In the third installment of this series, we will further evaluate the importance of assigning ownership and how it accelerates issue resolution, and provide some examples of assessment methodologies and how they can help deliver a secure business environment.
- Assigning issue ownership
- Assessment methodologies
- Prioritizing resolutions
The core objective of this article is to empower you to establish a consistent management methodology and optimize the use of your resources in issue resolution.
In the previous part of our series, we identified the main registers that teams should be using to document risks, nonconformities, and issues. These repositories provide teams with a baseline to understand and identify what needs to be done to implement a successful issue management program.
For a refresher on register types, you can read part 2 of our series. Now let’s get to it.
Assigning Issue Ownership
As we know, an issue register is a document where all issues that negatively affect your company are recorded and tracked – from identification to resolution. For smooth and swift resolution, teams must establish issue ownership. An issue owner is the person responsible for managing various issues including threats, vulnerabilities, and nonconformities.
In general terms, the issue owner should be someone who possesses relevant expertise and has acting authority: someone who can be held accountable. The issue owner is typically a point of contact at the leadership level. The owner coordinates efforts to mitigate issues by managing the team members and individuals who are responsible for the associated smaller pieces (tasks).
As part of a corporate governance program, it is always suggested to keep a centralized responsibility matrix. This matrix must specify, at the leadership level, who the decision-makers are. This serves as a guide to creating a contact list in the early steps of your program.
As a best practice, the matrix should also document the general roles and responsibilities of the individuals within it. This might include who is:
- Identifying and assessing risks
- Performing root-cause analyses
- Determining mitigation plans, corrective, and preventive actions
- Articulating and assigning tasks to team members
- Making sure risk issue management is integrated into operational activities
- Monitoring and reporting the status of open issues
- Ensuring that internal and external environments are monitored for emerging risks and opportunities
Risk Assessment Methodologies
Another important component of your governance program is to ensure that all issue owners employ the same assessment methodology. This makes your prioritization efforts more efficient, consistent, and measurable regardless of available financial and human resources.
There are several advantages to establishing a risk assessment methodology that is simple and straightforward:
- Increase in general understanding and adoption rate of the assessment methodology
- Improving the efficacy of analyses and accuracy of results
- Streamlining the risk assessment methodology’s applicability for different risk categories
There are two core assessment methods, but the most well-known and commonly used method for assessing risk is the qualitative approach, which relies on the judgment and expertise of the assessor. Assessors seek best-practice guidance to reach their decisions, and will often combine their own experience with consulting others when carrying out the assessment.
A simple formula for this method can be summarized into:
Risk = Impact x Likelihood
In this case, the impact measures the consequence and severity of the risk in the event it materializes. Likelihood analysis should be based on the controls already deployed and within the context of the internal and external environments to which the risk applies.
A nominal value must be attributed to each qualitative component:
The final risk rating will be used to prioritize issues.
When dealing with nonconformities, the most critical element of resolving them is to perform a root-cause assessment. Your method for analysis should focus on identifying the cause and its various sources to prevent similar recurrence while mitigating future risk. A couple of the most effective methodologies are:
- 5 Whys: The 5 Whys is a method that uses a series of questions to drill down into successive layers of a problem. The basic idea is that each time you ask why, the answer becomes the basis of the next why until you can reach the root of that problem.
- Fishbone diagram: Also called a cause-and-effect or Ishikawa diagram, the fishbone diagram sorts possible causes into various categories that branch off from the original problem. This method allows you to visualize and organize potential causes of a problem into a useable framework for solving it.
In nonconformity management, identifying the root cause is an important step before assigning a final score to the issue and defining its criticality. For example, you might decide to prioritize nonconformities in specific operational areas that might have a bigger impact on clients.
Prioritizing Issue Resolution
This is another variable that must be well documented and communicated to all stakeholders, especially leadership.
Issue prioritization can be achieved by evaluating the issues against your organization’s needs, expectations, and environment to determine which are more likely to occur, which will have a higher impact, as well as areas that might have a greater adverse impact.
When it comes to prioritizing issues, ask yourself a couple of questions to create an effective strategy:
- How critical would the immediate impact be to clients, brand image, and reputation?
- How critical would the future impact be to clients, brand image, and reputation?
These questions are tied directly to:
- Immediate loss of revenue and reputation, which might have tactical operational considerations.
- The future impact of the risk in your system, which might have negative consequences for clients.
These first two questions can help you prioritize based on urgency, timing, and allocation of resources. Next, you should document the categories or areas of issue that should be prioritized.
If you associate the result of your assessment methodology with resolution urgency, and review it considering the category of the issue, you should have a fairly consistent baseline for an effective prioritization system.
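The scoring and prioritization approach described above, as an added example that is not part of the original article: it applies Risk = Impact x Likelihood to a constructed issue register, holds back entries that have no owner or an unknown label, and orders the rest by rating, then resolution urgency, then category. The 1-5 nominal scales, the category order, and all names and sample entries are assumptions.

```python
from dataclasses import dataclass

# Assumed 1-5 nominal scales and orderings; replace with your organization's own.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
URGENCY = {"immediate": 0, "future": 1}  # lower value sorts first
CATEGORY_ORDER = ["client-facing", "operations", "internal"]  # highest priority first

@dataclass
class Issue:
    issue_id: str
    owner: str
    category: str
    impact: str
    likelihood: str
    urgency: str

def risk_rating(issue):
    """Risk = Impact x Likelihood, using the nominal values above."""
    return IMPACT[issue.impact] * LIKELIHOOD[issue.likelihood]

def problems(issue):
    """Return the reasons an entry cannot be ranked yet (empty list if none)."""
    found = []
    if not issue.owner.strip():
        found.append("no owner assigned")
    for field, table in (("impact", IMPACT), ("likelihood", LIKELIHOOD),
                         ("urgency", URGENCY)):
        if getattr(issue, field) not in table:
            found.append(f"unknown {field}: {getattr(issue, field)!r}")
    if issue.category not in CATEGORY_ORDER:
        found.append(f"unknown category: {issue.category!r}")
    return found

def prioritize(register):
    """Split the register into a ranked list and a list of rejected entries."""
    rejected = [(i.issue_id, problems(i)) for i in register if problems(i)]
    valid = [i for i in register if not problems(i)]
    ranked = sorted(valid, key=lambda i: (-risk_rating(i), URGENCY[i.urgency],
                                          CATEGORY_ORDER.index(i.category)))
    return ranked, rejected

# Constructed sample register (not from the article).
REGISTER = [
    Issue("ISS-001", "CISO", "client-facing", "major", "possible", "immediate"),
    Issue("ISS-002", "IT Ops Lead", "operations", "moderate", "likely", "future"),
    Issue("ISS-003", "", "internal", "severe", "likely", "immediate"),
    Issue("ISS-004", "Compliance Lead", "internal", "severe", "unlikely", "immediate"),
    Issue("ISS-005", "IT Ops Lead", "client-facing", "moderate", "likely", "future"),
]
```

Three of the sample issues share a rating of 12, so urgency and then category decide their order; ISS-003 would otherwise rank first but is held back until an owner is assigned.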
In the final part of this series, we will discuss the best approaches to monitoring issues and how you can create reports that will keep your team up to date and impress corporate leaders.