
Risk management: What should be, what is and what could be

By Bill Sharon, CEO and Founder, SORMS

For the past decade, management consultants and some of the more enlightened complex global organisations have been struggling to define, identify and manage the risks that do not fall into the categories of market and credit risk. Initial attempts to categorise these risks resulted in a plethora of names: business, strategic, legal, third-party, reputational, etc. In financial services, these risks were eventually grouped as ‘operational’, and there has been considerable effort to leverage the actuarial processes of market and credit risk to quantify exposure in this area.

Recently, COSO published a comprehensive approach to risk which they have labelled ‘Enterprise Risk’.

My company's view is that the categorisation of risk is far less important than the manner in which it is understood and used within the organisation. The danger of the current efforts is that they are primarily reactions to the demands of the regulatory bodies and have encouraged the idea that risk is something that should be avoided.

We believe that risk should be evaluated on a continuum: from the hazards that should be mitigated; to the uncertainties that characterise most of the activities in the operating environment and must be managed; to, most importantly, the myriad of opportunities that are presented through the execution of the business strategy.

This view of risk management provides for a holistic view, not only in the sense of providing a context to understand risks across a broad range of categories, but also to make information about risk relevant to the component parts of complex organisations. Lack of this kind of relevance is what will cause many of the current efforts to be dismissed by business leaders and ultimately downsized because of cost. That kind of failure is not an option in today’s environment.


The risk management continuum

Using the risk management continuum as a unifying principle for categorising risk, there are two underlying concepts that must be addressed to make the management of risk a relevant activity.

Audience
Data without relevance is not useful. Prior to collecting information it is essential to determine who the consumer of the risk information is and what their responsibilities and objectives are in the organisation. Too often, business managers are presented with events that their risk management departments have collected and categorised but which, when viewed in contrast to the number of opportunities to fail (the number of actual failures in contrast to the total number of transactions or positive outcomes), clearly lack relevance. This is the surest way to marginalise risk management and consign it to a cost of business imposed by external regulatory bodies.

An understanding of the business strategy is as crucial as a proactive view of risk issues. Revenue generating managers will respond to risk information that is presented as an aid to their strategy, not solely as an insurance policy anticipating the failure of their efforts.

Language
The language used in communicating risk is directly related to the audience. We have two basic categories for language:

• Defensive: Usually associated with internal or external compliance activities. This can range from communicating the rationale for capital adequacy to understanding the limitations of the operating environment to support the business strategy.

• Offensive: This is risk management information that identifies the range of opportunities available to execute the business strategy and the criteria to evaluate them given the context of the business strategy.

Failure to establish clarity in this area has the potential to create far greater losses than issues in the operational or regulatory area.

Risk in an organisation is best understood when it relates to human experience. To that end, SORMS has identified three perceptions of risk —

  • What Should Be,
  • What Is and
  • What Could Be.

These perceptions define the audience for risk management information and the language used to communicate it.

Risk defined as “What Should Be”
We are all familiar with “What Should Be”, from what we should eat to how we should invest to the quantity and quality of insurance we should carry. Essentially, we measure our success or failure to achieve these desired states by comparing ourselves to externally defined standards.

The corporate scandals of the past several years and the implementation of Sarbanes-Oxley and Basle II have resulted in an intense focus on compliance efforts in virtually all complex global organisations. These efforts, while arguably necessary, have focused risk management in most organisations on “What Should Be” - in this case, making sure that financial processes are measured against externally determined standards. While there may be room for modification of the Sarbanes-Oxley requirements, particularly for smaller organisations, transparency initiatives are here to stay.

The operational audience for the information generated by these efforts is generally the internal audit department and the Controller. Clearly, CEOs and members of the Board are keen to be assured that their operations are in compliance, but they are not users of this information on an ongoing basis.

The language of this information is defensive; comparisons of ongoing practices and procedures are measured against regulatory requirements. Plans are developed to bring operating activities into compliance. While essential from a regulatory perspective, the language and content of this risk management information is marginal, at best, to the ongoing business activities of the company.

The concern here is that compliance is being confused with risk management.

While it is obviously a component of that effort, it is but a part of understanding the range of risks that an organisation faces. Given its limited relevance on an ongoing basis to the rest of the organisation, confining risk management to compliance requirements is dangerous. It is tantamount to addressing health issues by buying insurance and failing to exercise and pay attention to one’s diet.


Risk defined as “What Is”

If we carry the previous example forward, “What Is” in an individual’s life represents a cacophony of events and perceptions that are constantly changing as we mature, obtain new information and, in many cases, seem to achieve wisdom through serendipitous events. Staying healthy requires effort on a daily basis.

The operating environments of complex organisations present the greatest opportunity to move the business strategy forward while at the same time presenting the greatest hazards. “What Is” is often necessarily composed of new procedures and policies designed to create and sustain competitive advantage, an inherently uncertain area. These processes are, by their very nature, not well understood by the people involved in compliance activities. As the processes mature they can be incorporated into the compliance process, but until then, the management of risk as “What Is” is crucial.

For example, much has been made in the press about the changes in the marketing services environment. A management structure based on print and broadcast is being challenged to synchronise campaigns across multiple channels. Additionally, the cost-plus economic structure of the business is under constant assault and militates against efficiencies. New revenue-sharing models, while attractive in both profitability and client relationship, present significant risks for organisations that have little experience in managing risk.

As the industry addresses these issues the “What Is” of their operating environments will change dramatically.

