• Thursday, March 28, 2024

BusinessDay

Risk identification framework: A guide to taking an important step in your risk management journey


When Mr. Olufemi became an Interswitch Financial Inclusion Agent, he may not have foreseen that a few months later, he would be crying out about serious bodily injury from assault and threats to his life by angry customers whom he owed about N2 million. Mr. Olufemi operated a Quickteller Paypoint shop, and his business plan did not include borrowing from customers. Customers could come to his shop to withdraw cash from their accounts domiciled in any of the nation’s banks. They would use their bank-issued debit cards on the Interswitch-issued Point of Sales Terminal in his shop, and once his account with his bank was credited for the amount the customer wished to withdraw, he would pay cash to the customer from sales proceeds of his store or from cash kept on hand for this purpose. But “the best-laid plans of mice and men often go awry”. A malfunctioning POS Terminal, which would debit the customers’ accounts without crediting his, got him on the wrong side of customers, some of whom physically assaulted him.

Risk crystallized in a slightly different hue on December 5, 2018 at a Robbinsville, New Jersey fulfillment center operated by Amazon.com, where a bear repellent was accidentally discharged within a contained area of the warehouse facility. According to news reports quoting the Get Bear Smart Society, the bear pepper spray is a “nonlethal repellent that causes a bear’s mucous membranes to swell, making it hard for the animal to see or breathe, giving its victim an opportunity to flee. It has a similar effect on humans.” In the reported Amazon.com incident, a machine accidentally punctured a 9-ounce bear repellent can, releasing concentrated capsaicin, the major ingredient in pepper spray, exposing employees and leaving about 80 of them with various kinds of breathing difficulties, with one in a critical condition.

The Nigerian vice presidential debate hashtag #2019Debate, which trended on the Nigerian Twitter-sphere on December 14, 2018, ordinarily had little to do with Guinness Nigeria, or Terragon Group, a data and marketing technology firm and Guinness’s @GuinessNGR Twitter account handler. But in what appeared to have been an erroneous slip of partisan passion onto the client’s handle, @GuinessNGR replied to a tweet by a member of the Nigerian President’s media team: “Shut up you dirty mouth goat”. Shortly after, Terragon Group tendered an unreserved apology from the company’s official handle, but those 6 words were already out, retweeted, screen-grabbed, shared, and re-blogged by countless other platforms, and forever in the public domain. The news cycle quickly moved on to more interesting matters, but could the slip have been worse for Guinness? Who knows the implication for Terragon? This was again a risk incident with a totally different tag.

Risk is everywhere around us, including in the path of courageous entrepreneurs venturing to fulfil a myriad of human needs. Entrepreneurship is a quest for benefit realization through risk optimization, but not everyone pays attention to the risk side of the equation. In creating and selling products or offering services that cater to specific market opportunities, risk must be managed or benefits may not be realised. Although many organisations have some semblance of risk management, it is often not as rigorous as their risk contexts require. Highly regulated industries may be a step ahead in attention to risk management, but no business can thrive under neglect of risk.

COSO Internal Control Framework

The regulatory environment and the nature of the industry’s risk profile often keep financial institutions constantly thinking about and managing risks, but outside such stringently regulated sectors, and especially in small and medium scale enterprises, risk management is often not the centre of attention. This often results in preventable risk events befalling unprepared organisations, resulting in avoidable losses.

THE RISK OF NOT IDENTIFYING RISK

Risk is defined as the effect of uncertainty on objectives, or the possibility that an event will occur and adversely affect the achievement of objectives. Whether in business as a marketing agency or a school, in the e-commerce or hospitality business, or as a newspaper publishing house, risk is lurking whether the organization is risk aware or not. Managing risks requires organizations to identify their risks, analyse and evaluate likelihood and impact, quantify risk exposures, determine disposition to identified risks, formulate and execute risk mitigation strategies, control and response plans, and monitor to ensure that all these processes function effectively. All of these should be done within a clearly articulated mission, strategy and risk appetite.

