How do you measure the maturity and strength of your operational risk management programme? Alex Hindson and James Pomeroy give some suggestions

Having made considerable investments in risk management, many organisations are now seeking to evaluate the maturity and strength of each element of their programme. Achieving this in a way which is efficient and engages with all stakeholders, presents a considerable challenge. Outlined here is a practical route map for developing a review programme focused on operational risks, which reflects case studies in the technology sector.

Rationale for integration

It is rare that organisations embrace wholesale change in their approach to risk management. Hence, continuous improvement is the way to encourage incremental improvement to risk management programmes. Taking an enterprise-wide approach to risk management encourages the integration of functional approaches to risk. In many organisations, a good place to start is through the consolidation of operational audit programmes.

Most organisations operate some form of operational risk auditing, with some focusing on property damage or business interruption insurance surveys, and others completing corporate safety and environmental audits. Others verify critical business areas, such as information security management. Ask any risk owner about audits and they are likely to talk of audit overload, and of differing risk criteria with conflicting findings, all of which make aligning precious resources to the most significant exposures more difficult. The problem is not necessarily insufficient auditing, but a lack of coordination and integration of operational risk audits.

An integrated audit allows a broader, risk-based review of performance, with the findings presented to senior management more effectively than through traditional piecemeal approaches. The results can also aid benchmarking between locations and risks, identification of trends, common weakness and best practices.

While some organisations have taken steps to develop this approach, such as consolidated quality, or Health & Safety Executive loss prevention audits, adopting a more holistic approach allows movement across potential silo or functional divisions within the organisation's risk landscape. It also starts to highlight the need to reconcile risk management activities that may have been initiated through other drivers, such as insurance or corporate governance.

How do you start?

How can this be done in practice? One solution that has proved highly successful is to enlarge the scope of existing risk review programmes, consolidating methodologies and audits to eliminate duplication where necessary. As all risk topics are managed through a system-based approach seeking continuous improvement, the primary objective of an integrated review is to verify the practical implementation and application of an organisation's risk management framework to the specific risk exposures faced by the organisation.

An organisation's corporate risk profile provides a source for understanding these key operational exposures, and the review programme can help to answer the question of how well they are being managed in reality. Each of the exposures, or topics, is then assessed against the key components of a risk management system, as demonstrated in Figure 1. The structure adopted consists of testing the application of the different elements of a risk management system to the individual operational risk elements within the scope of the programme.

So, taking a specific example such as business continuity management:

- Policy: Does the organisation have a clearly defined and communicated policy?

- Objectives: Is there a strategy for the business to develop continuity management in line with business objectives?

- Roles and Responsibilities: Are roles and responsibilities for continuity management clearly defined and communicated?

- Risk Identification: Is there a structured approach to identifying business exposures?

- Risk Assessment: Are risk exposures effectively assessed and evaluated?

- Risk Response: Are response plans appropriate to the businesses exposures?

- Monitoring and Review: Is performance measured and evaluated on a regular basis?

- Verification and Audit: Is there an effective process for testing the effective of continuity management?

- Communication: Is performance effectively communicated, to drive continuous improvement and the review of future objectives?

For each risk topic included within the review, audit protocols should be prepared to evaluate the effectiveness of the management system. Developing the audit protocols is a frequently overlooked component, whereby you make the focus of the review relevant to the organisation and its strategy, giving weighting to the most significant exposures through common consensus with all stakeholders. If this phase is ignored, the exercise may fail to gain sufficient stakeholder engagement and internal buy-in, risking its overall success. The best audit protocols are usually based upon an internationally recognised standard, and are often adapted to meet an organisation's corporate risk standards. A sample audit protocol is shown in Figure 2, along with the scoring method used to assess the findings.

This framework provides a practical benchmark against which to test an organisation's approach, using a range of recognised best practice guidance and standards. Table 1 outlines some of the options in best practice standards for individual operational risk elements that have proved valuable in implementing this type of approach.

Scope

Experience of implementing this type of programme suggests that the structure needs to be tailored to the specific risk exposures of a given organisation. By taking a modular approach, specific elements from Table 1 can be drawn upon, as they are required.

