For all of our vCOO engagements, in one way or another, there has been one constant thread: a desire, by our clients to address operational and enterprise risk. For many of our clients, the management of their risks has been something that has been left to client-facing or compliance colleagues to manage “off the edge of their desks”. In many cases, the Clients are aware of the risks, but have not had the resources, capacity and wherewithal to begin addressing them.
The foundation of our vCOO service is managing risk; whether it be by driving projects and programmes to improve specific areas of business performance, or by creating an environment and culture where managing risk is everyone’s responsibility.
We’ve done this by implementing Operational Risk Registers – either to sit alongside the Businesses Business Risk Assessment (BRA) or as a standalone document. This has been a great way to engage key stakeholders in the operational risk discussion and, crucially, create engagement and momentum to start addressing any resultant risks.
Creating an Operational Risk Register (“ORR”)
Implementing an ORR doesn’t have to be burdensome. It can be done quickly and with very little effort. Generally, we’ve tended to follow this approach when doing so, which enables a very detailed and well constructed ORR to be created quickly:
Engage your business and operational leaders to start thinking about the operational risks the business faces. These can be categorized quite simply to aid the thought process: 1) People risk, 2) Process risk 3) Premises risk 4) Performance risk.
Taking these in turn:
- People risk: think about the risks faced either by your people (e.g. succession planning, staff turnover, having adequate training plans, etc.) or the risks posed to your people (e.g. health & safety, fire risk, etc.)
- Process risk: think about the risks posed to the business if your processes are not adequately executed (e.g. breaches, incidents, loss, client complaints, etc.)
- Platform & Premises risk: think about the risks facing the business “Platform” (i.e. mainly technology, data and building(s)), e.g. your business location, your IT and technology risks (including cyber), the risk of your service contracts and 3rd parties, WFH and Business Continuity etc.
- Performance risk: think about the risks posed to your business performing and delivering on the business services/deliverables/outputs, etc. This is often a good way to capture operational risks which you haven’t thought of under People, Process and Premises risks.
Once you’ve got these risks down on paper, think about your existing controls (to mitigate these risks):
Assessing the risk
For each risk, think about the following:
- The Inherent risk (of the risk occurring) – is it High, Medium, Low?
- The Impact and Materiality – if the risk did happen – again, High, Medium or Low?
- What controls and mitigants have you implemented (to address the Inherent risk)
- How effective are these controls?
- The Residual Risk – i.e. what impact have the controls had – have they lowered the risk rating?
- Is the Residual risk acceptable?
If not, you need to take action to address the risk.
Taking Action
Draw up a quick action plan of the Top 5 (rated) risks and make a concerted effort to address them in the next 90 days. They won’t all be totally “fixable” within the 90 days, but by documenting your approach and taking immediate action, you can demonstrate your awareness of the risks, your prioritisation and that action is being taken.
If you’d like to discuss your operational risks, or if you need help pulling together an ORR and the associated action plan, please do get in touch.
