Operational risk management is on the line
Annie Searle overviews the evolution of ORM and how past issues help inform current challenges.
Most of us spend our days with our heads down, on behalf of our employer or our client, dealing with one of the practice areas where the usual aberrations present themselves in the larger context of operational risk management (ORM). Activities like reading, teaching, and publishing offer the opportunity to step outside daily practice and do some additional research in order to remark upon the evolution of the discipline.
Whether or not it was always identified as such, operational risk has been present since the first attempts to impose controls around people, process, systems and external events. The most egregious historical operational risk failures and subsequent regulation spring from the financial sector and accounting practices. We have only to look back on the work of the Treadway Commission a la COSO, the evolution of Basel regulation, Sarbanes-Oxley or even Dodd-Frank rulemaking to see that the greater share of business controls for publicly traded companies in the United States come from either best practices or lapses in the world of accounting. Though we like to think that some aspects of ORM - like emergency management or disaster recovery - involve doing the right thing, it would be a mistake to think that frameworks, practices and professions are virtuous: ORM is the management of outcomes so as to prevent financial loss.
In the operational risk course I teach, we discuss at least one ‘real world’ case of operational risk failures each week. I began with Enron and its auditor, Arthur Andersen, because the two companies illustrate how operational risk failures frequently involve one or more of the four control areas. There is so much in retrospect that we can identify as red flags on internal controls at either Enron or Andersen: staff from each company played hard together; financial statements were dummied; and false statements about the condition of the company were made by key executives. The ‘independent verification’ control went out the window when Enron internal audit staff became Andersen employees, meaning that Andersen performed both internal and external audit functions. On the consulting side of Andersen, millions were made, which in turn influenced the accounting side. For those who might raise a flag inside Enron, the response was: “This has been signed off on by Andersen and that’s what we are doing.” For Andersen employees who had a concern, the response was eerily the same, except the rationale was that Enron had signed off. To these few details I’ve provided, add document shredding by Enron, based on a ‘document retention policy’ that had been created by Andersen for Enron in 2000. The policy was designed to avoid turning over documents to plaintiffs’ attorneys in the spate of lawsuits that had already sprung up. If you were going to summarize the controls breakdowns in the Enron/Andersen scandal, you would have to say that people, processes, and systems each contributed to the eventual demise of both companies.
Fast forward and what do we see? Just as the 2001 Enron scandal drove new SOX reporting requirements for large publicly traded companies, the 2008 banking crisis has driven new regulation via the Dodd-Frank Act. Security and data breaches have spawned several different pieces of legislation now working their way through Congress, some of them related to cyber threats from other nation states. Consumer privacy and protection is also the subject of new legislation, given the role of the Internet and the ease of transactional choices via mobile devices. While it can be argued that too much regulation can strangle business growth, there is no question that SOX reporting to the United States Securities & Exchange Commission has certainly reduced the number of financial misrepresentations – especially since the CEO and the CFO must sign off on the reports, and pay reimbursement or possibly go to jail down the road if there is a ‘financial restatement attributable to misconduct.’ Public auditors are also severely constrained in the work they can do for audit clients in the management or technology consulting arenas. (1)
Certainly the earlier Basel requirement on banks to reserve more capital against risk has been buttressed now by current US rulemaking, including the controversial and as yet un-enacted Volcker rule, that would prohibit banking entities from ‘proprietary trading of securities, derivatives and certain other financial instruments for the entity’s own account.’ (2)
We tend to characterize the 2008-2009 financial crisis as primarily involving financial institutions and the auto industry because the government tried to address those areas of concern. Yet we feel the actual impacts on both our private and public infrastructures still. Without investments in what was already a creaky public infrastructure, operational risk exposure has increased dramatically from unemployment, foreclosure and dispossession, the side products of the economic crisis. We can each measure the impacts in our daily life, whether it is potholes in the road, new or increased tolls on bridges, or reduced hours at our public libraries. Meanwhile, the number of persons available to manage or monitor risky programs or processes has gone down in most institutions, another side effect of the financial crisis. From the private sector perspective, the last several years have been a time to sit tight, to hang on to cash reserves, to wait and see what other challenges will present themselves to economic recovery.
