ISG Software Research Analyst Perspectives

Operational Risk Management Is a New Imperative

Written by Robert Kugel | Jun 29, 2012 7:44:45 PM

Risk has always been an integral part of business, but our recent Governance, Risk and Compliance (GRC) benchmark research shows that companies deal with risk with varying degrees of effectiveness – especially operational risk. A majority of companies lag in their overall GRC maturity, as I covered in a recent blog post. Operational risk management should be of greater interest to executives today because they can have greater control of it than before. The expansion of IT systems to automate and support most business processes has made it easier than ever to measure, monitor and report on what’s going on in a company. It’s now practical to expand the scope of operational risk management and improve companies’ effectiveness in handling risk events when they occur.

Our research shows that managing risk more effectively is the main reason why people want a better approach to GRC. Nearly eight out of 10 (77%) want to be able to identify and manage risks faster. Another 59 percent want to achieve a better risk control environment – for example, they want to ensure that rules and procedures are being followed. In many instances, it possible to use information technology to keep people from not following rules and policies. For example, there’s a long-standing approach to reducing financial fraud by having a policy for separation of duties that keeps people who approve invoices separate from those who sign checks or issue payment instructions. Because invoice approval and payment are done via computer systems today, the process can be designed to enforce separation of duties and to continuously monitor systems and process execution to ensure this policy is followed.

Computing systems also can be used to stay on top of compliance to limit the chance that someone fails to do what they are supposed to do. Was a critical piece of maintenance performed on schedule? Has everyone who needed to sign off on a regulatory filing?

Managing risk is an ongoing process that must be defined, refined and re-examined regularly. Managing risk effectively means having ongoing discussions about risk, usually face to face. But IT is a critical piece of effective risk management. Technology can automate many aspects of risk management – separation of duties and identity management are two examples. Reporting systems can be used to enable managers and executives to monitor operations more efficiently by reliably providing alerts but only doing so when some situation requires their attention.

One analytic technique that’s applicable to managing operational risks is predictive analytics, a subject I’ve covered in the past. “Predictive” does not necessarily mean that you can foretell the future; rather, this approach sifts through a lot of data, tells you if some key aspect of the business is behaving the way it should and alerts someone if it isn’t. Do order patterns signal a problem? If you can spot the negative trend on the fifth business day of the month rather than in the monthly review, you may be able to address the causal factors before you have a big problem. Predictive analytics can inform managers that they will need to add shifts or workers to address some supply chain snag that has developed.

Predictive analytics is a powerful tool that’s becoming increasingly accessible to many businesses. However, many companies face a fundamental issue: They don’t have the data. Our research shows a mixed picture. Participants were pretty much split on how easy it is to access and use the data necessary to measure and assess risk. About half (53%) took the middle ground, saying that is neither easy nor difficult. Of the remainder, 24 percent said it’s easy or very easy and 19 percent said it’s difficult.

Companies are not completely ineffective in managing operational risks – only about one in five said they have ineffective operational risk controls for handling natural disaster, supply chain disruption, competitive threats, reputation loss, internal fraud and demand disruption. (I think this is because companies that have ineffective controls usually go out of business.) However, the data also shows that even fewer rate their risk controls as very effective. For example, only 15 percent assessed their controls for natural disasters as very effective, and just 12 percent rated their supply chain controls as very effective. The research shows that companies are least good at controlling the impact of demand disruption: More than one-fourth said their controls are ineffective while just 5 percent said they are very effective. Just 8 percent are very effective at controlling separation of duties and sources of internal fraud at an operational level. While most companies rate themselves somewhere in the middle, I think “very effective” ought to be the standard companies apply to their operational risk management. And the fact that a majority of organizations think they’re doing reasonably well in controlling operational risk is itself a risk. This sort of assessment typically leads to complacency and a lack of effort to improve operational risk management.

Managing risk intelligently is one of the key capabilities of successful organizations because it can deliver a competitive edge. Companies that are good at managing risk can make aggressive moves more prudently, spot negative trends faster and respond more quickly and effectively when disaster strikes. IT continues to be one of the main sources of innovation in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as intelligently as they should.

Regards,

Robert Kugel – SVP Research