Why operational risk management is vital – and where it’s headed
Mitigating risk is a challenge that every company faces, but it can be a difficult thing to confront, and it is hard to feel that you are getting the most out of it.
It can mean anything from having more money set aside for workers’ compensation to an awareness of transaction risk in cross-border deals – that’s why there can often be a reticence in certain sectors to properly address it.
Michael Rosenberg is from WPV Corp, a company which claims to have developed technology that almost completely mitigates the risk of harassment/sexual harassment and workplace violence, using a validated risk assessment and an incident reporting system that is held outside the organization.
“Managing risk can literally mean the difference between a company being profitable and being bankrupt,” he says assertively.
“Reactive cultures that ignore risk waste millions of dollars literally having to deal with emergencies. It’s like a car: if you don't do the maintenance and ignore the risk, it will break down at the worst possible time and cost you a lot of money to fix and replace.
“Ignoring operational risk leads to significantly higher insurance rates, turnover, lost time and most importantly brand degradation.
“Identifying and preventing operational risk before it becomes a crisis literally is the single largest factor in ensuring a company's survival.”
But what exactly is operational risk and how do you manage it?
“Typically, operational risk is a highly-siloed discipline in organizations,” explains Val Jonas, CEO of British consultancy company Risk Decisions.
“Good risk management may be carried out locally, but this doesn’t necessarily meet the organization’s need to achieve a connected view of risk. It also doesn’t encourage creativity in thinking about both up-side and down-side scenarios. This is exacerbated by the fact that most organizations still use spreadsheets to manage risk in each silo.
“Those organizations most effective at risk management embed a culture of risk awareness and management as a top-down imperative. This encourages more informed risk taking, drives creativity and increases business performance.
“Key strategies include establishing a consistent approach to give pan-organization visibility of risk, while allowing different operational areas to manage risk as appropriate. This will increase and improve collaboration which can lead to valuable insights e.g. supply risks impacting multiple areas of the business. Another strategy is to implement regular audits of key suppliers’ risk policies and processes to ensure they deliver. For example, pharmaceutical companies ensuring that the third-party companies running their clinical trials will do so ethically and in the required time-frames.
“Finally, all business cases should include an assessment of risks, with clear explanations of how they will be managed.”
One of the key facets of operational risk management companies have to address in this day and age is the prospect of cybercrime.
Figures in last year’s Accenture Cost of Cyber Crime study showed that the average annual cost of cybercrime is $11.7mn, increasing annually by 22.7%, with the number of breaches increasing by 27.4% to an average of 130 each year.
“Operational risk management has been getting more important in recent years due to new and more stringent regulatory requirements, while organizations are keen to embrace digital transformation, which essentially increases their risk exposure as a result,” says William Tam, Director of Sales Engineering, APAC, for global cybersecurity expert Forcepoint.
“The continuously shifting ‘threat landscape’ requires an equally transformative view on behavior-centric security. To manage cybersecurity risk, companies need to include measures that understand the nature of human intent and the ability to dynamically adapt security response. That’s the path forward to stop cyberattacks dead in their tracks.
“Cloud computing has been a key disruptor to operational risk management. As business critical data continues to move to the cloud, and be made available to anyone anywhere, traditional perimeter-based security and risk-modelling are becoming obsolete.
“Organizations need to concentrate on when and why people interact with critical data. Additionally, as malware continues to evolve, the risks will multiply, leaving traditional security controls ineffective.”
It’s an ever-evolving space, and requires companies to be clear in their thought process and implementation. Jeff Skipper, an expert in organizational psychology who runs his own consulting firm, Jeff Skipper Consulting, believes it is an area which companies often fail to address.
When asked how important operational risk management is in the business world, he responded assertively.
“Very,” says Skipper. “And it’s too often overlooked because risk management doesn’t seem like ‘productive’ work. You only feel the gap when something goes off the rails. However, the impact of that can be measured in revenue hits, reputational damage, and employee exits.
“In my work with leading organizations in both the public and non-profit sectors, risk management is most commonly only given lip service. The leaders whom I advise are the ones who continually surface risk as a lever to remove obstacles and act.
“Combining high risk awareness with the strategic use of what I call ‘leadership capital’ is a critical combination for successful initiatives. It has made the difference between 10% and 100% cost overruns.”
Skipper believes that poorly managed strategic projects are often at the root of organizational failings with regard to risk management.
“It’s very common for the best people to try and avoid key projects because they are very demanding,” he says. “But having the best people with strong skills and leadership is key in these situations.
“Secondarily, there are major gaps in future anticipation. We don’t give people time to think about the ‘what ifs’, which can be the greatest source of risk avoidance as well as innovation.”
One of the key areas where innovation is expected in the ORM space, as it is in so many others, is by embracing cognitive technology.
David Cahn, Director of Product Marketing for Elemica, a leading business network for supply chains of process businesses, discussed how that might, and might not, change things.
“Cognitive risk management involves the decision by a human to follow the risk mitigation procedures, but knowing the risk of something doesn’t prevent us from taking a chance anyway,” says Cahn.
“However, cognitive science is being incorporated into technology to create powerful tools that tackle complete problems. Advanced analytics and automation will increasingly play bigger roles as tactical solutions to drive efficiency or to help executives solve complex problems.
“The real opportunities lie in re-imagining the enterprise as an intelligent organization – one designed to create situational awareness with tools capable of analyzing disparate data in real or near-real time.
“The goal of cognitive governance, as the name implies, is to facilitate the design of intelligent automation to create actionable business intelligence, improve decision-making, and reduce manual processes that lead to poor or uncertain outcomes. In other words, cognitive governance systematically identifies ‘blind spots’ across the firm then directs intelligent automation to reduce or eliminate the blind spots.”
Tim Ng, COO of Europe’s leading digital health business Now Healthcare, casts an eye even further forward.
“A key challenge in the future will be the necessary integration of new and future technologies into core processes, world-changing technologies like artificial intelligence and machine learning,” says Ng. “Data is at the heart of operations, and those who can harness it will be more successful than those who can’t.
“The greatest impact and trend will be the use of artificial intelligence. This is a logical next step from business intelligence – systems that can consume data from multiple data streams and provide actionable intel in a format that is easily digestible to the management. Say goodbye to huge teams of analysts: AI will be the new norm.
“Technology in general will drive greater change, so operations people will need to thrive on the adrenaline of complexity and change. The operational canvas will be changed forever and this needs to be embraced.
“The world economy has faced and is still facing large structural changes on the way to bringing business to the international stage. Technology has impacted hugely with the world becoming a much smaller place – globalization of businesses has significantly accelerated with small companies able to enter the global markets through the use of technology. It is no longer an honor reserved for large companies and SMEs.
“Because of this, agility is required. Agile operations allow the companies to react to market conditions and plot routes through the minefield of consumer demand. I expect operational processes to be more agile with changes made almost instantaneously, as technology allows access to real time KPI (key performance indicator) management to an unprecedented level.
“Deeper integration of systems and data will be necessary with mobilization and real time access a key enabler. With executives able to access data anytime and anywhere, leading to strategic and tactical decision making many factors quicker than previously possible. Micro services will be the new fabric for operations with the reliance on the large monolithic enterprise systems no longer necessary. Imagine if you could piece together the services you needed like a jigsaw. Able to add, update and discard as necessary when new technologies or better AI became available.
“These are just the beginnings – it is no longer enough to be a safe pair of hands. It is now necessary to have the mindset of an innovator and creator to ensure that operations are able to support the needs of the business.”