Critical Capabilities for Operational Risk Management
The inability to predict outliers implies the inability to predict the course of history.” - Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable
We live in an era of dramatic, improbable events that adversely affect the economy, the environment, the fate of household name companies and people’s welfare and health. At least, they seem improbable until they happen. Then they can appear inevitable. Complexity makes them hard to predict: failed banks, industrial accidents, large scale regulatory breaches, corruption and law-breaking, poor governance and corporate collapses. As these calamities pile up on news desks, one begins to realise that situational awareness involves a greater effort than some organisations are capable of and sometimes the battle for control is simply lost.
The term operational risk management (ORM) is used by the Basel Committee on Banking Supervision to cover risks that are intrinsic to the operation of any business: internal and external fraud, employee behaviour and workplace safety, market manipulation, product quality problems, fiduciary breaches, asset integrity, business disruption and systems failures, poor governance and process errors. The Basel Committee’s use of the term operational risk is very apt and probably the most useful definition. It can then be understood that enterprise risk management is a strategy that seeks to take a holistic or organisation-wide view of operational risks. For my money, the terms ERM, GRC and integrated risk management are interchangeable as all three imply a global strategy for ORM.
It is rare, and arguably unwise, for an organisation to go straight from ad hoc or no risk management to a complete ERM strategy. A more common journey is from ad hoc, fragmented systems through increasing management to a more integrated and agile approach to risk that delivers lean resilience. Thoughtful, managed investment in information management systems is critical. What then are the basics?
According to Gartner, an IT industry analyst, the critical capabilities for operational risk management are the ability to assess and document risks (preferably in a risk register – a big list of undesirable events, their potential causes and consequences and plans to mitigate them); incident reporting tools that let staff easily raise the alarm at the earliest sign that something is wrong; real-time monitoring of lead indicators (i.e. danger signs) which can be anything from a gearbox vibration level to the fact that an important meeting was skipped; response automation tools that execute pre-planned activities when a risk threshold is breached (for example, software that escalates the gearbox vibration level to the attention of the CEO, grounds the vehicle affected and issues instructions to the maintenance and repair team); and, lastly, the ability to quantify, analyse and report on risk so that the board and senior management has visibility of their risk exposure today. Are all the lights green? If not, why not?
Organisations that take risk seriously make great efforts to model and simulate the what-ifs, they provide staff with easy tools for raising alarms and expressing concerns, they monitor continuously for early warning signs and they are geared up to automatically respond to trouble. If that sounds like a whole different culture from the one you inhabit in your work, it might well be. Should you do something about this? Definitely.
In the risk management software industry we talk about operational maturity. Just because you’re not aware of a problem does not mean that it isn’t your responsibility. Organisations that invest in risk management systems do so primarily to protect the public and their own people as well as their finances and reputations from the threat of unforeseen, improbable damaging events. The payoff is that doing so makes them more efficient: safety and efficiency are two sides of the same coin. Anyone who’s ever tripped over in an untidy workshop knows that.
Being proactive about risk means never feeling comfortable again. But then surely that degree of bother is preferable to causing harm and ending up on the front pages or worse?
Interested in reading more about operational risk management? Download Ideagen and BDO Risk Advisory Services' white paper: The Golden Thread: Achieving Strategic Objectives via Risk-based Compliance and Oversight.