By Peter Higgins.
Operational risk is on shareholders' minds.
The topics of interest at a recent NACD – Capitol Area chapter
event in McLean, VA USA, included the state of the economy, the
stock market and our outlook for the remainder of this year. Corporate
governance and Sarbanes-Oxley were fuelling the fire for much of
the debate on what was going to fix the current sentiment of investors.
The current state of mind is one of optimism and, as the speaker Dr.
Robert Sweet, the chief economist and managing director of MTB Investment
Group, admitted, he was a little above the ‘glass being half
full’. As an economist with a BA, MBA, JD and PhD he was confident
that all the numbers were headed in the right direction. He only had
one caveat. The risk of more corporate malfeasance was something
that could change his rosy view of the economy’s crystal ball.
Even in the face of huge US government deficits,
our greatest threat to achieving a turnaround lies in the behaviour
and ethics of our US corporate chief executives rather than the
next moves by George Bush et al.
“Operational risk is not new. In fact,
it is the first risk that banks must manage, even before they make
their first loan or execute their first trade. What is new is the
idea that operational risk management is a discipline with its own
management structure, tools, and processes, much like credit or
market risk,” states The Journal of Lending & Credit Risk
Management (March 2000).
The risk of loss resulting from inadequate or failed processes,
people and systems, or from external events, is the definition of ‘operational
risk’. Corporate executives have hired chief risk officers
and established new operational risk management committees. This
is moving rapidly outside the traditional sectors of banking and
financial services for good reason.
What can the board of directors do to make
sure that their CEO has moved to a place focused on mitigating operational
risks?
Fundamentally, the first task is to make sure
that the CEO has a management system in place for operational risk.
What is needed is a process approach for establishing, implementing,
operating, monitoring, maintaining and improving the effectiveness
of an organisation’s operational risk enterprise architecture
(OREA).
Let’s break OREA down a little further
to get a better view of some of the specific operational attributes:
People: Employee fraud, misdeed, unauthorised activity, loss/lack of personnel
and employment law.
Process: Payment/settlement, delivery/selling, documentation/contract, valuation/pricing,
internal/external reporting and compliance.
Systems: Technology investment, development, access, capacity, failures and
security breach.
External: Legal liability, criminal activities, outsourcing, suppliers/insourcing,
disasters/infrastructure, regulatory/political.
The attributes of operational risk are the
same key areas that need to have metrics created for measurement
and auditing. Performance management, Balanced Scorecard and other
methodologies for managing, monitoring and continuous improvement
need to be implemented so the boards of directors have a way to
get timely alerts, updates and reporting.
The operational risk enterprise architecture
is a management framework that requires a process approach embedded
with the legacy of our quality initiatives of the past several decades.
The reason is the threat of change itself. The P-D-C-A
model (plan – do – check – act) is appropriate
for application to this process approach and the threat of a constantly
changing corporate environment:
Plan: Establish policy, objectives, targets, processes and procedures
for managing operational risks to deliver results in accordance
with the organisation’s business objectives.
Do: Implement and operate the policy, controls, processes and procedures.
Check: Assess and measure in applicable areas while reporting results to
management for review.
Act: Take corrective and preventive actions based on results to continually
improve the OREA framework.
Operational risk management is getting the
attention of organisations outside of the major banks at a rapid
pace. Boards of directors in any industry will soon realize that
the successful CEO of the future will be a master of building a
culture with effective operational risk management systems at its
core.
Peter Higgins is managing director
of 1SecureAudit
LLC, an operational risk management solutions firm.
Copyright 2003 1SecureAudit LLC.

•Date: 19th September 2003 •Region: N.America •Type: Article •Topic: Op. risk