Operational Risk Management

Operational Risks

It’s all about controlling the probability that something goes wrong.

It is one of those topics that people generally don’t like to think about, because it usually means a lot more work on top of the work you already have, or worse – it associates blame for the gap with the person who raised the gap.

What I have come to find is that when it comes to risk management, it’s probably one of the best areas to look into, to profile yourself as a thought leader. Like anything else, it is all in the presentation.

Countless times in my career I have seen people create urgent and wide attention on “things that need to be fixed right away”, things that have been open for years. And those that do fix it, well, they do get rewarded or at least recognized for the effort.

From a value creation perspective, which I define as your ability to do something more than your regular 9 to 5 (what more value are you providing?), risks are in fact generally easier to identify and work on than ideas. Ideas generally require already thinking about a better process or way.

In a risk containment approach – really what you need to do is follow 4 simple steps (and a possible 5th):

  1. Ask, Find, Hunt

If you already are a subject matter expert, then you’d know where to look and you can skip this section.

If you want to profile yourself as a risk management guru, you need to talk to people – preferably process owners. Look for a few common themes:

    • Process that is manual, and people dependent e.g. someone needs to key everything manually into Excel
    • A role that has no coverage, e.g. if someone is out of office – it’s a scramble, perhaps after hours support is needed at times but no one is ever on-call formally
    • Ask people about past outages, folks tend to remember this – you might strike gold if you meet someone who took the initiative to solve that outage that one time… perhaps you could implement a permanent fix

If you’re already planning to have a value creation SharePoint for your organization, this process becomes easier <see innovation topic>.

  2. Categorize

IMPACT
High Impact / Low Probability  |  High Impact / High Probability
Low Impact / Low Probability   |  Low Impact / High Probability


The chart is pretty much self-explanatory; all you need to do is populate it with different risk topics. Don’t rule out anything yet, put them all in.

Obviously the high impact, high probability risks are the best ones to tackle – typically these would already be addressed in some makeshift fashion, or they are usually too expensive or complicated to fix.


I like the high impact low probability ones – you could smartly group a few together to make a risk bucket, thereby increasing the total probability accordingly. Take the example below, of a typical bakery or confectionery, where the high impact but low probability items could be looked at together and addressed as a Business Continuity Plan.

IMPACT

High Impact / Low Probability
    • Fridge malfunction
    • Printer malfunction
    • Delivery vehicle faulty

High Impact / High Probability
    • No delivery agent available for after-hours call

Low Impact / Low Probability
    • Design PC not working
    • Stove not working

Low Impact / High Probability
    • Fridge condenser gets frozen

  3. Fixing It

Now this is where it gets exciting, what could be done to mitigate the risks?

Chances are the folks that highlighted the risks already have suggestions, but do brainstorm a bit more. If you just happen to have a position with a wider view of the larger organization, you may even be able to find a solution sitting in another department, or a process that could be reused.

Again – talk to people, read, research. The key word here is business impact. If you cannot identify, qualify or best of all – quantify – any business impact from the risk, it just won’t sell.

If you find that some of the risks you identified are just going to cost too much, or you don’t have an idea on how to fix them – don’t worry, it is still worth highlighting in the form of a “self-study” document, a very short work-in-progress summary write-up.

So net – you don’t need a fully cooked solution, but your business case for why this risk matters has to be great. One way to get perspective on this, ask yourself what your management has been talking about, what are the buzzwords and try to relate them… cost savings, productivity improvement, process outages, infrastructure resiliency, impact to billing or shipping processes?

Risk Description

Title/Keyword: After Hours Rota <Your Name> <Today’s Date>

One Line Problem Statement: XYZ Confectionary is missing / not processing after-hours orders on time, leading to missed revenue.

Business Value: XYZ Confectionary has seen a surge of overnight confectionery orders since launching our online portal. These late orders are priced at a premium, where one after-hours order would equal 3 business hour ones. We have missed 2 orders in the past month valued at $1,250. We were late in delivery for 8 orders valued at $5,500, leading to customer dissatisfaction.

Recommendation: It is recommended that a staff Rota is established so that different people are scheduled to be on call on different nights, getting the next day off.

  4. Growing the Program

If this all gets received well by management and you find yourself needing to structure and expand your risk identification pursuit to the rest of your organization, you aren’t going to need to do a lot more than ensure 1) accessibility, 2) promotion and 3) continuance/wrap-up.


I’d recommend transferring your data to a SharePoint or corporate website, and be sure to define a data gathering structure that makes it easy for you to pick out the ones with big potential or to be able to pull data in an organized way.

At the very least you need to have a short summary, business value, recommendation and impact. But also consider, if you are in a confectionery for example and you have 5-6 key workstreams, e.g. baking, delivery, storage, packing, sales, others – you may want to force folks to pick which of these areas the risks fall in. It can give insights into tackling a couple of strategic risk areas.


You could sell the idea of how a team collectively identifying risks to be mitigated helps everyone and is a virtuous pursuit – but I can safely tell you nothing draws interest as much as a rewarded effort. Try to secure something simple from management, dinner or a cash prize, for the person or team that comes up with the best risk and mitigates it, every quarter.

It would also help indeed if you spoke to department heads, or joined several department team meetings to spend 10 minutes talking about the risk mitigation program. Nothing works better to illustrate what you are seeking than to do a quick demo, and show a real example.


The easier it is for people to use the portal you set up, the more successful it will be. That said, try not to allow risks to be registered without a concluding status. Commonly you’d ask people to pick from these 4 – Avoid, Accept, Mitigate or Transfer, where:

    • Avoid – you actually plug the gap, fix it!
    • Accept – there are risks so small, and at times on non-value-adding processes, that everyone just signs off and accepts the risk
    • Mitigate – you put a workaround that reduces the likelihood significantly
    • Transfer – outsource the risk for someone else to bridge the gap

If these sound too difficult to explain in a 10-minute briefing – I’d recommend keeping it as Open/Close/Keep-In-View where:

    • Open – we’re still working on how to mitigate the risk
    • Accepted – we accepted it, can’t fix it
    • Fixed – implemented a fix

Once you feel that you’ve run the program for a good stretch, it’s really important to showcase your value as a program leader, and this is where having structured the data gathering bit will be useful. Present to management a report on insights, a 2-slide summary if you will. Organise the data into logical buckets and share interesting considerations.

  5. Other relevant data

In closing, it is absolutely true that a good grassroots risk mitigation program can save a lot of downstream outages and wasted manpower spent solving a known problem. However, there isn’t any real metric to quantify success for a risk program, unlike a sales program which takes the total numeric growth as a win – you can’t say a surge in registered risks is a good thing.

It’s also difficult and somewhat demoralizing if everyone spends their time only thinking about what could go wrong instead of what can go right – new processes and technology vs trying to fix existing outdated ones. It’s not a culture folks would want to embrace.

My recommendation would be to do an annual exercise, the risk review – or something of this nature. A month in a year, with a small prize, I think you’d get a lot done quite quickly.

If you’re super interested in this topic, I’d recommend that you read: Blowup (Awesome article about risk in Malcolm Gladwell’s book What the Dog Saw… ) Posted January 22, 1996 by MALCOLM GLADWELL & filed under DEPT. OF DISPUTATION, THE NEW YORKER – ARCHIVE. http://gladwell.com/blowup/
