Incident management in non-financial risk management (NFRM) encompasses the identification, capture, and analysis of risks and the development of corresponding actions. An effective incident management solution promotes faster response to risks and makes it possible to proactively address potential vulnerabilities and prevent further incidents. It identifies potential sources of risk (e.g., implementation of a new product, outsourcing of services, external incidents), provides the necessary data, and triggers subsequent risk assessments in every impacted unit. In short, sound incident management simplifies non-financial risk management. In addition, process efficiency and effectiveness can be increased through the use of new technologies.
Data availability is fundamental for effective incident management. At Capgemini Invent, we are pleased to provide you with structural recommendations based on the cross-sector best practices discovered during our various projects across Europe:
Development of a mutually exclusive and collectively exhaustive risk taxonomy of actual risk events and an effective risk identification process; alignment of the taxonomy with external sources to facilitate the integration of external data into the internal (incident) database.
Governance and organization:
This involves establishing a clear structure with explicit ownership and responsibilities along the three lines of defense. In particular, the responsibilities between the first and second lines of defense should be clearly articulated within the organization. A permanent control team should be created to review the activities and controls performed by the first line and to report to both the first and second lines, in order to permanently monitor operational risks and promote a sound risk culture.
People and culture:
This involves living a culture that recognizes the importance of managing non-financial risks to the extent that everybody in the organization is aware of the risks triggered by their activities, regardless of whether they are directly or indirectly affected by them. One of the best practices to support risk culture is the establishment of a dedicated risk culture entity in the organization. The entity should be sponsored by different departments, such as Risk, Legal, Compliance, and HR. Beyond that, the community should foster knowledge sharing, leverage best practices, and encourage actively challenging existing methods.
Technology and tools:
This involves implementing tools supported by new technologies to examine historical data on losses and to identify (potential) correlations and patterns. New technology will also help to maintain a more complete risk inventory and better integrate external data (e.g., the data from ORX).
In addition to the above-listed prerequisites, incident management further improves when best practices are implemented:
Risk identification and documentation
When identifying an incident, a comprehensive picture of the incident must be captured. Appropriate governance and organization, combined with the right people and culture, leverage the identification process. Lastly, a well-developed risk taxonomy facilitates clear and appropriate categorization.
Assessment and documentation of root causes
Every identified incident must be analyzed down to its root cause. Storing this information in a central database promotes an accelerated initial analysis and makes it possible to proactively reduce incident frequency and solve the root cause of every NFR problem.
Documentation of (potential) impacts of each incident
The impact of each incident on the enterprise is documented, resulting in measurable outcomes, making results comparable and improving audit tracking.
Creation of an action plan
The fundamental remediation of historical incidents is a solid basis to prevent potential incidents in the future. Every remediation action should be defined by considering the link between the root cause and the (potential) impact of each incident, and it should target failing controls and processes. Remediation actions can vary, from automating failing processes to questioning management bonuses when incidents occur repeatedly.
Incident management using modern applications
A solid incident management tool supports the above best practices and provides a dashboard with customizable outputs to track and report incidents. Automated mail triggers include escalation and security processes. To further improve the identification, documentation, and assessment of incidents, the tool should offer the possibility to couple big data with advanced analytics. This can be further enhanced by using natural language processing and optical character recognition. Support for machine learning, APIs, a knowledge base, and SLAs should also be provided.
Stay tuned for more information on incident management by Capgemini Invent.
Erekle Tolordava is a Senior Manager at Capgemini Invent and leads the company's strategic offer, Non-Financial Risk Management, globally. You can contact him at firstname.lastname@example.org or 004915140252792.