
Dragging operational risk management into the 21st century

Nicola Crawford and Norman Hoppe explore ways of improving operational risk management within today’s complex businesses.

The way you manage your business is one of the most important factors that differentiates you from your competitors; it is your organisational DNA and a key enabler of stakeholder value. But if you don’t understand how the elements of your operations interact and how business decisions are made, then you don’t know what you don’t know, and you can’t manage what you don’t know. Is this a valid defence for inaction? An excuse for slow progress? Grounds for asking “where to next?” in the context of managing your organisation’s operational risks?

Managing operational risk is not new. Organisations in general, and some industries in particular (banking, manufacturing, logistics etc.), have been aware for many years of the hazards and uncertainties arising from IT infrastructure, human resources and fraud, business disruption, legal liability and many similar issues. However, the growing number of business failures, the increasing complexity of business and mounting regulatory pressure are renewing the visibility of these risks under the banner of “operational risk”. This re-focuses the position and status of these risks for management decision-making purposes. The re-focusing was emphasised by the events of September 11th, which provided us with a fresh appreciation of the innumerable contingencies and interdependencies that make our modern economy work and organisations thrive. However, we have also learned that most operational vulnerability is due to our inability to understand and adapt to changing risk contexts – our inability to control our operational capability appropriately.

This is still evident in today’s reactive stance to a number of compliance drivers such as Turnbull, Sarbanes-Oxley, ISO 17799, BS 15000, APRA and Basel II, to name just a few. Many businesses have put in place reactive strategies to provide a short-term solution to what will be a long-term and ongoing need for continuous operational risk management.

Operational risks have historically been managed independently of each other. Generally, the huge population of line managers, specialists and operations staff in modern public and commercial organisations still has no formalised, cohesive role in protecting the organisation’s intangible and tangible assets.

Worse, the various departments and functions that make up the “operational risk” environment in an organisation still usually compete with each other rather than collaborating, particularly when budgets are at stake. This is mostly due to roles that overlap and a requirement to communicate only when absolutely necessary. This ultimately leads to an increased cost in controls due to:

• Duplication of work, and the resulting loss of productivity
• Confusion of work priorities
• Knowledge that is not formally shared or recorded
• Diminished effectiveness of management reporting
• Varying quality of work
• Differing work or delivery expectations

Unfortunately, protecting the complex, technology-dependent, globally focused organisation today is still in the hands of organisational structures and methods that were developed before the commercial computer age – let alone the network age. Given this and the “silo” development of operational risk functions, the compelling question organisations now need to ask is “what constitutes good operational risk management?”

The solution to providing real operational risk management requires a robust matrix structure that reaches everyone in the organisation. The underlying layer that engenders the matrix should protect all of the processes and the tangible and intangible assets of the organisation. A new business risk paradigm must be designed and implemented to support sustained organisational performance. Yet, as easy as this sounds, very few organisations have achieved a systematic approach to measuring and managing non-financial risks to their operations. This would require organisations to routinely review and continuously monitor many factors, such as the quality of corporate governance, employee management and stakeholder management processes; the company’s use of technology; and its deployment of ‘best practices’.

There are already numerous tools available - including the Balanced Scorecard, activity-based costing, driver-based forecasting, real options, Monte Carlo simulations, and scenario planning - designed to provide insights beyond pure financial results. They can add value if used appropriately, but few organisations have established a process for translating the information generated by these tools into an understanding of operational risk that then leads to better decision-making.

Why is this so? The simple term “risk management” camouflages the complex nature of managing risk within operational settings.

People, the organisations in which they work and the environments in which they exist are dynamic and non-linear in nature. Managing operational risk is about understanding the way in which organisations and the people within them make choices about appropriate courses of action. This also entails an understanding of the consequences of those choices – particularly if they are inappropriate.

This is exacerbated by the “many languages” of operational risk that previous “silo” approaches have created. An effective operational risk management paradigm needs to establish a common language that promotes consensus about the choices made in pursuit of organisational and individual objectives.

Unfortunately there are a number of different definitions of ‘Operational Risk Management’, leading to confusion that, so far, has not been rationalised by the agencies that the world is looking to for guidance. As a result, it is necessary for each industry group, association or company to first select the best definition for themselves and publish it in their risk management policy statement, in effect creating a new paradigm that is specific and therefore adequate for its needs.