Risk Management Definitions

Recognizing that risk abounds in an endeavor is only the first step. A business’s objective setting, at various organizational levels, should be followed by risk assessment – a systematic process for identifying, analysing and evaluating events that can affect the achievement of organizational objectives. Such events can be identified in the external environment (e.g., economic trends, regulatory landscape, competition, and events with physical impact such as natural disasters, robberies etc) and within an organization’s internal environment (e.g. people, process, and infrastructure). When these events intersect with an organization’s objectives – or can be predicted to do so – they become risks.

Risk Identification is the process of generating a comprehensive list of risks based on events, with the goal of understanding possible impediments to the achievement of business objectives. For example, if your organization was outsourcing the management of its social media handles to an agent, a possible risk event may be the use of the handle for unauthorized purposes, erroneously or otherwise, resulting in reputational fallouts. To start risk-managing the process so that risk would not exceed the organisation’s defined tolerance, sufficient time would need to be set aside to identify as many risks as possible that can derail the achievement of business objectives regarding this public relations function. Risk affects organizational context through diverse mechanisms. An understanding of both the context and mechanism will strengthen the risk management process. The following is a framework which considers the interaction of the risk context and mechanism to provide insights required for holistic risk identification.

RISK MECHANISM

Think of risk mechanisms as the processes by which risks can crystallize. These are the avenues through which uncertainties can arise and the process by which uncertainties affect the risk context. How could risk affect the SOICriDe, your risk context? Risk mechanisms can fall under the following:

  • Assumptions: Uncertainties can arise due to the validity of crucial assumptions. For example, Mr. Olufemi’s financial inclusion shop could have assumed that the switch company would always credit the business account every time a customer made a withdrawal, or that customers would understand and wait for the financial institution to reverse erroneous debits to their accounts. In reality, these assumptions were not always valid. Moreover, achievement of certain performance expectations depends on the validity of some assumptions. In Amazon’s case, the successful fulfilment of the bear repellent depends on not discharging it within its warehouse facilities. Amazon’s Workplace Safety objectives also depend on not having vasoconstrictors discharge within its premises. The risk identification procedure should therefore question the different assumptions on which the organisation’s risk context functions, and the situations that can threaten the validity of these assumptions.

Useful questions to ask here are: What must go right to achieve our objectives? What are the barriers to our success? What could go wrong? How could we fail?

  • Vulnerabilities: Risk often crystallises in the intersection of vulnerabilities, exploitation or mischance. It is therefore important to acknowledge vulnerabilities in the components of the risk context as these may readily present themselves for adverse outcomes from deliberate or inadvertent actions or inactions. For instance, products that an organization offers or locations in which it operates may be vulnerable to environmental or human agents. In Amazon’s case, product containers – including those of hazardous materials – are vulnerable to accidental destruction. The product/process owner, in Amazon’s case the warehouse managers, should be knowledgeable about their risk context to be able to ask and answer the “What If?” questions that would help probe the vulnerabilities. A financial inclusion agent that keeps cash on premises is vulnerable to cash theft, while the staff could be vulnerable to assault and bodily harm from dissatisfied customers, especially in under-policed climes. For Terragon, Guinness Nigeria’s Twitter account handler, using a Twitter app without a maker-checker functionality constituted a vulnerability with susceptibility for error or sabotage.

Useful questions to ask here are: How could our operations be disrupted? How could someone sabotage, steal from or defraud us? How could any of our infrastructure fail? What can we not survive without? Where do we need considerable efforts in order to control risk? Where have we devoted significant resources? What asset do we need to protect?