This approach offers the option of developing the programme incrementally from a narrow foundation, as support and commitment grows within the organisation. Hence, for example, a traditional property loss prevention and health and safety based review can be adapted over time to include wider aspects, such as business continuity management and corporate social responsibility, as represented in Figure 3.

Clearly, internal stakeholders need to be carefully engaged to ensure that they support the approach and are prepared to bring the evaluation of their management system within a shared framework. Resistance could also be encountered if the process is not also carefully communicated externally, for example to insurers who will rely on key components for their loss estimations. Stakeholders may also be concerned that they might lose control over parts of their functional remit. Crucial to the success of an integrated audit therefore is the dialogue and engagement that the risk manager undertakes with his colleagues. This is an opportunity to broaden the basis of internal support for a risk management system and is a key element in forging commitment to an eventual enterprise-wide approach to managing risk

The specific scope for a given organisation would be derived from an evaluation of its overall risk profile and through careful consultation with interested parties. For example, the key operational exposures a technology or telecommunications company might wish to audit include IT security and network fraud. For a manufacturer of engineering components supplying the aerospace industry, product design, recall and supply chain risk management would be key elements of a review framework. The benefit of an flexible approach allows for the scope to be enlarged or contracted as the organisation's risk profile changes with the introduction of new risks and the maturing of existing risk management arrangements.

Experience to date

Practical experience to date with a number of major technology companies has shown that the programme can be implemented effectively at three levels.

1 Corporate risk review: A single corporate review was conducted across several of the risk elements selected from Table 1 to fit the organisation's risk profile. Senior managers from each corporate function were interviewed and management systems reviewed using structured protocols. The findings were evaluated against a best practice scoring system and an assessment profile produced, as shown in Figure 4. This was used to highlight the current state of development of risk management within the organisation, and to establish future targets, based on a series of recommendations. This, in turn, was used to drive a corporate risk management improvement plan.

2 Business unit risk review: A series of reviews were then conducted in business units within the group, against the same scope as the corporate review. The same process was applied, and this allowed business units to be benchmarked against each other and against the corporate assessment. This has allowed the development of specific risk improvement plans within business units to bring the effectiveness of specific elements of the risk management framework up to the required corporate standards.

3 Site-level review: A site-based review is carried out for a number of key facilities within each business unit. The purpose of these reviews is to verify that actual on-site performance is in line with the findings of the management reviews carried out to date. This format therefore retains an element of a traditional site audit programme, but its role is now one of verification. This element of the programme remains of direct relevance to insurance underwriters, but is now put into the context of a wider management system review. Insurers have seen value in this approach. Management are more likely to act upon recommendations made as part of the reviews, because they fit within the context of a risk management system that has clear support from across the organisation.

This general approach has been reproduced while working with other organisations for the evaluation of specific risk issues, such as crime management. These evaluations have proved particularly useful in helping to demonstrate the effectiveness of an organisation's risk management for specific insurance programmes, such as professional indemnity cover.

Other benefits

Experience has shown that an operational risk management programme can be used to drive risk improvement by linking it to internal allocation of risk financing costs. In large organisations it is possible to use it to drive a premium allocation process for global programmes. This operates most effectively for organisations with a captive insurer, where scores derived from operational risk management reviews can drive the allocation of premium costs for insurance programmes. Where risk scores are driven down by local business units, a reduction in premium levels can be given.

Next steps

Risk managers need to ask themselves:

- Does your current risk management programme meet the needs of your organisation?

- Has your programme adapted with changes in the nature of exposures your organisation faces?

- How appropriate are the risks it considers?

- Does it encourage risk specialists in your organisation to share information and work together?

- Does the programme support the development of an enterprise-wide approach to risk management?

Alex Hindson is associate director, enterprise risk management at IRMG. Tel: 020 7882 0639, e-mail: alex.hindson@irmg.aon.co.uk James Pomeroy is senior consultant, enterprise risk management, IRMG. e-mail: james.pomeroy@irmg.aon.co.uk