When you set your organizational direction and adopt a common language and framework for managing risk, you must include the measurable categories associated with credit, market and operational risk. Many choose to adapt the COSO Guidelines to create their unique risk management and control framework.
The question remains, Is that enough? Do you have enough categories to truly address the methodical management of all material risks?
The Board of Directors must be able to understand the framework to begin any meaningful programmatic approach to identifying, assessing, managing and mitigating risks. Now what would happen if you added a few more categories to include:
Certainly the Board understands that these are real and important categories to include in the framework. However, these are much more difficult to measure and merge with the new governance culture found in most SOX-oriented organizations.
Creating the right environment for employees, supported by the correct processes, is not enough these days. Now the front line must also have the right tools to help in performing risk assessments and analysis as change takes place in products and the marketplace. Creating a risk culture that is effective is a balancing act for employees who are trying to decide if they have a material risk to mitigate or an opportunity that has yet to be realized. Employees need to be able to embed this kind of decision making into the fabric of their daily work routines as opposed to a quarterly or annual exercise.
The largest institutions that have already established the framework, support processes and tools along with the staff are well on their way to meeting the goals of prudent corporate governance. Developing a more comprehensive and pervasive adoption rate across the Tier II and small to medium-sized institutions is far from reality. We are just beginning this long and difficult journey.
Maybe the biggest question for these evolving risk management cultures is how and where to begin. The answer might be found in your current abilities to deal with "Change" itself. At the end of the day, any Operational Risk Management program is going to be about the ability to address the velocity of change. If you haven't been getting an "A" in this part of your report card, then you can be sure that managing your newfound material risks will be far from excellent.
A "Loss" is a financial impact from an event that shows up on the company's financial statements. This financial impact shows up as "write-downs" or other entries in the annual report. As you build a Loss Event Database to record losses across the organization you expose the organization to new risks that have never been known before. This is where resources are invested and where management realizes the beauty of having a "Grass Roots Risk Management" initiative.