  • Events: Think about internal or external events that could happen as a result of political, economic, social, technological, legal, environmental factors, or due to new regulatory requirements, stakeholder expectations or competitive factors. When such events happen, they could impact organizational risk contexts negatively and lead to losses, especially where vulnerabilities already exist. Such events can directly affect organizational outcomes, for instance a ban on the organisation’s key product, or indirectly through a market factor – for instance changes in exchange rates. Direct impacts of events are readily assessable, but for complete risk identification one must also think about cascading impacts.

Useful questions to ask here are: Which future events could affect our ability to achieve our objectives (quality, time, cost, safety, etc.)? Which external events could negatively affect us or our key service providers? Are any of our locations prone to natural disasters? Are our people exposed to danger? What wouldn’t we want on the pages of the newspaper about our organisation?

Risk context

The risk context is the totality of organizational objectives and business enablers that might be affected by risk events and uncertainties. Risks relate to the various objectives for which an entity or specific organizational units are responsible. Critical mission enablers, performance deliverables and outputs, and dependencies that help deliver them represent the risk contexts or subjects that would ultimately feel the impact of risk events. The dimensions of risk context can be easily recalled with the acronym SOICriDe (think “So, I cried”).

  • Structure: Determine the organizational structure for which you are identifying risks. Is it for a project, processes, products, a department, or the entire organization?
  • Objectives: Clearly specify the objectives for which the structure – project, process, product, department, or organization – was set up. Do this for all the organization structures in scope for risk identification.
  • Indicators: Identify performance indicators for these objectives, either internal ones, or measures by which external stakeholders would assess your achievement of the objectives.
  • Criticality: Identify mission critical outputs, activities, functions, products, or services others rely on you to provide. They are often directly related to your internal objectives or external stakeholder requirements.
  • Dependency: Identify the primary success drivers, capability enablers, inputs, vital activities, services or assets you depend on to deliver your services or products in achievement of performance measures.

The risk mechanism can be easily recalled with the acronym AVE! “So, I cried Ave!” presents a comprehensive risk identification framework, combining the acronyms of SOICriDe and AVE.

Documenting identified risks

The risk identification process should utilize business documents and records of past events, starting with the standard operating procedure where business goals, processes and procedures are documented, to internal loss data records, incident reports and causation analysis. Additionally, prior reports of audit and other regulatory examinations usually indicate risks and vulnerabilities and would serve as useful inputs. In mature risk environments, reports of prior risk assessment exercises and key risk indicator reports should be studied to identify flagged risks.

For each risk identified, a risk statement should be crafted, giving the risk a short title, a brief description, and a little more detail about its sources and causes. All identified risks should be documented in a Risk Register, from where risk evaluation can commence to complete the assessment process. A risk statement should contain the risk event, its cause and consequences.

Some sample risk statements:

  • Terragon Group: Unauthorized activities on the @GuinessNGR Twitter handle due to lack of maker-checker/ authorization and approval functionality on the Twitter app could result in reputational damage to our client.
  • Financial Inclusion:
    • Hardware or network errors resulting in failure to credit our account after the customer’s account has been debited, thereby rendering us unable to pay customers, could cause customer dissatisfaction.
    • Dispute with customers in the absence of security personnel to prevent escalation could expose our staff to physical assault.
  • Amazon.com: Discharge of hazardous materials due to accidental or deliberate destruction of product packaging could endanger the lives of our staff.

Many have called for Amazon to invest more in workplace safety; however, without a robust risk management framework that ensures all significant risks are identified, assessed and the right disposition determined, the safety programme may leave critical gaps uncovered. For entrepreneurs of various sizes and in various kinds of businesses, benefit realization would be more likely with a functional and rigorous risk identification process within a comprehensive risk management framework.

It may not be possible to foresee all risk events, but a robust risk management process ensures that surprises are minimal, responses are swift, and disruption and losses are within tolerable limits. Identifying risks is only one step but a crucial one in the risk management process. An’ forward tho’ we cannot always see, good risk management beats guessing an’ fear.

Yemi Adesanya

Yemi Adesanya (FCA) is a risk & control manager in financial services