Cascade of Originators: the party most likely to be responsible for the occurrence of an adverse event (e.g. a consumer complaining to the CFPB, or an employee committing fraud or keeping incorrect books). In an increasingly connected world with complex business relationships, a seemingly harmless action by one party can set off a chain of events that affects other parties, one of whom may end up being the originator of the risk. Understanding the originator, or the sequence of originators, of the risk can go a long way in identifying root causes and suitable monitoring/review methods for proactive risk mitigation.
Cascade of vulnerable parties: the party who is affected the most should the risk ensue. A risk often affects many parties due to intertwined relationships, so understanding the likely chain of vulnerable parties is critical. Although all risks affect the firm in the end, the intermediate vulnerable parties after the risk ensues can change the impact of the risk on the firm. For example, due to recent CFPB regulation changes, a consumer affected by a risk caused by a financial institution can cause a lot more damage to the institution than another risk that does not affect any consumer and is not watched by any regulator.
Mitigation Owners: In general, it is important to centralize risk mitigation responsibilities. However, this approach has a downside: it can lead to escalating costs and an inability to scale up to meet the demand for comprehensive risk management and timely risk mitigation. In cases where multiple groups or owners are involved in risk mitigation for a business entity or process, it is important to document the responsibilities of each owner/group and ensure there is no overlap and there are no cracks through which risks can slip.
Impact on firm: Almost all risks have a direct or indirect financial impact on the firm. However, understanding the sequence of likely impacts can help with proactive risk mitigation. A consumer or whistleblower complaint on social media that spreads like wildfire can affect brand image and lead to more serious reputation and financial risk (e.g. customer defection) to a firm than regulatory action.
Compliance: Whether the risk affects compliance with government regulations, industry practices or enterprise standards can significantly change the impact on the firm. Almost all firms take regulatory compliance seriously and work on fixing holes that may lead to non-compliance. However, if enterprise standards are formulated and monitored properly, they should serve as early warning signals for a possible regulatory compliance breach and can help identify risks proactively, before the firm's reputation is affected by regulatory action.
Prioritizing various risks from the above viewpoints can go a long way in developing proactive risk identification and mitigation methods that address the big problems first and help save the firm's reputation and bottom line.
In addition to risk definition and classification, there is a lot of work to be done in risk identification as well. So many companies still send passwords, or full account numbers without masking all but the last 4 digits, through email. A thorough audit of business processes and systems is essential to catch such problems.