The Titanic is a study in operational risk management. Unfortunately, many organizations are in the same state – they do not see a complete picture of the risks they face and therefore are ignorant of the significance of the aggregate of a lot of islands of operational risk. And when things did go wrong there were not enough lifeboats . . .
There are a variety of risks the Titanic faced – overconfidence, poorly manufactured rivets, focus on speed while ignoring the external risk environment, inadequate design, and lack of someone diligently watching for icebergs. Organizations are in the same ‘boat’ today.
Deloitte illustrated this very well a few years back in their Value Killers research. In this research they studied the Global 1000 and found that nearly half of these companies had a drop in value of 20% or more in less than a month (this was before this last year). In 80% of these cases (that is 400 out of the Global 1000 for those not following along mathematically) it was because of multiple risk factors creating a greater risk environment but these risks were managed autonomously in different parts of the organization.
Organizations continue to manage operational risk in silos, where distributed business units and processes maintain their own data, spreadsheets, analytics. modeling, frameworks, and assumptions. Operational risk platforms (if deployed) are typically not equipped to capture the complex interrelationship among operational risks that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their own view of risk and not the aggregate picture of risk, failing to recognize substantial and preventable losses.
Increasing demands of Operational Risk Management (ORM) requires effective technology to support a comprehensive system of record to manage operational risk in a systematic way – across the entire business including its business relationship and external risk environment.
The “Ultimate ORM Platform” enables the enterprise to answer the following questions across business lines and aggregate risk to an enterprise perspective:
- Do you know you know your risk exposure at the business process as well as enterprise operations levels?
- How do you know you are taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
- Can you accurately gauge the impact of risk taking on business strategy as well as loss?
- Does the business get the information it needs to take timely action to risk exposure to seize opportunities while mitigate negative events?
- Do you have repetitive and inefficient controls, documentation, processes, testing, and risk measurement / management?
- Are you optimally measuring and modeling risk?
To answer these questions, the ultimate ORM platform will have to cover the following key areas:
- Risk and control assessment. This includes risk identification, assessment, surveying, and analysis. To mange operational risk, an organization will implement a taxonomy of risks and a framework designed to provide a sound and well-controlled operational environment. The ORM solution needs to be able to integrate with multiple-frameworks (e.g., ISO 31000, AS/NZS 4360:2004, COSO). In addition, organizations need to manage the balance between the cost of controls and the reduction in risk that the controls effect. The platform should support a range of assessment styles including qualitative and quantitative assessments, as well as top-down and bottom-up techniques. Risk measurement should cover both inherent and residual risk metrics.
- Internal loss events. Operational losses are increasing in frequency and impact because business has grown more complex, particularly as transaction volumes have increased, organizations have distributed operations, growth in business relationship, and businesses’ reliance on automated systems outpaces their ability to monitor risk. Critical requirements for an ORM process includes capturing loss information. This includes creating a consistent categorization scheme for loss events (e.g. Basel II causal categories for losses), and linking loss to the risk taxonomy. This last requirement is extremely important since it allows an organization to pinpoint the root cause of losses and determine if certain controls are failing. This process facilitates the continual optimization of risk management as well as the control environment. An ORM platform needs to combine assessment data with loss event data to support an ORM process.
- External loss data. External losses are also a key component of the Ultimate ORM Platform. The solution should support automatic up-load and down-load capability for interfacing with external loss consortiums (e.g., ORX) or commercial providers (e.g.,Algorithmics, AON, SAS). In addition, the system should facilitate the use of external loss for capital modelling, scenario analysis and benchmarking.
- Key risk indicators. Continual monitoring and management of key risk indicators – including trending and aggregation of KRIs – is a critical element of an ORM process. An ORM platform is to support automatic notification to risk owners when KRI values reach thresholds. Workflows should automate ORM process such as KRI review and analysis. KRIs must support thresholding and time-trending. The best systems will also allow you to align enterprise performance management with risk management and give you a view into risk optimization as opposed to simply risk mitigation. Organizations take risk – they need assurance they are taking the right risk to meet objectives and that risk is effectively monitored and managed.
Reporting. An ORM platform needs to provide timely and accurate information to risk managers, risk owners in lines of business, senior and executive management, board, and external constituencies such as auditors and regulators. ORM reports enable management to maintain risk at appropriate levels within line of business, escalate issues and provide consistent data aggregation across business roles and functions. With improved visibility into its risk environment, an organization is in a position to make risk intelligent business decisions. The ORM platform needs to support a variety of ORM reports including high-level dashboards, risk models, and detailed reports. It has to be able to aggregate data across business entities, relationships, risk categories, event types, and time periods.
- Extensible & flexible platform. One size fits all does not apply for an ORM process. Organizations need an adaptable solution and process to meet specific needs, taking into account corporate governance including corporate policies and procedures. When choosing a technology platform organizations need to pick an application that can adjust to its process as opposed to adjusting processes to fit the application. Important areas for extensibility include
- Business hierarchy. Multiple hierarchies (legal, finance, organizational), multiple levels (with no limit), and asymmetrical hierarchies are all essential to conform ORM to the business.
- Localization. As most firms operate in a number of localities around the world, many of which have their own local reporting needs, it is essential that the technology solution you choose can be deployed enterprise-wide and can be effective across all geographies and business functions.
- Risk Framework. The ORM platform must be able to adapt to different risk categorization, taxonomies, measurement schemes, and evolve as risk processes mature over time.
Which vendors provide this breadth and depth of ORM functionality?
Only a handful – and many are still growing to achieve this vision. ORM vendors that I have deep respect for in the ORM area include BWise, CURA, MEGA, OpenPages, and Texert. Each of these vendors has proven capabilities to handle multiple frameworks and integrated processes for ORM.
OpenPages has given a lot of development and thought to the integration of loss information this past year that has recently impressed me. It is impossible to model risk without understanding where your most significant issues have been – historical trends do have an important place in risk modelling. BWise and MEGA have carried the torch in quantitative risk modelling – though not every organization needs this, while some will use an external application or spreadsheet for complex risk modelling.
There are indusry specific ORM solutions for financial services from vendors such as Algorithmics,Oracle Financial Services Suite, and SAS. However, these solutions tend to be more rigid and lack on the extensible/flexible platform requirement. I have had a deep respect for Ci-3 as well over the years but am waiting to see where this heads under the Wolters Kluwer acquisition.