| Emotion rules: ignoring it won’t change anything… Bill Sharon, CEO and Founder, SORMS. On the OP-ED page of the Sunday New York Times on July 24, 2005, Dr. Nassim Nicholas Taleb reminded us all of the predominate role of emotion in the perception of risk. His thesis, in summary, is that risk avoidance is predominantly governed by our emotional system, that emotional system is primitive in nature and we are more interested in the drama of a crisis and the heroes involved than in the efforts at prevention. Of course, his topic was terrorism, not operational risk management or business continuity, and his admonition was to the media to be careful about extending the mission of the terrorists (as in assisting in terrifying people) and understand the effects of their reporting. The principals that Dr. Taleb outlines, however, are readily applicable to the operational environments of complex organisations. They are arguably an extension of the work done by Daniel Kahneman and Amos Tversky in their development of Prospect Theory. Among their many contributions to the understanding of the role of emotion in the perception of risk was that people are not risk averse, they are loss averse. People, they discovered, will take great risks in an attempt to avoid losing (consider the response to repeated margin calls in a falling market). So how do we develop a rational framework suitable for implementation in a complex corporate environment when the going-in presumption is that emotion rules the day? Seems like an oxymoron, but here goes: The perception of risk in the operational environment This is our context for emotional response; we are passionate about those areas in which we focus our attention. Those responsibilities, or areas of attention, tend to fall into three broad categories in the corporate environment: revenue generating activities, operational support for revenue generating activities and assurance/regulatory compliance activities. Operational risk predominantly focuses on the activities of the second group, the operational disciplines required to support the business process; areas like IT, HR, legal, facilities, security, etc. Over the past several decades, the level of sophistication in each of the operational areas has increased significantly. Clearly IT has evolved into a complex commodity, HR has expanded into the areas of counselling and day care, and security has become a predominant concern at the highest levels. The people who perform these functions clearly need to deal with an increased level of complexity to be successful and today’s mobile workforce environment requires them to maintain their marketplace value. Fundamentally, they operate on the basis of keeping one eye on maintaining proficiency in their area of expertise and another on maintaining the status of their particular operational discipline within the organisation. All this leads to a perception of risk that is likely to be coloured more by the self-interest of those working in the operational disciplines rather than the mission of the business strategy – that is the goals that the organisation is trying to achieve and the risks that it must mitigate, manage and assume in that effort. Lamenting this problem is not productive; addressing it in a manner that promotes the active management of relevant risks while addressing the self-interest of the participants is essential. Current approaches to operational risk management The second method of managing operational risk is qualitative. There are a variety of approaches, but fundamentally they all revolve around creating cross-functional teams to identify key business process, assess the risks in those processes and develop plans for their mitigation or, in some cases, acceptance. Note that both of these approaches are heavily weighted in the direction of seeing risk as something bad that should be avoided. If we view these approaches in the context of loss aversion, we can see that a climate of fear of loss is easily created. Ferreting out the unidentified risk (particularly in one’s own area of expertise) becomes a primary defence against loss. If we apply Dr. Taleb’s concepts, we begin to see that this qualitative approach is likely to result in strenuous effort in the beginning of the process and lagging interest and energy as the risk mitigation efforts require months or even years to complete. None of this is good. Virtually all of these efforts fail to take into account the fundamental issues in the management of risk in the operating environment. At its core, the management of risk has to do with the management of people. Databases, actuarial models and business processes are all tools that are, at best, tangential to the problem. Let’s look at some examples to understand the issues: In June, 2005, Citibank announced that unencrypted tapes with the names and details of 3.9 million customers sent by courier to one of the credit agencies had been lost. Reading the story, anyone with a cursory awareness of secure data networks and the current state of data encryption would have to do a double-take. Unfortunately, events of this kind have become commonplace. Banks, universities, and state and federal government agencies have all uncovered similar breaches in the disclosure of confidential personal information. How does this happen in an environment where billions are being spent on physical security and there have been a constant drumbeat of commercials from banks and credit card companies touting their ability to combat identity theft? Our view (SORMS) is that many of the people who work in the operational environments of complex organisations do not have a clear understanding of the mission and goals of the business. Putting a tape in an envelope and giving it to a courier is strong evidence that the perception of the job was to get the tape from point A to point B. The perception of the risk was confined to the ability to get the task done in a timely manner. Had the individuals involved acted in the context of a business strategy that defined success as the care and feeding of customers who pay high interest on credit cards and loans, the value of the information on those tapes would have taken on much greater importance and the perception of risk would have shifted dramatically. Leveraging the motivations of the operational manager • Dissemination of the business strategy to all levels of management within the organisation. • Leverage the expertise of the operational managers in identifying risk in their disciplines. - Projected Risk Profiles: These profiles should not only be a