Is your risk management a compliance exercise?
Let's explore the difference between the 'appearance of risk management' and 'effective risk management'
Before reading this short post on what a good risk assessment should look like, think about how you consider a risk at work and how you actually react to an incident. For example, do you treat a given risk as a standalone, segregated interruption with an allocated, emotionless and almost mathematical solution to mitigate its impact?
If so, you are not alone. However, such an approach fails to consider the dynamic nature of risks and one of the key factors: human emotions.
"I will be asking [firms] what strategic decisions and investment choices they are making to build operational resilience and to maintain the supply of important business services in the event of a major incident, or, as we say ‘a severe, but plausible, scenario’."
Megan Butler, FCA Executive Director of Supervision
full article available here.
The typical shortfalls.
Often organisations evaluate a list of typical interrupting issues during a desk-based exercise and record them in a Risk Register (typically a spreadsheet or word-processed document), with one rating for the probability of occurrence and another for the impact on the organisation; the product of the two gives an overall indication of the relative priority for dealing with that risk.
It’s a process fraught with deficiencies and ambiguities that perpetuates the gap between the appearance of risk management and the effective management of risks.
At best, the output of these simple risk-registering methods is a linear set of discrete, categorised lists, often superficially scoped and analysed. This approach gives a false sense of security because each risk has been defined and written up as a stand-alone issue; in essence, it has been domesticated inside a spreadsheet cell.
Such a risk assessment approach fails to take into account that risks are dynamic: they combine, collide, morph and can have both immediate and longer-term impacts. It also rarely considers the human element (eg emotions) in any detail.
Ultimately, people make meaningful decisions on the basis of what they feel, not what they think. One of the problems with dominant reliance on risk registers is that they fail to seize attention or imagination, which scenario-based planning can provide.
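As an added illustration of why stand-alone register entries miss aggregate risk (this is example code written for this post, not a method the original text or RRCA prescribes): a small Python model in which three constructed register entries are first scored in the usual probability × impact way, then re-evaluated under a single "severe but plausible" scenario that shifts all three probabilities at once and adds a compounding loss when two of them land together. The model itself, the multipliers, the conditional-independence assumption and every figure are assumptions made for the example.

```python
from dataclasses import dataclass

# Hypothetical model and constructed figures for illustration only; they are not
# data from any firm and not a method the original post prescribes.


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance of the event in the review period, 0..1
    impact: float       # loss if it occurs, arbitrary units (say GBP thousands)


@dataclass(frozen=True)
class Scenario:
    """A 'severe but plausible' scenario: one common cause shifting several risks at once."""
    name: str
    probability_multiplier: dict   # risk name -> factor applied to its standalone probability
    compounding: dict              # frozenset({risk a, risk b}) -> extra loss if both occur


def register_view(risks):
    """Classic register: each risk rated alone, ranked by probability x impact, highest first."""
    scored = {r.name: r.probability * r.impact for r in risks}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def register_expected_loss(risks):
    return sum(r.probability * r.impact for r in risks)


def scenario_view(risks, scenario):
    """Expected loss under the scenario, per risk, plus a 'compounding' term.

    Assumptions (labelled): each probability is scaled by the scenario multiplier and
    capped at 1.0; given the scenario, risks are conditionally independent, so two of
    them co-occur with probability p_a * p_b.
    """
    by_name = {r.name: r for r in risks}
    p = {n: min(1.0, r.probability * scenario.probability_multiplier.get(n, 1.0))
         for n, r in by_name.items()}
    breakdown = {n: p[n] * by_name[n].impact for n in by_name}
    extra = 0.0
    for pair, loss in scenario.compounding.items():
        a, b = tuple(pair)
        extra += p[a] * p[b] * loss
    breakdown["compounding"] = extra
    return breakdown


def scenario_expected_loss(risks, scenario):
    return sum(scenario_view(risks, scenario).values())


# Constructed register entries (not real figures).
RISKS = [
    Risk("key staff unavailable", 0.05, 200.0),
    Risk("remote-access credential phishing", 0.10, 150.0),
    Risk("professional indemnity cover lapses at renewal", 0.02, 400.0),
]

# Constructed scenario: a lockdown raises all three probabilities together, and a phishing
# incident that lands while key staff are unavailable costs extra because nobody can respond.
LOCKDOWN = Scenario(
    "lockdown",
    probability_multiplier={
        "key staff unavailable": 6.0,
        "remote-access credential phishing": 3.0,
        "professional indemnity cover lapses at renewal": 5.0,
    },
    compounding={frozenset({"key staff unavailable", "remote-access credential phishing"}): 300.0},
)


def compare(risks=RISKS, scenario=LOCKDOWN):
    """Return (register ranking, register expected loss, scenario breakdown, scenario expected loss)."""
    return (register_view(risks), register_expected_loss(risks),
            scenario_view(risks, scenario), scenario_expected_loss(risks, scenario))


if __name__ == "__main__":
    ranking, reg_loss, breakdown, sc_loss = compare()
    print("register ranking:", ranking)
    print(f"register expected loss: {reg_loss:.1f}")
    for name, value in breakdown.items():
        print(f"  {name}: {value:.1f}")
    print(f"scenario expected loss: {sc_loss:.1f}")
```

Run as a script: the register ranks phishing first with a total expected loss of about 33, while the lockdown scenario re-ranks staff unavailability to the top, more than quintuples the total, and produces a compounding term of 27 that corresponds to no row in the register at all. The point is not the numbers, which are invented, but that the common cause and the interaction only become visible once the risks are considered together.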
This is one of the reasons why having the right policies, the right training and a good culture is so crucial to achieving FCA compliance. Our consultants have seen over time that firms often use template policies which are not sufficiently adjusted for the dynamics of the business, do not include input from key decision makers and, furthermore, give staff only vague guidance on assessing and managing risks.
By introducing scenario planning, senior management takes part in structured exercises that place them in a hypothetical situation in which several risks collide to stress the organisational response. Individuals become part of a collective thought process, engaging with an unfolding narrative of controls and consequences.
The end result? Senior managers and key stakeholders perceive risks and opportunities more broadly and practically. At RRCA, we always provide free compliance consulting with our FCA-compliant policy templates, ensuring practical implementation and complete compliance with FCA rules and cultural expectations.
The new normal.
Created by 2020...
Within the FCA-regulated sector, firms have been dealing with a “perfect storm”. Mostly because of the COVID lockdown, firms face a wide range of risks affecting almost every area of operation: HR, data protection and cybercrime, the “resultant” problems caused by gaps in professional indemnity insurance (PII) cover, and the key issue of changing customer behaviour.
At RRCA, we have helped a number of FCA-regulated firms to navigate this new landscape, managing the risks around PII renewal, staffing and remote working and, where risks have materialised, liaising with the FCA.
One key lesson we learnt from this turbulent year (filled with COVID, Brexit and financial crisis) is that firms should review and improve their risk management framework to ensure that the process is a “living part” of their governance arrangements, not just an annual tick-box exercise. In particular, firms should ask on a regular basis:
Are the risk assumptions valid?
Do controls work in the way they are designed?
Are you prepared for aggregate risk?
Are there any gaps in preparedness, vulnerabilities in planning, unintended consequences to actions, shocking stakeholder reactions to events?
Stress testing assumptions is a healthy way to learn and improve risk preparedness. Scenario planning almost always sharpens an organisation’s risk management, in a way that standard risk registers almost never do.