Canadian Underwriter
Feature

Managing Operational Risk


March 1, 2003   by Blake Hanna, Mark Smith and Dr. Craig Mindrum



A research and cross-industry benchmarking study completed by Accenture in 2002 underscores how little attention corporations pay, from a risk management perspective, to internal operational risks and the threat they pose to a company’s brand.

The study suggests that, relative to today’s sophisticated computer-based tools to monitor and manage financial risk in assessing potential hazards and catastrophes, operational risk management is in practice at a low level of maturity.

It is this day-to-day form of risk management that often fails, potentially leading to uncontrollable disaster. This is an age when the value of a company’s brand can often be measured in the billions of dollars. It is also an age when some very high-profile corporate disasters have shown how quickly a brand’s value can shrink almost to zero because of the failure to manage people, processes and technologies.

Increasing the capability to manage operational risk is becoming especially important in a business environment of mergers and acquisitions, hostile takeovers and industry consolidation. In this environment, how is a company to manage its internal operations to preserve and even expand the performance of the business? It is now the rule, rather than the exception, for workers to be learning new systems and processes, reporting to new managers, and collaborating with people thrown together by a merger. For Canadian businesses, changing the way that operational risk is managed is more important than ever.

CRITICAL PRINCIPLES

The benchmarking study identified several critical principles for more effective operational risk management.

Operational risk management is about anticipation, not expert problem solving.

Risk management is all about anticipation – looking ahead to things that might go wrong, and then either working to avoid those things, or putting in place contingency plans in case they do happen. Thanks to sophisticated computer modeling, anticipation is currently easier in the areas of financial and strategic risk management. Take time during project meetings to practice anticipation. Respondents to the benchmarking study were in general agreement that what passes for risk management in many cases is really “issue management”. That is, it is about managing problems that have already occurred, not anticipating problems that might occur.

Attentiveness depends on a culture where risk management is everyone’s responsibility.

Operational risk management is effective only when the larger corporate culture supports an attentiveness to risk that is everyone’s responsibility. Attentiveness must be baked into the training, management processes, organizational structures and governance principles of a company and a project. An effective culture will be one that provides training and tools for risk management.

A balance must be sought between oversight and responsibility.

A common problem noted by the benchmarking partners is what we came to call the “hide and seek” problem of risk management: one group of people sees it as their job to uncover risks or problems occurring, and therefore another group of people sees it as their job to understate or even hide these risks. To overcome this problem, it is important to strike a balance. Companies must always have controls, reporting and oversight to prevent large-scale problems from occurring. At the same time, they must build a culture (through training, communication and rewards) in which individuals have the capability and are empowered to manage all the various categories of risk.

Early involvement is key.

One of the greatest challenges in today’s business environment, where alliances and business partnerships are increasingly the norm, is managing different people, companies and cultures toward a common goal. And in many companies, major projects are proceeding with merged functions where key players have little familiarity with each other, and are probably implicitly competing for turf, budgets and recognition. Thus, a key success factor identified in the study is involving all the various players early in a meeting or workshop.

Resources exist to improve the ability to manage risk.

Although, as noted, tools for operational risk management sometimes lag in their sophistication, a number of excellent resources do exist. For example, a standard process for risk management has been created by the Australia-New Zealand standard, which has been further adapted for North America. An adapted version includes processes such as anticipating risk, managing risk in terms of specific goals and creating a culture where risk is everyone’s job. In addition, a number of computer-based tools exist as “add-ons” to project management software. These use simulation to help anticipate cost and schedule overruns on projects.

CORE CATEGORIES

What are the categories of operational risk that are most likely to need mitigating? For large, mission-critical projects, the ten core categories of operational risk that risk managers find themselves managing are:

Business continuity. The risk of causing significant unplanned amendments to effort due to business changes.

Teaming. The risk that either a company lacks control of a sufficient amount of effort to ensure successful delivery or that critical third parties are not stable.

Unproven approach. The risk from using unproven, state-of-the-art technology or an innovative business approach.

Management support. The risk that senior management support is either inadequate or distracted.

User reluctance. The risk that the people who will use the solution are not prepared or willing to use it.

Regulatory. The risk that a regulator will require changes without regard to timeframes or feasibility.

Scope. The risk of scope being changed without regard for plans or previous commitments.

Skills. The risk of significant shortfalls in the skills of the delivery team.

Shareholder value. The risk when the solution is being presented as a means to drive up shareholder value.

Timeframe. The risk of causing negative business impact due to missing critical delivery dates.

Every project has its own unique mixture of these risks, and these will be articulated differently depending on the industry and the company’s specific goals.

LACK OF LONGEVITY

One of the more startling statistics making the rounds today is that the average tenure of a CEO has been reduced to about four years and that of the average CIO is down to just 18 months. That means that risk managers cannot necessarily count on longevity and experience to see them through. Risk managers need to embed effective risk management in the way they plan and manage, rather than rely solely on the skills and experience of individuals. Effective risk management is not an impediment to progress and realization of value. It is, rather, the safety net that allows a company’s people to take the kinds of risks that can lead to new markets, new products and new services. Operational risk management tools will improve over time. Until then, there are principles found to be effective in communicating and planning the kinds of things necessary to manage day-to-day risks. Do not be afraid to wave the red flag of brand equity when talking about upgrades to operational risk management capabilities. That risk is real, and it is the little things that are just as likely to undo a corporation as the big ones.

