Take for example this list from Risk.net of Top 10 operational risks for 2017:
None of these would pass even the loosest definition of a risk. They’re a mix of management concerns, threats, broad categories, and activities. With each, there is an implied risk context that is never fully articulated, and often left to each reader to interpret for themselves. Sadly, this list is compiled from risk practitioners who are likely using the same flawed “top risks” list in their own organizations. If these lists are being used to communicate risk focus areas to senior management and to prioritize resources towards risk management efforts, then we have a serious problem.
So the Operational Risk workgroup is taking on the task to recreate this list based on high level FAIR analysis that can stand up to credible challenge, and better communicate the potential exposure that is implied by the original list. Through this exercise, we hope to publish a revised list with supporting analysis for practitioners to use as a starting point for their own programs.
To kick off this effort, we started by analyzing #3 Outsourcing. If you read the description in the Risk.net article, they reference several concerns:
And one event:
Using this as a starting point, the group first framed a risk statement to capture the spirit of this Outsourcing risk:
"Regulator may find that third-party oversight controls are deficient resulting in large fines from regulators (primary loss) and negative publicity (secondary loss)"
Recognizing that this is only one variation of the broad category of outsourcing exposure, we decided to analyze this scenario as an abstraction of the Aviva event. One of the primary assumptions of this scenario is that the deficient third-party outsourcing controls may not meet regulatory expectations, but that the organization isn’t experiencing any other loss/impact. This is an important distinction, because the group quickly realized that looking at the risk of operational loss due to an actual third-party failure is an entirely different scenario. For now, the scenario is simply scoped as the regulator finding non-compliance and the resulting penalties.
With that in mind, the following key scoping attributes were captured:
Asset at Risk            |
Forms of Loss (Primary)  |
Forms of Loss (Secondary)|
Threat                   |
Motivation               |
Impact Area              |
Key Controls             |
The group also discussed the following assumptions for the scenario:
Now we have a template for a tangible risk that could be analyzed in the context of a particular organization, their outsourced business process, and a specific regulator. This of course leaves other scenarios and risk themes to distinguish and scope before we have full coverage for the category of outsourcing.
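To show how a scoped scenario like the one above turns into the "high level FAIR analysis" the workgroup is aiming for, here is an added worked example (mine, not code from the FAIR Institute, Risk.net, or the workgroup). It encodes the scoping attributes from the post (asset, threat, primary loss from fines, secondary loss from negative publicity) as a Python structure and runs a Monte Carlo simulation of annualized loss exposure using only the standard library. Every numeric range in it is a constructed placeholder chosen to be plausible for the scenario, not a figure from the article or the Aviva event, and triangular distributions stand in for the PERT distributions FAIR tools usually use.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated low / most-likely / high range for one FAIR input.

    Sampled as a triangular distribution; this is a stand-in for the PERT
    distribution used by FAIR tooling so the example needs no extra library.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes its arguments as (low, high, mode).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One scoped FAIR scenario, mirroring the scoping attributes in the post."""
    name: str
    asset_at_risk: str
    threat: str
    lef: Estimate            # Loss Event Frequency: regulatory findings per year
    primary_lm: Estimate     # Primary loss magnitude per event (fines)
    secondary_prob: float    # Chance that an event also draws negative publicity
    secondary_lm: Estimate   # Secondary loss magnitude per event (reputation, response)


# Constructed placeholder estimates for the "deficient third-party oversight"
# scenario described in the post; none of these values come from the article.
OUTSOURCING_OVERSIGHT = Scenario(
    name="Regulator finds third-party oversight controls deficient",
    asset_at_risk="Outsourced business process (hypothetical)",
    threat="Regulator conducting an examination",
    lef=Estimate(0.02, 0.10, 0.30),                      # findings per year
    primary_lm=Estimate(500_000, 2_000_000, 10_000_000),  # fine per finding
    secondary_prob=0.5,
    secondary_lm=Estimate(100_000, 500_000, 3_000_000),   # publicity fallout
)


def poisson_count(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year for an annual rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_year(s: Scenario, rng: random.Random) -> float:
    """Total loss for one simulated year: primary loss per event plus any secondary loss."""
    loss = 0.0
    for _ in range(poisson_count(s.lef.sample(rng), rng)):
        loss += s.primary_lm.sample(rng)
        # Secondary loss only materializes for a fraction of events.
        if rng.random() < s.secondary_prob:
            loss += s.secondary_lm.sample(rng)
    return loss


def simulate(s: Scenario, years: int = 20_000, seed: int = 1) -> list[float]:
    """Run the Monte Carlo simulation and return one annual loss figure per year."""
    rng = random.Random(seed)
    return [simulate_year(s, rng) for _ in range(years)]


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss exposure summary: mean, 10th/50th/90th percentiles, max."""
    q = statistics.quantiles(losses, n=10)  # nine cut points: q[0]=p10 ... q[8]=p90
    return {
        "mean": statistics.fmean(losses),
        "p10": q[0],
        "p50": q[4],
        "p90": q[8],
        "max": max(losses),
        "years_with_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


if __name__ == "__main__":
    for key, value in summarize(simulate(OUTSOURCING_OVERSIGHT)).items():
        print(f"{key:>16}: {value:,.2f}")
```

Because the scenario is scoped to the regulator finding non-compliance and nothing else, the simulation deliberately has no term for operational loss from an actual third-party failure; that would be the separate scenario the post says the group set aside. Swapping in an organization's own calibrated ranges for the three `Estimate` values and the secondary-loss probability is what turns the template into an analysis that can stand up to challenge.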
If you found this topic interesting and would like to contribute to this project, please consider joining the FAIR Institute’s Operational Risk Workgroup. We will be continuing this exercise on our next call, April 11, 2017 at 4:00 PM EDT.