It is important that any organisation understands the impact that its business processes may have on its operational risk and its ability to continue in business. Consequently, any organisation must design and develop a method of risk assessment which can be used to identify and determine these risks.
This involves identifying and then documenting the process. In some cases the process will already have been defined and documented, usually in the form of a process flow chart. However, if new processes are being designed they may not be clearly defined. In these cases additional time will have to be allowed for this phase of the work. It is nevertheless a critical phase which cannot be omitted, as risk assessment cannot be performed properly until a process has been defined and described.
Once each process has been documented, a trained and skilled individual, or group of individuals, should review it to identify any weaknesses. These weaknesses are the parts of the process that could lead to an operational risk event. It must be noted that these weaknesses are not necessarily an indication of inefficiency; they are specifically those which may give rise to an operational risk.
Examples of process weaknesses:
The above are only examples of weaknesses. Each organisation will have to take a view on the weaknesses which may be applicable to it.
Once the weaknesses, sometimes known as points of failure, have been identified, the operational risk events associated with these points should be identified. To help with this stage of the process it is advisable for the organisation to determine and agree the categories of process risk. Although there may be risks that are common to all sectors of the economy, it is likely that many risks will be unique to each organisation. Once agreed, these risk categories should then be documented.
Each risk which is subsequently identified from the review of the process should then be recorded in an agreed format.
Some organisations may choose to score the risk. This is an optional task, but if carried out it helps to identify the potential severity of the risks and thus their importance to the organisation. If risk scoring is pursued it will be possible to determine and quantify the organisation's risk exposure. Both the probability of an event occurring and its potential impact should be assessed. In this way an organisation's exposure to risk can be accurately assessed. Once all risks have been scored it will be possible to produce a list or table of all risks and their potential threat to the organisation. This can then be used to determine which risks will need to be addressed and to identify actions that can be introduced to reduce the threat they pose. Clearly, priority should be given to those risks posing the greatest threat.
This stage concludes the required identification and assessment of risk. The next stage is to identify and design measures that can be implemented to mitigate these risks. This is described in Risk Assessment II.