School of Information Systems

Understanding Risk Management Process & Architecture

28 Feb 2022

The risk management strategy and policy is supported and operationalized through a risk management architecture. Organizations require complete situational and holistic awareness of risks across operations, processes, transactions, and data to see the big picture of risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to risk management architecture. The architecture defines how organizational processes, information, and technology is structured to make risk management effective, efficient, and agile across the organization and its relationships.

There are three areas of the risk management architecture:

  • Risk management process architecture
  • Risk management information architecture
  • Risk management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organization’s requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for risk management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for risk management instead of finding the technology that best fits their process and information needs.

Risk Management Process Architecture

Risk management processes are a part and subset of overall business processes.  Processes are used to manage and monitor the ever-changing risk environments.

The risk management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes risk management processes, each process’s components and interactions, and how risk management processes work together as well as with other enterprise processes.

While risk management processes can be very detailed and vary by organization and industry, there are five that organizations should have in place:

  • Risk identification. This is the collection of processes aimed at automating a standard, objective approach for identifying risk. Understand your surroundings. It is about the internal business context, the external environment that business operates in, and your strategy as to where the business is heading. On an ongoing basis, and separate from monitoring of individual risks, is the ongoing process to monitor risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks that are evolving that impact the overall objectives and performance of the organization. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any organization. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its objectives.
  • Risk assessment. Once an organization identifies risk it then can identify what can happen to help or hinder your objectives. An organization wants to identify the possibilities of outcomes to what can impact it achieving objectives. This should go beyond heat maps to include a vareity of risk analysis and assessment techniques (e.g., bow-tie risk assessments, scenario analysis, Bayesian modeling).
  • Risk treatment. After the range of potential possibilities is understood, the organization needs to decide what to do. What is going to be the best route for the organization to achieve objectives while minimizing loss/harm. This gets into risk measurement activities of understanding inherent and residual risk while looking at risk strategies of risk acceptance, risk transfer (insurance), risk avoidance, or risk mitigation (controls). The goal is to optimize value and return while keeping risk within acceptable levels of risk tolerance and appetite.
  • Risk monitoring. This stage includes the array of processes to continuously monitor risks in the organization. These activities are the ones typically done within the organization to monitor and assess risks on an ongoing basis.
  • Risk communications & attestations. Ongoing processes to manage the communications and interactions with risk owners throughout the risk management lifecycle. These are done on a periodic basis or when certain risk conditions are triggered.

https://grc2020.com/2017/04/05/understanding-risk-management-process-architecture/

Joni Suhartono