 Develop and implement integrated process improvement and risks mitigation action plan 2015 Process Renewal Group. All Rights Reserved. 10

11 Step 1: Review documented risks, controls and processes Make sure you get it all! 2015 Process Renewal Group. All Rights Reserved. 11

12 Step 2: Define scope What processes Including preceding, subsequent and parallel processes What risks reputational risks, security risks, privacy risks, etc. What potential inherited risks What aspects of risk management mapping risk origination point to the process step; identifying risk severity and probability, identifying key risk indicators, etc Process Renewal Group. All Rights Reserved. 12

13 Step 3. Map processes in scope Connect to outside stakeholders End to end comprehension Maintain best practice modeling standards Encourage model based conversations Variations, potential risks, issues, process improvements and potential performance enhancement opportunities SUPPLIER REGULATORS CUSTOMER PEOPLE AND IT PROVIDERS 2015 Process Renewal Group. All Rights Reserved. 13

14 Step 3 (cont d). Leveling and detailed description Acquire, construct and manage real estate Design and build / acquire real estate assets Maintain real estate assets Obtain and install real estate assets Dispose of real estate assets 2015 Process Renewal Group. All Rights Reserved. 14

15 Step 4. Identify and map risks and existing controls For each risk: Ensure clarity on risk type and description Define criticality (materiality, severity and likelihood) Identify true origination point of this risk Map existing controls Ensure that control process steps are indeed performed Discuss history of failures 2015 Process Renewal Group. All Rights Reserved. 15

16 Step 4 (cont d). Identify and map risks and existing controls N 1 Origination point for risk Control point Note related to the activity While this projects focused on only 2 risks the proposed approach can be applied across all risk types 2015 Process Renewal Group. All Rights Reserved. 16

17 Step 5. Determine gaps in risk controls and process performance Are critical risks mitigated? Why incidents still occur? Are we achieving business objectives? 2015 Process Renewal Group. All Rights Reserved. 17

18 Step 5(cont d). Determine gaps in risk controls and process performance N 1 GAP 1.05 Origination point for risk Control point Note related to the activity Area of potential risk/control management weakness While this projects focused on only 2 risks the proposed approach can be applied across all risk types 2015 Process Renewal Group. All Rights Reserved. 18

19 Step 6. Identify and assess process improvement & risk mitigation opportunities What can we improve? Be creative brainstorming mind mapping root cause creative workshop Search for unnecessary steps system change templates, forms behavior Do we create any new risks by improving? Do we harm process performance by introducing new Controls? Paul Kaptein, Australia 2015 Process Renewal Group. All Rights Reserved. 19

20 Step 7. Develop and implement integrated process improvement and risks mitigation action plan Finalise design: Define KRIs and KRIs measurement, reporting activities Imbed measurement and red flag follow up Consolidate all findings into process documentation Plan implementation: Utilise hexagon to know what it will take to change Socialise; get back to Step 6 Prioritise, assign responsibility 2015 Process Renewal Group. All Rights Reserved. 20

21 Presentation agenda Background Client and situation 7 step approach Key tasks performed Sustainment Plan Proposed plan to maintain deliverables and sustain compliance Results What was accomplished 2015 Process Renewal Group. All Rights Reserved. 22

22 Realistic risk management governance depends on true process maturity Level 1 Isolated Processes are unpredictable, poorly controlled and reactive High risk potential with few controls Current Maturity Level 2 Fragmented Processes are defined functionally in a consistent way but not integrated Localized controls ETE risks / controls may be missed Target Maturity Level 3 Integrated Processes are architected end to end across functions and groups Architected processes ETE risks / controls measured, monitored and mitigated Level 4 Aligned Processes are measured and controlled Architected processes ETE risks / controls established and aligned Level 5 Sustaining Focus is on process / performance improvement ETE Processes continuously improving, risks and controls continuously adapting 2015 Process Renewal Group. All Rights Reserved. 23

23 Integrated process: process governance & risk assessment 1. Monitor 2. Improve & Assess 3. Identify 4. Develop & Implement 5. Quarterly Review Monitor Business Environment Factors, KPIs & KRIs Conduct Process Improvement & Risk Control Assessment Identify Risks & Process Performance Gaps Develop & Implement Process Improvement & Risks Mitigation Action Plan Conduct Quarterly Risk Control Attestation 2015 Process Renewal Group. All Rights Reserved. 24

24 Presentation agenda Background Client and situation 7 step approach Key tasks performed Sustainment Plan Proposed plan to maintain deliverables and sustain compliance Results What was accomplished 2015 Process Renewal Group. All Rights Reserved. 25

25 Result We performed process improvement, without creating risks We mitigated risks by changing process We eliminated the gaps on current process documentation We will use this work as foundation for suggesting changes/improvement in process and risk governance 2015 Process Renewal Group. All Rights Reserved. 26

26 Ultimate result Sponsor: I sleep better at night now. I know what we do, where the risks are, do we mitigate them or not. I also have re connected with staff to understand what we need to improve 2015 Process Renewal Group. All Rights Reserved. 27

27 Fundamentals of this approach the risks occur as the result of certain activity or lack of activity process control is an activity serving as a risk mitigation process activity is required to measure identified KRIs process A systems approach is required to improve the compliance of the organization without substantially harming its process performance 2015 Process Renewal Group. All Rights Reserved. 28