Risk management is not just about avoiding losses or reducing their effect. It is also about using operational risk software to find opportunities for business benefit and continuous improvement. Risk management can be used as the groundwork for Six Sigma and Lean management approaches. Here Tony and John explain in this excerpt taken from their book Mastering Risk Management…
The just-in-time method of management relies on properly identifying, measuring, monitoring and managing supply chain risks which are part of the universe of risk. In addition, quality circles rely on full and informed risk management, as does total quality management. The concepts of process improvement and business optimisation are fundamental parts of risk management and Six Sigma gives a structured approach.
The Six Sigma themes of focus on the customer, of fact-driven proactive management and of unwelcome variations in a process are wholly compatible with good risk management and many would argue are the same themes as pervade risk management. Further, the Six Sigma starting point of process mapping can be very useful to risk management and gives business benefit in its own right.
Six Sigma and risk management compared
As can be seen from the diagram above, the Six Sigma process is iterative both overall and within each pair of stages. In addition, if any stage does not work, the next step in the process is to go back to the previous stage. This forms part of the rigour of the Six Sigma approach. Not only is each stage closely evaluated, but the practitioner/team must repeat the stage using new ideas and solutions if the evaluation does not produce adequate results. This iterative approach seeks to ensure that changes made to business processes have the best chance of delivering the desired positive impact and that the change represents the best return in terms of the improvement achieved.
The overall Six Sigma process
1. Assess current state
As with all stages in the Six Sigma process, this stage has a business focus. The first two stages are to prioritise the process to be improved. This is achieved in the first stage by identifying problems and gaps, and the most pressing needs in the firm.
The equivalent stage in risk management is to identify and assess risks and controls (through a risk and control self-assessment) and to identify indicators and their thresholds.
2. Agree process to be improved
From the areas identified, the process to be improved can be chosen. Often this is driven by business requirements. Alternatively, there are often links between processes such that an improvement to one process can have a beneficial effect on a number of processes. The current performance of the process to be improved is documented using control charts for the process output over time, so that the improvements can be recognised. This assists in generating awareness of the scale of the problem, and possibly a target performance level.
The equivalent risk stage is to compare the risk appetite with the current state using the risk and control self-assessment and the indicator thresholds from Stage 1.
3. Investigate root cause
Theories as to the root cause of the problem are initially identified through consensus work and workshops, and then through the use of tools, such as cause and effect diagrams, histograms and scatter diagrams. Hypothesis testing may be used and standard statistical tests, such as equal variance analysis, are also key to this stage. Data are collected to support the root cause analysis, and, by using the tools, strong correlations are sought that point to which cause should be addressed as a priority.
The equivalent risk management stage is event causal analysis, although there may be very few events relating to the particular process. However, such causal analysis will help significantly with the Six Sigma root cause analysis.
4. Develop solutions
In order to develop solutions, this stage of the Six Sigma process will utilise workshops to determine the links to controls and other processes for the identified root causes. Cause and solution diagrams may also be utilised. This stage also tends to develop further relationships between causes, controls and processes which themselves may point towards solutions. The solutions generated are then prioritised for testing.
Action plans resulting from event causal analysis, and from appetite analysis using risk and control self-assessments and indicators, are the risk equivalents of Stage 4.
5. Test solutions
Taking the most promising solution generated in the previous stage, controlled experiments are run to evaluate the impact of the solution. This stage also begins to determine the appropriate implementation of the solution, assuming that it delivers the required improvement/impact.
The modelling of action plans, including modelling of qualitative data, is the risk management equivalent of Stage 5.
6. Design and implement improvement
This stage in the Six Sigma process revolves around how to apply the validated change, including items such as training, implementation of a pilot and assessment of the pilot, the definition of how the change may be considered to be successful, and involving the business to set a success target (if one has not been already set). Once the pilot is successful, a permanent solution is then put in place, including data collection to show that the improvement continues and has become business as usual.
The equivalent in risk is completing action plans, designing new controls and indicators and checking to see if the reduction in risk or improvement in controls expected has, in fact, been achieved.
7. Review learnings
This is the typical debrief of a project, including the following:
- what worked well
- what didn’t work well
- tools that were particularly effective
- things that we would like to do better
- learnings from overcoming difficult points
- how we should manage the people side differently.
The risk management equivalent to Step 7 is the embedding of the methodology (which is, of course, linked to governance). In addition, risk managers at this stage will challenge the methodology and tools used in terms of any improvements that can be made.
8. Identify next improvement
This is a very easy stage in that, typically, the second choice from the original list of required improvements is chosen. This is a very natural step if the firm’s business profile has not changed significantly in the meantime. However, if there has been a change, Stage 1 should be repeated.
From a risk perspective, a new risk and control self-assessment and continuing monitoring of events and indicators will lead to further appetite comparisons and renewal of the cycle.
At the business level, a robust and efficient risk system will enable managers to react to events more quickly and with greater effectiveness. At the board level, good risk management reduces the volatility of performance and facilitates efficient resource and capital allocation. From an investor point of view, risk management encourages and allows an understanding of where shareholder value is being created or destroyed. A good risk management system, fully embedded in the business, will prevent any blindness to risk which may affect the profitability of a business line or transaction.
Risk and control perception is improved through distilling a risk culture, which leads to business optimisation. That will be reflected in a firm’s credit rating. And it will also generate a significant regulatory benefit in an improved relationship with the regulator, wherever that is applicable.
A further benefit is that if you get it right, you avoid paying the lawyers! Risk management is fundamental to successful business management. It produces true business benefits in its own right.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International.