im-portant regarding development and operational risk information which generally demand cross functional participation.
To conduct risk information management there are different tools for strategic risks, devel-opment risks and operational risks. According to interviewees there is an opportunity of de-velopment with tools. Dede-velopment need where identified in usability of tools, automation instead of manual use, and capability to link risk information from multiple sources and re-porting and presentation functions based on the imported information.
On this area of risk information management main findings are:
Importance of framework defining prioritization of collection. Framework should support prioritization from business area angle.
Importance of roles and responsibilities ensure best participants Importance of informal risk information
Importance of processes to support systematic approach Opportunity to develop used tools
In case company policy framework and execution in practice mainly align
Opportunity to develop usage of external information (e.g. market changes, com-petitor activities)
In development risk process transformation phase includes two different assessment and evaluation of identified risks. One is analyze of business case risks regarding project delivera-bles and business case. This assessment have dedicated tool and responsible of the assess-ment is project owner. Regarding interviewees’ comassess-ments owner will choose participants to this assessment. Mitigation actions are generally affecting to the scope and timing of the pro-ject. Because this assessment is done prior project start and if the risk outlook is high it can cause that project will not get permission to continue.
Other assessment done first time in the planning phase and continuously updated during the project is the assessment of risks that can affect to the execution in planned time, allocated resources and defined deliverables. According to the interviewees project manager is owner of the assessment and it's generally done by project core team members. There is defined tool to support assessment and evaluation with company defined assessment criteria regard-ing development risks. Tool is also information repository for this risk information.
With collected operational risk information transformation phase includes assessment of iden-tified risks with root cause analyze and estimate of impacts. Assessment includes also identi-fying information about possible current mitigation or controls and definition of possible new ones. After assessment risk evaluation is done with risk likelihood and consequences accord-ing to the defined operational risk scoraccord-ing.
Process owner is the responsible of the assessment and evaluation but interviewees empha-sized that important in this phase is also communication and consultation holistically with stakeholders which can give input to the assessment. Every process has its own risk infor-mation tool which is synchronized manually to business unit risk master which compiles oper-ation risk informoper-ation from every process.
Interviewees commented that current tools used to manage risk information are various and some kind of consolidation with tools and risk information structure would support use of the tools and assessments. Interviewees appreciated that they have direct access to the tools and risk information that they own but also commented that there is chances of development in tools.
Main observed challenges with current tools were heaviness for efficient risk information management. It was seen that that tools should support modular structure where identified risk can be assessed with few mandated fields and additional only when seen needed. It was also observed that current tools do not support well any kind of graphic outcome of risk view for owner nor reporting capabilities. This is important findings because used tools are
back-bone of risk information management and should guide the process and support effective and efficient risk information management.
Other area discussed with respondents was risk assessment criteria and how well it currently supports risk assessments and so risk prioritization. There are currently many different crite-ria for different risk categories and interviewees commented that sometimes it seems compli-cated to know which one to use (see Graphic 12). It was also seen that more instruction to estimate risk likelihood or consequences would support risk evaluation. It was also comment-ed that some kind of case examples would be good addition to support risk evaluation.
Graphic 12. Risk evaluation criteria, operational risks (Impact2 x Likelihood = Significance)
Important part of the transformation phase is also communication and consultation cross functionally with stakeholders and interviewees saw that communication has so far been open, effective and efficient. Though interviewees were partly worried that how this good communication can be secured in new organization after merger. Interviewees also com-mented that communication between specialists from different units regarding risks or uncer-tainties is many times executed informally. This informal risk information communicated ex-ample with during coffee breaks was seen important among respondents.
On this area of risk information management main findings are:
Observed development needs with tools used to manage risk information (consoli-dation, automation, reporting capabilities)
Opportunity to consolidate and develop usability of risk information management tools from different processes to one single platform
Variety of different risk assessment criteria for different risk categories. Possible opportunity to consider consolidation.
Importance of cross functional communication regarding risks. Importance of in-formal discussion regarding risk information.