Representing Operational Risk or Enterprise Risk Management for that matter as pieces of a puzzle has always been appealing and that appeal never seems to wear thin. It certainly used to be a bit of a fascination for me but the real magic of a risk framework design doesn't come from identifying the pieces of the puzzle specifically but from interconnecting these elements in a seamless manner.
Putting the pieces of a risk framework puzzle together still seems to be a challenge for risk managers, even today.
I was browsing the LinkedIn forums as one does, well as some risk people tend to do and I stumbled across this image of operational risk being represented as framework elements interlocked in a puzzle.
The Sergio Galanti Puzzle Workshop 2016 | Inveniat [LINK]
This was a real déjà vu for me and about eight years ago, Causal Capital delivered an industry initiative for risk departments in Indonesian Banks that pretty much ran along the same lines.
Causal Capital Integrated Risk Management Conference 2007 | Martin Davies
Both events shown above are risk workshops or conferences focusing on operational risk management being serviced by specific elements or initiatives, even though the two risk puzzles prioritize different elements of a risk framework, the intergration of these elements is paramount.
When it comes to risk frameworks, I quite like this way of thinking because it allows risk management to become a repeatable set of exercises that can be deployed across an institution. It encapsulates the process of risk assessment into unique components that tell a different story about uncertainty. Loss Data recorded from incidents gives risk managers direct insight into what has gone wrong in their business, scenario analysis is a forward looking exercise that explores what could go wrong and Key Risk Indicators is a separate effort that measures specific risk factors that tell us where we are right now.
This way of thinking is very different from what is described in risk management standards such as ISO 31000 or COSO. These risk programs tend to walk through risk management as if it is a process that needs to be followed and anyone familiar with ISO 31000 will know what I am talking about. The process of risk management is represented in clause 5 of the ISO 31000 standard and flows in the following manner:
5.3 - Establish Context
5.4.2 - Risk Identification
5.4.3 - Risk Analysis
5.4.4 - Risk Evaluation
5.5 - Risk Treatment
While the risk management puzzle is fascinating, it has some complexities that need to be resolved.
Most importantly, how does the risk manager interconnect the elements of the risk puzzle so that they work together in a harmonized way? What I truly mean by harmonized or integrated is that data captured in the Loss Data exercise can be useful to the Scenario Analysis or KRI program. If these individual efforts are not bound together, the risk management framework becomes disjointed and big analytic opportunities are missed.
Integrating the Risk Framework Elements | Causal Capital [Click image to enlarge]
To bridge this gap risk managers need to think deeply about what these individual activity centers deliver in respects to data. They also need to develop a way in which that data can be bound in a 'relationship like' database to convert the data into information. Data and information are not the same thing!
I have found two facilities need to be present to make these relationships work or to cement the various risk management puzzle pieces; the first facility is a Risk Taxonomy and the second is an Enterprise Risk Map.
Risk Management Database Example | Causal Capital
In the Access Database example shown above, you can see data is being 'bound' or interconnected using a Risk Event Classification Table and a Business Unit Table. I would be curious to see other ways to interrelate risk data to paint this integrated big picture of risk management but I find risk practitioners have a tendency to end up with the same kind of structure.