We all know that from time to time things go wrong - that's just life. What matters is how we learn from past experience and what we do to stop errors recurring. That's where the risk event process comes in.
A risk event can be defined as "an event where something has happened as a result of human error; inadequate or failed internal processes; inadequate or failed systems or due to an external event". So what types of risk events might your firm come across?
- You may accept a fraudulent withdrawal request from someone claiming to be one of your clients if appropriate verification checks are not completed.
- You could find yourself in possession of the proceeds from criminal activity if appropriate KYC and AML checks are not in place.
- Confidential client data may fall into the hands of a competitor if appropriate encryption software is not installed on company laptops.
Any one of these scenarios could be classified as a risk event and would be worthy of further investigation. Why was the verification check not completed? What is the impact of not complying with AML legislation? How many clients have had their data compromised?
These are just some of the questions you would want to ask when recording a risk event as part of the event logging process. If the event impacted a high number of clients or proved costly to fix, then chances are it would be a high-impact risk event, and you would be keen to understand why the error occurred and put things right. Having such information documented would also be useful from a PI perspective.
In order to fully address control failures and close out risk events, appropriate action plans need to be developed. A risk event will typically have both a corrective and a preventative action plan and there may be a need for mitigating actions too. So what should you consider when developing these action plans?
- Corrective action - What action is needed to put clients back in the position they would have been in had the event not occurred?
- Preventative action - What action is needed to ensure the root cause of the event is addressed and there are no repeat events?
- Mitigating action - What additional training can be provided to help alter behaviours?
Ultimately, action plans should be robust and cost-effective. They should have realistic target dates that reflect the significance of the event and take account of resource constraints, complexity and any third-party involvement that may be required. An effective response to a risk event will see errors put right quickly and steps taken to 'turn off the tap' and prevent recurrence.
So there you have it. The next time you become aware of something not working out the way it should have, stop, take a breath and log a risk event!