snapshot of the current risk profile of the operational discipline, but it should also look forward 90, 180 and possibly 270 days in the future. The resulting ‘planned vs. actual’ data will help to mature the risk management process over time. - Peer Reviews: There is no tougher audience than one’s peers and the knowledge one has to defend a risk profile mitigates against the emotional reaction to perceived risks. - Capital Allocation Map: The process should also identify those risks which are funded for mitigation and those that are not. At the aggregate level, this information provides senior management with greater clarity in marrying capital expenditures to strategy. - Business Intelligence: This risk information needs to be used in the management and planning process. There is nothing more damaging to an organisation that ramping up a global initiative, getting everyone committed and excited and then never using the information that is generated. Far better to do nothing at all. Evolving the operational risk management process Our recommendation is that this second step not be attempted until the operational discipline risk assessment process has achieved some maturity. Given the role of emotion in the response to perceived risk, one must assume that initial risk profiles will likely be flawed. In the beginning, the narrow context (the technical components of the operational discipline) and the self- interest of the operational managers will likely result in profiles that are correct in an absolute sense, but not necessarily meaningful in the context of the business strategy. Let’s examine how this methodology differs from the current approaches outlined above. First, it is not our intention to dismiss the value of capital adequacy to address identified and potential risks in business ventures. Insurance against loss is fundamental to good business practice. Our concern is that, as a result of the Sarbanes Oxley legislation and the ‘loss database’ models required under Basel II, the management of risk has become relegated to an actuarial process that is positioned in an adversarial position to the business (business managers will always argue that their capital charges are too high, risk managers will argue that they are too low). This leads to risk management becoming the process of managing capital charges. It is essential that this quantitative process be balanced with a qualitative process that ultimately provides the business intelligence necessary to manage the capital charge in a proactive manner. Second, we believe that it is dangerous to assume that a business process developed by a crossfunctional team contains all of the risks that need to be addressed; let’s not forget our tape in the envelope that got lost on its way to the credit bureau. By leveraging the self-interest of the operational mangers to initially provide a technical risk profile of their discipline and then extend and evolve that perception of risk in the context of the business strategy we get the best of both worlds; a complete examination of the operational discipline and a more robust assessment of the positive and negative impact to the business strategy. Fundamentally, the burden of identifying the risks needs to be on the plate of those best qualified to identify them. Additionally, the process mitigates against an initial emotional overreaction and then a later under reaction by requiring managers to project their risk profile into the future. Here we are using the understanding that people are not risk averse, they are loss averse. Status is important in complex organisations; influence depends on recognition not only of technically proficiency in an operational discipline, but more importantly the degree to which others value your perceptions. Failure to modulate the emotional response to risk by understanding and incorporating real business issues can result in a loss of status. If we return to Dr. Taleb’s admonition at the end of his editorial we find that he advises the news media to be aware of the side effects of their one dimensional reporting. We believe, as apparently does he, that it is possible to change the reaction to risk by providing a broader context in which to understand it. Bill Sharon, CEO and Founder of Strategic Operational Risk Management Solutions (SORMS) has 25 years of experience in the financial services and marketing/communications industry in a variety of “C” level positions and consultancies. The consistent thread throughout his career is a focus on streamlining operational environments in the service of the business strategy. At JP Morgan as the COO of Corporate Real Estate, he was a key player in the transformation from a commercial bank to an investment bank through the development and construction of high tech offices in 23 markets that reflected the new organisational culture. He went on to develop cross functional processes for penetrating new markets and establishing new products. He also created the first proactive operational risk management process designed as a vehicle to communicate opportunities as well as issues on a real time basis. At Price Waterhouse, he established the North American Operational Risk Management practice which focused on the “upside” of risk – the choices an organisation needs to make to stay competitive. His clients included American Express where he assisted the organisation in evaluating their operational readiness to issue bank sponsored cards in the US and Corning where he evaluated the operational environments of acquisition targets. Over the last six years he has worked primarily in the marketing services industry, initially as a consultant to McCann Erickson in professionalizing the wholly owned subsidiary that provided IT services and then as a consultant to Interpublic as they began to centralise operational services. Most recently, as the CIO of McCann Worldgroup, Bill developed a global collaborative system as the foundation for supporting the crossdiscipline business strategy of Demand Creation. He is featured in the two recent articles on in CIO Magazine and has authored an executive briefing on managing risk in marketing services published by the Cutter Consortium in May 2005. Bill holds a clinical degree and, for the first ten years of his professional life worked with adolescents in the South Bronx and East Harlem, an experience that taught him the very difficult skill of how to listen. He can be contacted at bsharon@sorms.com or view the company website at www.sorms.com
•Date: 12th August 2005 •Region: US/World •Type:
Article •Topic: Operational risk |
