Risk has always been an integral part of business, but as I’ve noted, companies deal with risk with varying degrees of effectiveness. A complex, ongoing process, operational risk management identifies risks to support successful operations of an organization, estimates the monetary and other measurable impacts if a risk event occurs, establishes methods for mitigating the severity of impacts should they occur, continuously measures the probability of a risk occurring within a relevant period of time, periodically reports on the risk environment to appropriate decision-makers and alerts executives and managers when risk thresholds are crossed. These important activities should make operational risk management of greater interest to executives in today’s volatile business environment.
Operational risk management also is a key reason for an emerging trend toward action-oriented IT systems. The easier availability of broad sets of corporate data and third-party data, along with the ability to process it quickly and explore implications in real time, makes it practical to expand the scope of risk management and improve the effectiveness of responses when risk events occur. Operational risk now can be managed more comprehensively – and the potential consequences mean it should be.
However, many companies handle risk haphazardly, leaving it to functional or business units. One reason for this is that “risk” means different things to different parts of the business. Another is that companies have had a hard time defining operational risks in a way that is measurable and therefore manageable. Often, the data needed to measure and monitor operational risks comes from disparate sources. For example, senior executives should be made aware if health and safety issues have become more probable because required maintenance or other actions have been skipped. Rather than relying solely on document-based attestations by, say, plant managers, higher-ups could also be alerted if maintenance, repair and overhaul (MRO) data suggests procedures have been skipped or if accounting data shows a large enough positive variance in maintenance expense accounts. Another reason for slipshod risk management is that relatively few companies use advanced analytics, as our research shows. Rather than relying solely on sales-to-date data as the means of assessing the probability of missing future sales targets, for instance, they could employ predictive analytics (used by just one in eight companies) in a variety of ways to generate alerts as soon as actual results diverge too far from expectations in many areas, whether sales of complementary products, cumulative rainfall or social media mentions.
Until now it’s been very difficult to assemble and use enough data to quantify risk. Because of this, operational risk management has been confined to a handful of industries (notably financial services, which is literally a business of numbers), a few kinds of projects (for instance, in engineering and construction, aerospace or defense) or the most easily measured general corporate risks (tracking revenues, expenses and cash flow). To be sure, some individual businesses and some functional areas are better than others at managing operational risk quantitatively. For example, companies that decide to make their supply chains leaner are more exposed to risk of disruption. The scope of the costs associated with leaner supply chains became clear this past year because of the earthquake and tsunami in Japan and the floods in Thailand. Corporations that had implemented comprehensive supply chain analytics were in a better position to react to these events because they had a more detailed understanding of their implications than those that had to wait days or weeks to quantify and analyze their positions.
Now that data is increasingly available and big data technologies as well as in-memory processing capabilities are accessible, corporations can apply a range of analytics and reports to limit the probability of risk events occurring or mitigate their impacts if they do occur. However, even though the technology foundation for more comprehensive risk management exists, it’s unclear how quickly companies will adopt it. The history of business computing is full of examples of business process changes lagging the introduction of technology that makes them possible. For instance, in our ERP Innovation benchmark we found that two decades after modern ERP systems were introduced, only half of companies were using imaging – which increases the availability of source documents such as invoices – and only half used streamlined end-to-end processes such as procure-to-pay.
One of the first technology applications where executives should put operational risk management to work is scorecards. Corporations use balanced scorecards because all business decisions involve some sort of trade-off, such as market share vs. profitability. Moreover, all business decisions involve some form of risk and often more than just the risk of not achieving a business objective. Weighing and balancing trade-offs recognizes the reality that managers and executives must make these decisions intelligently in ways that are consistent with their organization’s overall objectives and risk appetite. Indeed, I believe that scorecards that don’t explicitly include risk are not truly balanced.
One reason for using scorecards as the jumping-off point for capturing and applying risk metrics is that this tool can be adopted and adapted at whatever pace a corporation prefers. Since few companies include risk metrics in management assessments today, there are few best practices at hand. Lacking a well-established set of metrics for a variety of operational functions, early adopters of operational risk metrics may well want to proceed with caution (as one would expect from people concerned with risk). Corporations that have already started with big-data initiatives and have deployed in-memory analytics systems have made most of the investment necessary to support an operational risk management initiative. They can follow the steps I outlined in the first paragraph above, from identifying the most relevant risks through reporting them. This is not a trivial task, but with the right tools it need not be overwhelmingly time-consuming. When done across a company it can keep senior executives alert to the severity of risks and their potential impacts and help them manage the organization more safely on an ongoing basis.
Robert Kugel CFA – SVP of Research