Managing Operational Risk with Eyes Wide Open
Some business basics never change. Regardless of the economy, the geography, the industry or the times, companies need to perform competitively and grow profits. What shifts continuously over time are the risks that companies face in their efforts to achieve those goals. Some of these risks relate to the market, such as commodity pricing, foreign exchange (FX) and interest rate fluctuations, which can change business results at any time. Credit risk, with its liquidity issues and counterparty exposure, is an ongoing concern. External and strategic enterprise risks – a bundle of political, regulatory, sustainability and hazard risks – are also ever-present but often considered somewhat uncontrollable. And then there is operational risk.
But ask senior executives in non-financial companies where it ranks among important risks, and operational risk often doesn’t even make the shortlist.
Is that lower priority just a shortsighted view in the company’s risk lens? Are operational risks thought to be implicitly managed in the normal course of business? Or is operational risk the elephant in the middle of the room that looks just too unwieldy to handle, so risk exposures and losses are accepted? Possibly all three.
How well a company manages operational risk has everything to do with how resilient it is in a crisis – and how adept it is at avoiding one. Given its importance, why is operational risk under-attended in many companies, compared to other risk areas?
Part of the reason may be in defining operational risk. Operational risk is the risk of financial loss from an operational failure. While that sounds simple, it encompasses broad territory. This risk from executing the company’s operational business strategies may come from inadequate or failed internal processes, people and systems or from external events. It may be based in environmental, human resources, health and safety, information systems, internal process, legal, reputation, supply chain or technology issues.
But the underlying reason operational risk often doesn’t make the shortlist of important risks is this: it requires placing value on avoided loss. It is loss not experienced because the company anticipated and prepared for it. Because of a common tendency to undervalue its potential for destroying and creating value, many companies fail to make operational risk management a strategic imperative or elevate it to priority status.
The drivers pushing companies to improve operational risk management are growing in importance and number. Certainly investors and directors are less tolerant of surprises, earnings volatility and unmet expectations – and external uncertainties are adding to this pressure. Changing business priorities, aggressive competitors, economic turbulence – all call for companies to have mechanisms in place to anticipate problems and proactively manage operational risks.
In the absence of a regulatory mandate, many directives for change in managing operational risk come from boards of directors. Boards are clearly under pressure to understand company risks and whether expected risks are commensurate with expected rewards. They want to know the company’s risk framework, internal risk capabilities and processes, risk profile, emerging risks, interrelated risks, and how these align with the company’s strategies and goals. Rating agencies also want to see if companies have a more holistic view of their risks. They expect companies to understand and articulate their risks and their plans for managing those risks – including operational risks.
It can be argued that effective operational risk management is what good managers do every day. That is certainly true. What is needed now, however, is an approach to build that skill into the structure of the organisation.
This takes operational risk management beyond subjective assessment, to a more scientifically meaningful understanding of operational risk in its entirety using more objective analysis, measurement, monitoring and planning.
What companies can get for their operational risk management efforts is a balance of efficiency and effectiveness. Often, to gain efficiency, companies take short-term actions to radically cut costs, hoping to turn into ‘lean, mean fighting machines’. That approach doesn’t quantify the risk such draconian measures may create. Addressing costs is not the same as addressing risks. Pursuing efficiency without sufficient risk assessment and management action may in the end damage the company. When it becomes clear the company cannot operate successfully in such an austere model, the additional operational risk manifests itself as additional costs. Nor is optimisation necessarily going to accomplish this balancing act.
An example is global manufacturer pursuing a strategy of creating lean supply chain operations. By initially focusing internally on reducing supply chain costs, the company will meet its short-term goal of improving efficiency within its supply chain processes. But it might well fail to that by ‘optimising supply chain efficiency’, the assessment of operational risks is fundamentally ignored. Supply interruptions could follow, business resiliency decline and many of the costs will have to be added back.
True operational risk management attempts to balance both efficiency and effectiveness. Reviewing operational risks within the supply chain, for instance, using an Accenture approach, we might not recommend eliminating eight of the 20 links in a supply chain just because it saves money. A balanced, risk-based approach might instead suggest taking out five links because of complete redundancy. Eliminating the other three could mean taking on a level of risk exposure greater than the company can tolerate.
Good operational risk management can add real value to companies. Based on our work with clients around the globe, research into leading practices and industry benchmarking, we believe an effective operational risk management approach can align operational risk and performance to achieve sustainable results – and build value. However, it must incorporate the following:
The process begins with a question. What does the company want to accomplish by expanding its management of operational risk? Defining that goal from the start increases the chances that the programme will be successful. The next step is to choose the operational risks to be assessed. There may be more than a hundred operational risks. Do you want to focus equally on all? Probably not, so some narrowing and choosing among risks based on size, consequences and effect on strategic objectives will be needed.
