Operational risk is on shareholders minds. The topics of interest at last evening’s NACD – Capitol Area chapter event in McLean, VA included the state of the economy, the stock market and our outlook for the remainder of this year. Corporate Governance and Sarbanes-Oxley were fueling the fire for much of the debate on what was going to fix the current sentiment of investors.
The current state of mind is one of optimism and as our speaker Dr. Robert Sweet, the Chief Economist and Managing Director of MTB Investment Group admitted, he was a little above the "glass being half full". As an economist with a BA, MBA, JD and PhD he was confident that all the numbers were headed the right direction. He only had one caveat. The risk of more corporate malfeasance was something that could change his rosy view of the economy’s crystal ball.
Even in the face off huge government deficits defeating global terrorism and the thought of our extended stay in Iraq lies the greater risk of corporate wrong doing. Our greatest threat to achieving a turn around lies in the behavior and ethics of our US corporate chief executives rather than the next moves by George Bush and the Dickie, Donnie and Condi show.
"Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first loan or execute their first trade. What is new is the idea that operational risk management is a discipline with its own management structure, tools, and processes, much like credit or market risk. " The Journal of Lending & Credit Risk Management March 2000
The risk of loss by inadequate or failed processes, people, systems and from external events is the definition of "Operational Risk." Corporate Executives have hired Chief Risk Officers and established new operational risk management committees. This is moving rapidly outside the traditional sectors of banking and financial services for good reason.
What can the Board of Directors do to make sure that their CEO has moved to a place focused on mitigating operational risks? Fundamentally, the first task is to make sure that the CEO has a management system in place for operational risk. What is needed is a process approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organization’s Operational Risk Enterprise Architecture (OREA).
Let’s break down this Operational Risk Enterprise Architecture (OREA) a little further to get a better view of some of the specific operational attributes:
People
Employee fraud, misdeed, unauthorized activity, loss/lack of personnel and employment law.
Process
Payment/settlement, delivery/selling, documentation/contract, valuation/pricing, internal/external reporting and compliance.
Systems
Technology investment, development, access, capacity, failures and security breach.
External
Legal liability, criminal activities, outsourcing, suppliers/insourcing, disasters/infrastructure, regulatory/political.
The attributes of operational risk are the same key areas that need to have metrics created for measurement and auditing. Performance Management, Balanced Scorecard and other methodologies for managing, monitoring and continuous improvement need to be implemented so the boards of directors have a way to get timely alerts, updates and reporting.
The Operational Risk Enterprise Architecture (OREA) is a management framework that requires a process approach embedded with the legacy of our quality initiatives of the past several decades. The reason is because of the threat of change itself. The P-D-C-A model (Plan – Do – Check – Act) is appropriate for application to this process approach and threat of a constantly changing corporate environment:
Plan
Establish policy, objectives, targets, processes and procedures for managing operational risks to deliver results in accordance with the organizations business objectives.
Do
Implement and operate the policy, controls, processes and procedures.
Check
Assess and measure in applicable areas while reporting results to management for review.
Act
Take corrective and preventive actions based on results to continually improve the OREA framework.
Operational Risk Management is getting the attention of organizations outside of the global money center banks at a rapid pace. Board of Directors in any industry will soon realize that the successful CEO of the future will be a master of building a culture with effective operational risk management systems at it’s core.
Peter L. Higgins is Managing Director of 1SecureAudit LLC, an Operational Risk Management Solutions firm. Copyright 2003 1SecureAudit LLC. Reprinted with permission from "1SecureAudit Operational Risk eLetter", a monthly newsletter for corporate executives.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.