Root Cause Analysis and Action Plans
[FIGURE 11.1 Bow-tie tool. Labels recovered from the diagram: on the left, indirect causes 1, 2 and 3 feed direct causes 1 and 2, which pass through preventive controls to the central risk event; on the right, the risk event passes through a detective control and corrective controls to direct impacts 1 and 2, which in turn lead to indirect impacts 1, 2 and 3.]
common features between operational incidents in a given firm, regardless of how
dissimilar they looked at first. For example, common features included:
■ an imbalance between preventive and corrective controls, leading the firm to "fire-fight" and remediate while feeling overwhelmed by workload;
■ defective internal communication flows, leading to disparate incidents such as a misstatement by the CEO in the press, business disruption caused by drilling through ethernet cables, double spend on insurance policies, etc.;
■ excessively low red KRI thresholds in a firm new to the discipline and overly strict about operational risk management, leading to a reporting dashboard that is mostly red, so that real red alerts can no longer be distinguished from petty issues, the signal from the noise;
■ a mature, risk-averse organization in risk management, but with chaotic third-party management processes: most events were caused by poor selection or mismanagement of vendors.
So far, I have rarely encountered firms that compare the results of several root cause analyses to identify their pattern of failure. In my view, this is the largest untapped opportunity in operational risk management today.
Risk managers from the second line of defense should facilitate bow-tie analysis, especially when it requires a transversal analysis and the involvement of several departments or divisions. Successful bow-tie analysis depends on a deep knowledge and understanding of the various causes and consequences of an event, of the controls that were missing or defective, and of the strengths and weaknesses of the incident management and response. One individual, or even one team, rarely attains this breadth of awareness and abilities, which requires the coordination of different parties in the business. The risk function plays a beneficial coordinating role, especially when it comes to identifying patterns of causes across various incidents and to rolling out firm-wide action plans.
ACTION PLAN DESIGN AND GOVERNANCE
An action plan is a remediation program to reduce the risk level of a product or an activity, either by reducing the risk exposure or by improving processes or controls. Action plans typically follow an incident or a near miss whose potential impact appeared to be above risk appetite; they should ensure that unacceptable events do not reoccur. Alternatively, action plans can consist of forward-looking, preventive measures aimed at keeping a risk within the acceptable limits of risk appetite.
Not every operational incident triggers an action plan, nor should it. Action plans are additional mitigation steps taken when events, near misses or ex-ante risk assessments reveal a potential impact or likelihood above risk appetite. However, I have often observed in firms a disconnect between risk appetite and the decision to initiate action plans. Regrettably, this can lead to a waste or misallocation of resources.
Deadlines and follow-up are also important elements of action plans, alongside
the need for consistency with risk appetite, governance and ownership. Action plans
are like mini projects, and sometimes even large projects, and should be managed as
such. Each action plan must have an owner, accountable for its timely and accurate
execution. Large plans need to be phased and reported on periodically. Risk managers
in the second line of defense can be particularly helpful here in assisting with the design
of the plan and, of course, the follow-up of deliverables and timeliness. Operational risk
managers should support and guide the business, and not let risk owners feel alone in
resolving issues and events. Without effective support from the risk function, business
lines tend to underplay the nature and size of the risks they face in order to avoid
dedicating scarce resources to action plans.
CHAPTER
12
Conduct and Culture