The language of evaluating risk needs to be not only defensive (i.e. how to account properly for revenue from the new models) but also offensive (how to leverage the operating environment to create and sustain competitive advantage). The consumers of this information form a much broader constituency than the compliance community. They are the operating managers of the company and to get their attention the language of risk needs to be relevant to the tasks that they need to accomplish. The context for the management of these risks becomes more internal with the business strategy emerging as the guiding framework.


Risk defined as “What Could Be”

At the individual level, unfocused or uncoordinated efforts do not result in achievement or mastery. Training for the triathlon probably means that you would have to forgo learning the violin (assuming that you have to work for a living). Completing your workouts without being distracted by the latest track shoe or bathing suit will likely yield better results.

Managing the risk of “What Could Be” requires a coherent, focused and integrated business strategy. Managing the uncertainty of the operating environment and controlling the hazards implicit in non-compliance must be assumed to be in place in dealing with the risks associated with opportunities. As the business strategy evolves through experience in the marketplace, the ability to assess risk, particularly in the uncertainty of the operating environment is essential business intelligence. Managing the risks associated with “What Could Be” requires an accurate assessment of the organisation’s ability to execute.

Underestimating the operational capacity required to produce a new product or service, penetrate a new market or integrate an acquisition are contributing factors to failure.

The risk management processes culminate at the opportunity end of the risk continuum. The key to managing “What Could Be” in a complex organisation is the ability to take advantage of the opportunities that advance the strategy. The discipline to not be distracted by interesting but tangential opportunities (the real art of good management) requires solid assessments of risk in the competitive environment. Risk management in this context is about clarity and the ability to not only identify the correct opportunities but also to maintain discipline in pursuing them.

The language of risk management at this end of the continuum describes the offense that needs to be executed to maintain competitive advantage and achieve the strategic objectives of the firm. It encompasses internal assessments (the operating and compliance arenas) as well as external competitive information.


Implications of the risk continuum

People have been managing risk on an organised basis since the days of the early agrarian societies. In the modern world, until recently, successful managers have dealt with operational risk as a matter of course, in many cases intuitively. This area of risk has only come under scrutiny relatively recently because:

1.) It has become clear that relying solely on a defensive risk management process does not prevent operational losses, and

2.) The advancement of technology has resulted in complex operational environments that are rarely understood by the business managers who rely on them to achieve their goals.

Unfortunately, a series of events has driven the management of risk into the lower left-hand section of the risk continuum (“What Should Be”). The spectacular abuse by a small number of executives and the resulting legislation have consumed vast amounts of resources, both human and financial, with the result that risk management is largely viewed as a “What Should Be” exercise.

This is dangerous on several levels. The defensive language of risk management can result in a loss of credibility for the entire effort. When senior executives are confronted by a myriad of events of high impact and low probability in combination with data that illustrates that the problems being tracked are not significant, they tend to stop listening. Additionally, it is important to understand that regulatory requirements are based on known risks.

The advancement of the business plan necessarily will involve taking new risks. If compliance is the primary focus it is tantamount to driving a car down the highway at 100 miles an hour while staring in the rear view mirror.

SORMS' belief is that risk management is about communication and organisational change. To that end, clarity is vital. Audience and language need to be understood from the standpoint of consumers of risk information.

Too often this information is clouded in language only understood by those who generate the data. Risk needs to be managed along the entire continuum.

Categorising risk in silos is almost as damaging as focusing solely on hazards. Unless risk management becomes relevant to the ongoing tasks of operational and business managers, it will always be an expensive side show, with the result that the organisation will always be rolling the dice on the risks inherent in “What Is” and “What Could Be”.

Bill Sharon, CEO and Founder of Strategic Operational Risk Management Solutions (SORMS), has 25 years of experience in the financial services and marketing/communications industries in a variety of “C” level positions and consultancies. The consistent thread throughout his career is a focus on streamlining operational environments in the service of the business strategy.

At JP Morgan, as the COO of Corporate Real Estate, he was a key player in the transformation from a commercial bank to an investment bank through the development and construction of high-tech offices in 23 markets that reflected the new organisational culture. He went on to develop cross-functional processes for penetrating new markets and establishing new products. He also created the first proactive operational risk management process designed as a vehicle to communicate opportunities as well as issues on a real-time basis.

At Price Waterhouse, he established the North American Operational Risk Management practice, which focused on the “upside” of risk – the choices an organisation needs to make to stay competitive. His clients included American Express, where he assisted the organisation in evaluating their operational readiness to issue bank-sponsored cards in the US, and Corning, where he evaluated the operational environments of acquisition targets.

Over the last six years he has worked primarily in the marketing services industry, initially as a consultant to McCann Erickson in professionalising the wholly owned subsidiary that provided IT services, and then as a consultant to Interpublic as they began to centralise operational services. Most recently, as the CIO of McCann Worldgroup, Bill developed a global collaborative system as the foundation for supporting the cross-discipline business strategy of Demand Creation.

He is featured in two recent articles in CIO Magazine and has authored an executive briefing on managing risk in marketing services, published by the Cutter Consortium in May 2005.

Bill holds a clinical degree and, for the first ten years of his professional life, worked with adolescents in the South Bronx and East Harlem, an experience that taught him the very difficult skill of how to listen.

He can be contacted at bsharon@sorms.com, or view the company website at www.sorms.com.

Date: 29th July 2005 •Region: US/World •Type: Article •Topic: Operational risk