This new paradigm starts at that big shiny table on the top floor. A recommended approach is that the non-executive directors provide real loss management input to an Operational Risk Management Forum. This forum is not a new idea; it has been around for at least fifteen years. What has been missing is a seamless connection upwards to the CEO in his/her role as accountable person for Corporate Governance, and to the audit committee – to whom the Operational Risk Management Forum should report (if not, then directly to the full Executive Board). The Forum must also report downwards responding to the organisation’s line management who should be the primary source of continuous and structured input. The Non-executive Director(s) should also draw information from the specialist operational risk management areas that would now report directly.

With this in place, the major issue can be resolved: the rearrangement, change, expansion and contraction of the activities of the various internal control functions that make up operational risk management.

The full requirement for internal controls will fall out naturally from a practical (not enormous) risk analysis. The requirements for public/private controls interface and control interfaces with outsource partners, key suppliers, clients and so on would be evaluated as a key issue in the risk analysis.

Next, every job description in the organisation, from receptionist to director, will need to be enhanced to include individual accountability for, and individual scope of, risk management. There has to be a professional, comprehensive internal marketing campaign running in conjunction with all this activity, changing the culture to one that is risk-mitigation-oriented.

In this multi-level operational risk management programme, all the levels are equally important to the success of the venture. This is not ‘defence in depth’, where one level of control can fail but the others provide effective protection. In this kind of programme, if one level is ineffective or disregarded then the whole programme fails.

Awareness of the need to change our current operational risk management models is on the increase, and we often look to international and national regulation and standards for guidance. Standards exist, especially in the financial services industry and in countries like the UK, the USA and Australia, and we thump the table pointing at them. But every organisation is different, which is why international standards in our environment are so generic. A highly detailed standard that suits General Motors in Detroit will not help a governmental agency in Malaysia – much. Often, even companies in the same industry sector are very different internally. Therefore, the global ‘how to’ publication cannot be a global standard – it has to be a methodology with a focus on the outcomes that are expected.

Regardless of what “methodologies” are available for adjusting our business risk paradigms, there has to be a cost-effective, business- and service-convenient answer to initiate implementation. The justification will lie in the outcomes that the methodology is expected to achieve. We should not settle for anything less than an approach that contributes to sustainable organisational resilience: an approach that recognises both the downside and the upside of preserving shareholder and stakeholder value through the management of operational risks.

In the past “do nothing” has been an option to consider when deciding whether to initiate a major project such as this. But doing nothing in the 21st century is not a valid option. Not when the majority of organisations still apply early 20th century internal control solutions even though these organisations run on complex, specialist systems and deliver their products and services through equally complex methods. Fifty years ago one person in one department of an international company could not possibly bring down the whole enterprise. Today, basic operational risk analyses show just how widespread this vulnerability is.

In summary, operational risk is a nexus for all operational decisions and their subsequent outcomes, yet there is generally little evidence that many organisations have successfully adopted an integrated operational risk management mantra. The blame for not achieving effective, practical, modern operational risk management lies with everyone. Internal controls are seen as a nuisance. They slow you down, stop you moving forward, prevent you taking the afternoon off or completing the activity that you know will work – they are viewed as a cost of doing business rather than as a key component of an operational risk management system that sustains stakeholder value by capturing and managing opportunities.

Take a break from this and ask yourself: does your business have this view of operational risk? When was the last time the managers in your organisation responsible for physical, personnel and information security, ICT risk management, emergency management, investigations, legal and ecological compliance, business continuity, insurance and any other industry-specific components of operational risk management sat down together for a chat?

Your response to this question may well provide an opportunity for your organisation to move forward by improving its ability to manage its operational risks.

© Business Resilience Group 2005. PO Box 6836, 600 St Kilda Road, Melbourne, VIC 8004, Australia. www.businessresilience.com.au

Authors: Nicola Crawford, managing director, BRG and Norman Hoppe, director information & operational assurance, BRG.

Date: 27 May 2005 • Region: Australia/World • Type: Article • Topic: Operational risk