As if people, processes and systems were not enough to track, Mother Nature has been especially active in 2011 and so far in 2012. How long can insurers continue to pay out on large losses from high impact events like earthquakes, tornadoes, fires that are a result of drought, and hurricanes? How long will it take, for instance, to effect recovery in areas of northern Japan where the 2011 Honshu earthquake was also the site of a massive tsunami and nuclear reactor emissions? Where will the post-FEMA economic recovery dollars come from for cities like Joplin or Tuscaloosa, hit so hard by tornadoes? Given the budget cuts they have already absorbed, how will city, county and state emergency management teams deliver emergency services during a truly high impact event? It is no small irony that a 911 hoax has sprung up in a number of US states, where callers are told that 911 services have been cut from their city’s budget, and they will need to pull out a credit card and authorize a payment if they wish to have 911 services in the future.
In the midst of still uncertain economic conditions, it is easy to see how further erosion of controls around standard types of operational risk can occur. System failures will occur more often because the budget is not available to upgrade the technology infrastructure. Inappropriate business practices become more attractive when Wall Street must be placated in order for a stock price to remain stable. Regulatory noncompliance becomes more frequent, in the belief that it is possible to be let off the hook in tough times. Finally, reputational risk rises as the messages about brand are multiplied by thousands on social media sites. At a recent Emergency Management All Hazards/Stakeholders Summit in Seattle, speaker Gerald Baron listed a group of institutions who all had to publicly reverse operational decisions they had made because of public pressure delivered through social media tools – Komen, Netflix, Gap, Bank of America, Congress and Verizon. He reminded all of us that “media is anyone who amplifies your message.” (3)
Under such conditions, how can an institution increase its vigilance around operational risk?
Though I’ve used banks as examples here, I think non-banks can apply some of the lessons learned by financial institutions and financial regulation. Whether or not there is an elaborate enterprise risk management framework in place, key executives should first make time to sit together and identify (or validate) their top ten risks, then look at what programs or mechanisms they have in place to reduce or mitigate the risk. They should ask the question “Are there any unknown or hidden risks that we have missed?” and then share their findings with their board of directors, who may evaluate or prioritize the risks somewhat differently. Such a straightforward presentation of the top ten risks and then discussion with a board of directors is one of the most effective tools I know of for gaining momentum and for ensuring that SOX reporting accurately reflects the state of the company, from an accounting perspective and in order to execute an effective operational risk management strategy. Best of all, identification of risks, including those that might initially be hidden, does not cost enormous sums of money, nor are consultants necessarily required to assist in the assessment unless executives have already perceived that some risks are not being effectively communicated upward by managers.
One thing is for sure at this time: operational risk management is on the line, and deserves a seat at the executive table, especially when we continue to suffer from a lack of economic momentum.
The risk doesn’t go away in such times. The work just gets a bit harder, especially in maintaining direct communication with key executives and with boards of directors, to ensure that risk is properly identified and that, if necessary, the risk is accepted rather than reduced or mitigated.
Annie Searle is Principal of Annie Searle & Associates LLC – also known as ASA Risk Consultants, an independent consulting and research firm, serving businesses and organizations that are part of the US critical infrastructure. ASA offers neutral and confidential assessments of existing plans and programs, identifies gaps and offers customized road maps to increase resiliency. ASA’s Institute for Risk and Innovation helps drive policy change in areas ranging from public-private sector critical infrastructure resilience, to financial regulation, digital privacy and crisis management best practices.
More information can be found on ASA’s website at www.anniesearle.com.
(1) Thomas A. Faulhaber, “The Emerging Company and the SEC: The Significance of the Sarbanes-Oxley Act,” http://www.businessforum.com/SEC01.html
(2) Wolters Kluwer Law & Business, http://wolterskluwerlbinfo.com/LP=401/?cm_mmc=GooglePPC-_-DisplayAds-_-VolckerReport-_-VolckerRuleSimplified&gclid=CL-Axf-Vja8CFRGAhwodlhCe0A
(3) Gerald Baron, “Crisis and Emergency Communication: The Fork in the Road,” 2012 Emergency Management All Hazards/Stakeholders Summit, Seattle, March 21, 2012.
•Date: 29th May 2012 • US/World •Type: Article • Topic: Operational risk management