One of the most important aspects of developing a robust risk management framework is ensuring that the identification and definition of risks and controls is of a high quality. Poorly defined risks and controls will lead to poor decision-making and losses.
In a previous post, we provided a structure for defining risk. In this post, we build on this, focusing on the Risk Bow-tie (example below) and how it can be used to improve the definition of both risks and controls.
Example Risk Bow-tie
The Risk Bow-tie is a valuable tool that can be used throughout the risk management process.
During the identification phase of the process, the Risk Bow-tie can be used as a ‘thinking tool’ to encourage a high-quality conversation around risk. It enables a clear definition to be created, whilst capturing and recording the various causes and consequences related to the risk. This helps overcome a commonly seen issue within risk management where risk definitions are a confused mix of causes, events and consequences, all wrapped up in a definition with no structure.
When using the Risk Bow-tie in a risk identification and definition process, start by focusing on events that could either prevent or ease the achievement of objectives. Once these have been listed, start to develop as many potential causes as possible that will lead to the event happening and therefore the risk materialising. Creating this ‘long list’ of causes will help clarify thinking about the risk and form the base of a consolidated list of causes that should be documented alongside the risk. This process should be repeated for Consequences (or the process can be done ‘horizontally’ where causes and consequences are defined together).
Capturing a set of causes and consequences as part of the definition of a risk leads to a better risk management framework and drives more value from the process. The reasons for this include:
- It assists in the risk assessment process as those completing the risk assessment can review the causes and consider how they have changed or may change over the assessment period.
- It helps develop a fuller picture of the risk environment including the potential consequences of the risk materialising.
- It leads to a better definition of leading KRIs and preventive Key Controls based on a robust and well-thought-out set of Causes, while also leading to the definition of better lagging KRIs and detecting Key Controls.
A similar approach can be taken when defining Controls. Again, the approach can be used to think through the ‘causes’ of highly effective Controls and the Consequences of ineffective Controls. As above, capturing a set of causes and consequences around controls improves the thinking around other parts of the risk and control framework. As shown below, developing causes around controls helps in the definition of leading KCIs and helps us avoid or minimise risk, increase process efficiency and reduce costs, while developing consequences helps in the definition of lagging KCIs, assists in the identification of potential risk issues and helps in the analysis of risk-related losses.
Example Control Bow-tie
Defining and maintaining causes and consequences as described above leads to a Risk and Controls framework which is of a significantly higher quality than one without this level of detail and thinking behind it. It also makes the framework more sustainable and easier to use and understand, as the detail is readily available, thus providing guidance when conducting a Risk Assessment or a Control Self-Assessment. It also helps with engagement across each of the three lines of defence.