RMORSA Part 2: Risk Identification and Prioritization
August 18, 2017 at 10:28 am by Steven Minsky
The first step in Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, risk culture and governance, lays the groundwork and defines roles for your risk management function. The second step, risk identification and prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk-based decision making.
The engine behind this process – the enterprise risk assessment – isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. And what good is a top 10 risk if you can’t answer the inevitable question: what are you going to do about it?
Take a Root-Cause Approach
By categorizing risks, it becomes easy to spot when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.
Use a Single Set of Criteria
When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values. Chances are, the answer will be very few.
To combat the lack of financial awareness, qualitative criteria are essential for operational risk assessments. Create qualitative criteria that will apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or result in a serious variation from an organization’s business values.
Tell a Story to Your Board and Executive Leadership
The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.
Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.
Start implementing risk assessment best practices at your organization today by downloading this complimentary best practice risk assessment template.