You are currently browsing the tag archive for the ‘operational risk’ tag.
I’ve frequently commented on the artificiality of the emerging software category of governance, risk and compliance (GRC). The term is used to a cover a combination of what were once viewed as stand-alone software categories, including IT governance, audit documentation and industry-specific compliance management, to name three examples. While it’s still common for specific types of software to be purchased piecemeal by different departments, these disparate areas have started a long convergence process. Since just about all controls and risk management efforts require a secure IT environment to be effective, there is a growing interdependence between effective IT governance and everything else connected with enterprise GRC.
Our research has established that companies are immature with respect to their risk and compliance activities. One fertile area where most companies can make substantial improvements is in operational risk effectiveness. Although one-fifth or fewer said their operational risk controls are ineffective, even fewer rated them very effective. For example, just 20 percent said their company’s controls for natural disasters are ineffective, but only 15 percent assessed them as very effective; the rest rated their controls in the middle category, effective. Just 9 percent have controls for supply chain disruption, and therefore almost all must improvise in response to these relatively common occurrences. Certainly, companies with big, important brands pay attention to the risk of reputational loss. Yet even small businesses must now contend with the impact of negative reviews on a range of websites – assuming they even know that one has been posted. Just one in eight (13%) has effective controls to deal with natural disasters – and that’s the leading risk category. More than a decade after the Sarbanes-Oxley Act was enacted to address it, just 6 percent of companies say they have effective internal fraud controls. (For private U.S. companies, it doesn’t matter if they don’t document these controls, but for the sake of good governance they must be present and effective.) The research shows that companies are least good at controlling demand disruption (26% said their controls are ineffective and just 5% said they are very effective) and reputational loss (26% and 9%, respectively).
The responses show that a majority of organizations believe they are doing reasonably well, but I disagree. “Somewhat effective” is a risky attitude. This type of thinking leads to complacency and a lack of effort to improve risk management. I think “very effective” ought to be the standard companies apply to their risk controls.
Financial controls are easier to implement, and there is a long history of their use, yet here again many companies are lagging. Of six key financial risk management efforts we listed, participants identified as the most effective their controls for material financial misstatements (the key objective of the Sarbanes-Oxley Act), with 37 percent saying they are very effective and 51 percent calling them effective. Fewer rated their credit controls very effective (24%), though only 5 percent said they are ineffective. The explanation for this distinction may be that, whereas the consequences of material financial misstatements are direct and severe (likely requiring restatement of financial results and possibly a loss of investor credibility), there may be a strategic reason for a certain laxity in granting trade credit (such as trading off higher revenues against increased credit losses). Controlling risk through contingency planning was identified as the least effective control, with just 14 percent saying it is very effective and 34 percent labeling it ineffective. (Of course, in this case such an assessment is speculative.) Across industries, fire, insurance and real estate companies rated their risk management efforts more effective, likely because risk management is a well-established practice and readily quantifiable in that industry. Midsize companies rated their tax risk management as very effective much less often than larger ones, likely because they have fewer resources to devote to it; they also said more often they are ineffective at preventing disruption of funding.
Managements in heavily regulated industries are more attuned to the risk of compliance failures. Those in financial services businesses are regularly focused on risk because it is a core competence (after all, risk is what insurance is all about). Other types of industries, however, pay less attention to managing risk and usually implement change after disaster strikes. Human nature being what it is, many successful executives and managers are less inclined to focus on risk, yet companies will find that regular risk reviews are in order to challenge assumptions and consider potential responses when unfavorable events occur. Along with this, companies must define and develop methods for spotting risk events sooner and responding faster. The research finds that one of most often identified benefits companies get from GRC efforts is being able to identify and manage risk faster (chosen by 79%), followed by improving the control environment (59%) and preventing situations from occurring because of neglect (54%).
Managing risk and compliance effectively is an important component of good governance. Managing risk intelligently enables organizations to be more successful because it can deliver a competitive edge. Those businesses that are good at managing risk are able to make aggressive moves more prudently, spot negative trends faster, and respond more quickly and effectively when disaster strikes. Harnessing IT for more intelligent risk and compliance management is an important practice in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as intelligently as they should.
Robert Kugel – SVP Research
One of the most important trends in business over the past 20 years has been the broadening use of information technology to manage and support activities. In the early decades of business computing, companies developed islands of automation for largely numeric functions such as billing, inventory management and accounting. Each ran on a proprietary system and engaged the time of a relative handful of employees. Today, just about everyone works with an IT system for at least some of their operational or administrative tasks. They rely on these systems to support many of their daily routines, from recording transactions to using analytics to provide alerts, insights and decision support.