What works effectively for many companies in this process is integrating changes into their enterprise risk management (ERM) programme on a pilot basis. Companies may launch the programme in one subsidiary or division to get a good understanding of what the risks are and how to mitigate them better across the company. And – carried out at the same time – an education programme helps people understand the risks and what is being accomplished in the ERM programme. The combination of piloting and education is a practical and proven means of operationalising changes.
Implementing changes in the ERM programme frequently produces discoveries that are useful beyond the programme itself. Valuable information may be developed, for instance, for planning, compliance, business continuity and internal audit. Integrating the new information into those activities allows them to function better and provides practical insights for operational and financial planning. In turn, the information emanating from those sources can go back into ERM so that risks are better identified, prioritised and managed.
One company in the logistics services business leverages its transparent risk culture into a competitive advantage. Across several subsidiaries, this company identifies, assesses, manages and monitors risk in a nearly identical process. The approach is embedded into their business activities and decision-making. What makes this highly efficient approach uniquely effective is the company’s culture of open communications where both good and bad news is escalated immediately to peers and superiors. Failures are dealt with immediately. Nipped in the bud, the risk exposures do not grow to threatening size. Year after year, the company’s healthy earnings have reflected the wisdom of this approach.
Companies that want to upgrade their operational risk management should aim for this high level of transparency to enable fully informed decisions.
Because operational risks can be quite complex, companies often resist the effort to quantify them. The organisation may have voluminous amounts of data it can’t quite simplify to support analysis. And some companies don’t rely heavily on numbers for making risk decisions. In other cases, the way the company looks at risk across the organisation may be limited in scope and depth, focused on silos without being aggregated at the top of the company. In any case, companies often proceed with an impaired and partial view of operational risks and interrelated risks.
What sharpens the company’s view are stronger capabilities in risk prioritisation, risk measurement, scenario analysis and stress testing. These include qualitative risk assessment processes to prioritise risks, assess management effectiveness and assign ownership for risk management. Beyond these are analytics to establish results-based operational risk measurement. And highly complex quantitative methodologies can address important linkages between risks and operational performance.
That intense degree of attention to operational risk management is what catapulted a consumer products company from number three to number one in two of its primary product categories. The company decided to use the management of operational risk to become a better company, and it has worked. Operational risk assessments are fully integrated with business planning; risk workshops at its manufacturing and distribution facilities around the world reinforce the company’s target risk culture. The company successfully achieved its strategic objectives by managing risks in a more efficient and effective way.
To address risks, companies need to agree on risk metrics and methodologies. What are the indicators that are going to be reported to operational and executive management? How frequently will those results be monitored and reported? Are they compatible with one another, forming a unified picture of the whole?
The logistics services company mentioned earlier excelled in communicating risk information throughout the enterprise, but still struggled with achieving a consistent risk measurement. The organisation’s subsidiaries all had different languages for risk measurement. An 8.4 might mean high risk in one area, but in another area it could be a ranking too low to drive action. The corporate team developed a consistent approach and the metrics are now integrated to drive resource allocation corporate-wide.
Using the appropriate level of sophistication for methodologies, whether basic or highly advanced, the company can move beyond siloed approaches to risk management, which can produce blind spots in the risk landscape. The right methodologies provide information that can take the company beyond a narrow focus. This enables it to more comprehensively assess its enterprise-wide exposures and integrate risk indicators with underlying business processes. With that fully informed view, management can see the key connections. For decision-making, metrics matter.
There are undeniable, clear ‘soft’ benefits that can be attributed to better operational risk management: fewer surprises; less uncertainty; a more valuable and sustainable company; reduced losses and compliance expenses; greater buy-in to the overall ERM programme and a more efficient organisation with better communication between operational risk owners and corporate risk management, planning and compliance activities.
Not least, good operational risk management can improve working capital management. With all risks measured, the company has more complete information for deciding how to allocate capital. Given a risk-based view, companies can decide how one investment compares with another as a place to best direct the company’s resources.
Operational risk management creates the framework to avert or minimise these. It puts analytics behind what has been a subjective approach to dealing with risk issues that are often at the core of why companies are surprised at the end of the year. By fully understanding your operational risks and exposures, you anticipate and manage them adroitly. In the end the result is a more resilient company: a company aware of its risks and prepared to shape its future.