Stakeholders are becoming increasingly concerned about accountability and the management of operational risks. Regulations like HIPAA, Sarbanes-Oxley, and Basel II are placing more stringent requirements on corporate governance. More and more high technology is embedded in the operating fabric of the organization and, in many respects, technology is the organization. Amazon and eBay are outstanding examples of businesses created by and totally dependent on technology. It is this reliance on technology and escalating dependency on interconnected infrastructures that has elevated the exposure to business interruptions. These interdependencies ripple through an organization, as well as outside to major stakeholders: customers, suppliers, lenders, and partners.
Simultaneously, non-conventional threats such as denial of service, hacking, and September 11th 2001 changed the very nature of operational risk instantaneously and on a scale not previously envisaged. These newborn threats seek out and exploit the vulnerabilities of an organization’s soft underbelly. Short-term interruptions, once considered minor, can now quickly mushroom into significant and serious financial loss analogous to a major disaster.
Widely publicized accounting irregularities and high-profile incidents intensify stakeholder concerns. The financial debacles at HealthSouth, Enron, and WorldCom fuel stakeholder doubts by underscoring dubious internal controls that aggravate operational risks. Furthermore, the sudden demise of one of America’s best-known professional services firms, Arthur Andersen, raises doubts regarding independent oversight practices. Yes, stakeholders are concerned because today’s business environment appears to be supported by a sensitive technical platform that has soaring exposures and is operating without the safeguard of adequate control or oversight.
The foundation of this stakeholder concern is operational risk and the lack of its effective treatment by business management. Many managers appear to be jousting with the windmills of guesswork and best practices, rather than taking a businesslike approach to managing the growth of operational risks.
Managers are under great pressure to cut costs, and often do not know how to build a strong business case for expenditures to achieve regulatory compliance and manage risks. Success in dealing with risk requires more than guesswork and luck. Competent managers know how to keep the odds in their favor if they must make a gamble. As the great philosopher Immanuel Kant said, “We have a duty - especially where the stakes are large - to inform ourselves adequately about the facts of the situation”. The stakes in today’s business environment are particularly high, and a bad choice about operational risk could be fatal. Risks need to be measured, but many managers doubt that this can be done.
However, without the benefit of a measurement of risk, managers resort to their intuitive judgments, little more than stabs in the dark and certainly subject to error. Rapid, intuitive judgment operates as a substitute for more careful study of risk and leads to devoting costly resources to little problems rather than big ones. It also causes concern about risks that are actually quite small and indifference to risks that are extremely serious.
Simply classifying a risk as ‘serious’ does not usually lead to a ‘serious’ budget allocation. Business lines need to be given financial incentives that motivate them to reduce operational risk. Unless risks can be put in a comparative economic context, managers end up doing very little to address risk. Historically, the lack of an economic comparison of risks has caused risk-reduction investments to be made to avoid the appearance of negligence and/or to meet minimal audit requirements rather than to reduce risk cost-effectively. This has caused managers to appear complacent about operational risk when actually they are simply unsure of the business value of the risk-reduction investments. What is needed is a quantitative basis for risk management decisions.
Risk losses are caused by the exposure to threat events. Threat events are quantified by estimating their rate of occurrence (or probability), and the duration of the service interruptions they cause. Business processes are characterized by their potential for loss when impacted by threat events. The product of the threats and loss potentials is expected loss, the monetary loss one can reasonably expect to experience expressed at an annual rate. This makes it simple to identify the material threats.
Next, one can evaluate the Return On Investment (ROI) of proposed mitigation measures by comparing the anticipated reduction in expected loss (the return) with the cost to implement (the investment). Obviously, managers will want to select mitigation measures with a strongly positive ROI, and avoid the money losers. It is also important to address potential fatal risk exposures. By addressing all the exposures collectively, one evolves the optimal risk management strategy on a sound businesslike basis.
Governments and regulatory bodies have recognized the reluctance of businesses to account properly for operational risk. Not accounting for operational risk makes certain functions or systems appear artificially attractive. The stakes have become so high, in fact, that governments have taken swift and compelling action to force the issues of operational risk to the forefront of business management.
Companies can expect stricter regulation and oversight by government regulators. Internal controls are no longer ‘nice-to-haves’; they are ‘must-haves’. As an example, Section 404 of the Sarbanes-Oxley Act requires public-company executives and auditors to certify the controls and procedures. Section 409 of Sarbanes-Oxley requires prompt reporting of material changes in both financial and operating conditions, i.e., material impairments due to business interruption events.
There are severe civil and criminal penalties related to non-compliance with Sarbanes-Oxley. Much more than the customary slap on the wrist to business executives, these penalties have teeth, long and sharp. Failure to comply could result in fines of up to $25 million and/or prison terms of up to 20 years. These liabilities land squarely on the key executives, as the law also prohibits company-backed loans to pay the fines and bars extraordinary payments to insiders during an investigation.
Business executives must learn to manage operational risk, and that requires that they first learn how to measure it and evaluate it properly through quantitative assessments. Second, they must assess the tradeoffs by exploring the costs of alternative preventative measures, also in quantitative terms. Third, to make best use of scarce resources, they must choose the optimal mitigation solutions for the most serious risks.
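The expected-loss and ROI arithmetic described earlier (threat rate times outage duration times the loss potential of the affected processes, then the reduction in expected loss weighed against the cost of each mitigation) and the three-step procedure just listed can be carried through end to end on constructed figures. The Python below is an added example, not code from the article or from any product it mentions. The dataclass names, the `rate_factor` and `duration_factor` fields, the `fatal_threshold` parameter, all the dollar figures, and the rule that a "fatal" exposure is one whose single-event loss exceeds a survival threshold are assumptions made for illustration; the article itself gives no such numbers or threshold rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    loss_per_hour: float    # loss potential while the process is interrupted


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float      # estimated occurrences per year
    outage_hours: float     # estimated interruption per occurrence
    affects: tuple          # names of the processes it interrupts


@dataclass(frozen=True)
class Mitigation:
    name: str
    threat: str             # threat it addresses
    annual_cost: float      # annualized cost to implement (the investment)
    rate_factor: float      # fraction of the occurrence rate that remains (assumed model)
    duration_factor: float  # fraction of the outage duration that remains (assumed model)


# Constructed sample figures (hypothetical; not from the article).
PROCESSES = {
    "order_entry": Process("order_entry", loss_per_hour=5_000.0),
    "billing": Process("billing", loss_per_hour=2_000.0),
}
THREATS = {
    "power_failure": Threat("power_failure", 2.0, 4.0, ("order_entry", "billing")),
    "dos_attack": Threat("dos_attack", 0.5, 12.0, ("order_entry",)),
    "data_center_fire": Threat("data_center_fire", 0.02, 720.0, ("order_entry", "billing")),
}
MITIGATIONS = [
    Mitigation("ups_generator", "power_failure", 10_000.0, rate_factor=0.1, duration_factor=1.0),
    Mitigation("ddos_scrubbing", "dos_attack", 40_000.0, rate_factor=1.0, duration_factor=0.25),
    Mitigation("fire_suppression", "data_center_fire", 20_000.0, rate_factor=0.25, duration_factor=1.0),
    Mitigation("hot_site", "data_center_fire", 150_000.0, rate_factor=1.0, duration_factor=0.05),
]
FATAL_THRESHOLD = 1_000_000.0   # assumed: a single event above this would be fatal to the business


def loss_per_event(threat, processes):
    """Monetary loss from one occurrence: outage duration times the loss potential of every affected process."""
    return threat.outage_hours * sum(processes[p].loss_per_hour for p in threat.affects)


def expected_loss(threat, processes):
    """Annualized expected loss: occurrence rate times loss per event."""
    return threat.annual_rate * loss_per_event(threat, processes)


def baseline_expected_loss(threats, processes):
    """Step 1 of the procedure: measure the total expected loss before any mitigation."""
    return sum(expected_loss(t, processes) for t in threats.values())


def apply_mitigations(threat, mitigations):
    """Return the threat as it looks after the given mitigations; factors for the same threat multiply."""
    rate, hours = threat.annual_rate, threat.outage_hours
    for m in mitigations:
        if m.threat == threat.name:
            rate *= m.rate_factor
            hours *= m.duration_factor
    return Threat(threat.name, rate, hours, threat.affects)


def evaluate(mitigation, threats, processes):
    """Step 2: ROI of one mitigation, i.e. reduction in expected loss (return) against its cost (investment)."""
    t = threats[mitigation.threat]
    reduction = expected_loss(t, processes) - expected_loss(apply_mitigations(t, [mitigation]), processes)
    return {
        "reduction": reduction,
        "net_benefit": reduction - mitigation.annual_cost,
        "roi": reduction / mitigation.annual_cost - 1,
    }


def plan(threats, processes, mitigations, fatal_threshold):
    """Step 3: keep the mitigations that pay for themselves, then report any exposure that is still fatal."""
    selected = [m for m in mitigations if evaluate(m, threats, processes)["net_benefit"] > 0]
    residual = {name: apply_mitigations(t, selected) for name, t in threats.items()}
    unresolved = [name for name, t in residual.items() if loss_per_event(t, processes) > fatal_threshold]
    return {
        "selected": [m.name for m in selected],
        "unresolved_fatal": unresolved,
        "annual_loss_after": sum(expected_loss(t, processes) for t in residual.values()),
    }


if __name__ == "__main__":
    print(f"baseline expected loss: {baseline_expected_loss(THREATS, PROCESSES):,.0f}/yr")
    for m in MITIGATIONS:
        r = evaluate(m, THREATS, PROCESSES)
        print(f"{m.name:17s} reduction {r['reduction']:>10,.0f}  net {r['net_benefit']:>10,.0f}  ROI {r['roi']:+.2f}")
    print(plan(THREATS, PROCESSES, MITIGATIONS, FATAL_THRESHOLD))
```

On these figures the generator and the fire-suppression system have strongly positive ROI and are selected, while DDoS scrubbing and the hot site are money losers. The plan output still lists `data_center_fire` as an unresolved fatal exposure: fire suppression cuts how often a fire is expected, but the loss from a single fire remains above the survival threshold, and only the negative-ROI hot site reduces that. That is the distinction the article draws between selecting by ROI and separately addressing potentially fatal exposures; the two checks have to be run together rather than letting the ROI ranking decide alone.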