Because the technology is involved in a wide-ranging set of business roles and deeply woven into business processes, companies need a comprehensive approach to addressing corporate governance, risk and compliance (GRC) requirements for their IT environment. In many organizations these systems are increasingly interdependent, necessitating comprehensive controls for the entire IT environment that are coherent and efficient from the users’ standpoint and potentially more effective from the IT department’s perspective; a comprehensive approach requires less work to manage and offers fewer points of potential failure.
The need for this kind of approach was revealed in Ventana Research’s recent GRC benchmark research, in which 25 percent of participants in IT roles said they are dissatisfied with the technology their company uses to manage GRC requirements, and another 35 percent were only somewhat satisfied with what they have. Just 4 percent said they are very satisfied; the remaining one-third (36%) are simply satisfied.
More effective technology for control systems is valuable because well-controlled IT environments are an effective barrier to control failures in risk and business management. And comprehensive governance methodologies are not only more effective but more efficient. In the old days, IT departments had to erect barriers to protect each stand-alone proprietary system and manage and monitor them separately (if they did it at all). Today, systems can be managed holistically, replacing the many little walls around islands of automation with a single secure perimeter within which many individual systems operate. Thus, rather than having to erect and manage new walls every time new systems are added, companies already have these components in place.
For example, companies benefit by having consistent identity management and process controls to ensure they are effectively managing and mitigating the risk of fraud, errors, omissions and intrusions. As to the last, our GRC research shows that one-fourth (26%) of very large companies (those with 10,000 or more employees) experienced a breach of data privacy or data security in the prior 12 months.
Although some organizations have already adopted a comprehensive approach to identity management and process controls, most have not. The research shows that just 10 percent of large companies (those with 1,000 or more employees) have fully automated their identity controls, and another 43 percent have mostly automated them. The rest have limited or no automation in place.
Historically, these issues have been handled largely as afterthoughts; we assert that this is a mistake. The importance of managing risk more effectively and the expanding list of regulatory and legal requirements corporations face have increased the need for software and systems that can provide full control, aid oversight and automate the execution of mechanical tasks. Since information technology can (and should) play an ever more integral role in governance, risk management and compliance functions, and because individual software applications and tools can (and should) be applied to these requirements, companies need to approach their GRC efforts comprehensively and consider the information technology requirements for identity and access management and process controls to be a core discipline.
Identity and access management and process controls are two sets of IT infrastructure elements that can make risk and compliance management efforts more efficient and more effective. Companies must be certain that they give permissions and rights to the appropriate people, and that these people are who they claim to be. Thus, access controls, which depend on managing user identities effectively, are central to enforcing the separation-of-duties (SOD) controls that are applied where more than one person is required to complete a task. Historically, separation of duties was largely a finance department issue, driven by fraud concerns; today it’s a necessary part of IT department management, needed to ensure the integrity of systems – people who make changes to code can’t be the same people who certify these changes. Similar controls are needed for processes throughout a company where it’s necessary to separate duties for external regulatory or legal compliance or internal compliance and risk management.
Process control software enables companies to monitor activities within software applications and IT systems to ensure that things are being done “by the book,” with all steps in a process defined and executed in the correct order and in a timely fashion after the required sign-offs have been obtained. The escalation in outsourcing activities and the globalization of supply chains increase the importance of these process controls to keep things from falling into cracks, and to check, inspect and document work performed by suppliers or contractors.
Process control systems also can be used to spot suspicious activities, in real time if necessary. And such systems allow internal and external auditors to verify that controls are working. They enable easy analysis of system logs to spot suspicious activities such as intraday granting and rescinding of permissions or a higher-than-usual number of changes at the end of a month. Indeed, these are electronic versions of what auditors once used to do by hand, checking paper ledgers for erasures and examining handwriting to spot suspicious marks. Forensic accountants and other risk and fraud experts now can design controls that eliminate the need for heavy manual oversight. By having these controls in place, corporations can minimize the costly need for external and internal audits.
Each of these basic capabilities – access control, identity management, transaction monitoring and controls monitoring – reduces the amount of audit activity needed, cuts the expense and effort of performing these tasks manually and significantly reduces the risk of fraud or errors stemming from poor or nonexistent controls. To the extent that it is feasible, we believe companies need to incorporate these infrastructure elements as a standard practice. Because IT systems are now at the center of handling most key processes, corporate governance and risk management increasingly call for a comprehensive approach on the part of IT departments. It’s time for IT departments that are lagging in their adoption of more effective controls to take a safer and more cost-effective approach.
Robert Kugel – SVP Research