Welcome back -

Services for Organizations

Using our research, best practices and expertise, we help you understand how to optimize your business processes using applications, information and technology. We provide advisory, education, and assessment services to rapidly identify and prioritize areas for improvement and perform vendor selection

Consulting & Strategy Sessions

Ventana On Demand

    Services for Investment Firms

    We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

    Consulting & Strategy Sessions

    Ventana On Demand

      Services for Technology Vendors

      We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

      Analyst Relations

      Demand Generation

      Product Marketing

      Market Coverage

      Request a Briefing

        Robert Kugel's Analyst Perspectives

        << Back to Blog Index

        Operational Risk Management Is a New Imperative

        Risk has always been an integral part of business, but our recent Governance, Risk and Compliance (GRC) benchmark research shows that companies deal with risk with varying degrees of effectiveness – especially operational risk. A majority of companies lag in their overall GRC maturity, as I covered in a recent blog post. Operational risk management should be of greater interest to executives today because they can have greater control of it than before. The expansion of IT systems to automate and support most business processes has made it easier than ever to measure, monitor and report on what’s going on in a company. It’s now practical to expand the scope of operational risk management and improve companies’ effectiveness in handling risk events when they occur.

        Our research shows that managing risk more effectively is the main reason why people want a better approach to GRC. Nearly eight out of 10 (77%) want to be able to identify and manage risks faster. Another 59 percent want to achieve a better risk control environment – for example, they want to ensure that rules and procedures are being followed. In many instances, it possible to use information technology to keep people from not following rules and policies. For example, there’s a long-standing approach to reducing financial fraud by having a policy for separation of duties that keeps people who approve invoices separate from those who sign checks or issue payment instructions. Because invoice approval and payment are done via computer systems today, the process can be designed to enforce separation of duties and to continuously monitor systems and process execution to ensure this policy is followed.

        Computing systems also can be used to stay on top of compliance to limit the chance that someone fails to do what they are supposed to do. Was a critical piece of maintenance performed on schedule? Has everyone who needed to sign off on a regulatory filing?

        Managing risk is an ongoing process that must be defined, refined and re-examined regularly. Managing risk effectively means having ongoing discussions about risk, usually face to face. But IT is a critical piece of effective risk management. Technology can automate many aspects of risk management – separation of duties and identity management are two examples. Reporting systems can be used to enable managers and executives to monitor operations more efficiently by reliably providing alerts but only doing so when some situation requires their attention.

        One analytic technique that’s applicable to managing operational risks is predictive analytics, a subject I’ve covered in the past. “Predictive” does not necessarily mean that you can foretell the future; rather, this approach sifts through a lot of data, tells you if some key aspect of the business is behaving the way it should and alerts someone if it isn’t. Do order patterns signal a problem? If you can spot the negative trend on the fifth business day of the month rather than in the monthly review, you may be able to address the causal factors before you have a big problem. Predictive analytics can inform managers that they will need to add shifts or workers to address some supply chain snag that has developed.

        Predictive analytics is a powerful tool that’s becoming increasingly accessible to many businesses. However, many companies face a fundamental issue: They don’t have the data. Our research shows a mixed picture. Participants were pretty much split on how easy it is to access and use the data necessary to measure and assess risk. About half (53%) took the middle ground, saying that is neither easy nor difficult. Of the remainder, 24 percent said it’s easy or very easy and 19 percent said it’s difficult.

        Companies are not completely ineffective in managing operational risks – only about one in five said they have ineffective operational risk controls for handling natural disaster, supply chain disruption, competitive threats, reputation loss, internal fraud and demand disruption. (I think this is because companies that have ineffective controls usually go out of business.) However, the data also shows that even fewer rate their risk controls as very effective. For example, only 15 percent assessed their controls for natural disasters as very effective, and just 12 percent rated their supply chain controls as very effective. The research shows that companies are least good at controlling the impact of demand disruption: More than one-fourth said their controls are ineffective while just 5 percent said they are very effective. Just 8 percent are very effective at controlling separation of duties and sources of internal fraud at an operational level. While most companies rate themselves somewhere in the middle, I think “very effective” ought to be the standard companies apply to their operational risk management. And the fact that a majority of organizations think they’re doing reasonably well in controlling operational risk is itself a risk. This sort of assessment typically leads to complacency and a lack of effort to improve operational risk management.

        Managing risk intelligently is one of the key capabilities of successful organizations because it can deliver a competitive edge. Companies that are good at managing risk can make aggressive moves more prudently, spot negative trends faster and respond more quickly and effectively when disaster strikes. IT continues to be one of the main sources of innovation in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as intelligently as they should.


        Robert Kugel – SVP Research


        Robert Kugel
        Executive Director, Business Research

        Robert Kugel leads business software research for Ventana Research, now part of ISG. His team covers technology and applications spanning front- and back-office enterprise functions, and he personally runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).


        Our Analyst Perspective Policy

        • Ventana Research’s Analyst Perspectives are fact-based analysis and guidance on business, industry and technology vendor trends. Each Analyst Perspective presents the view of the analyst who is an established subject matter expert on new developments, business and technology trends, findings from our research, or best practice insights.

          Each is prepared and reviewed in accordance with Ventana Research’s strict standards for accuracy and objectivity and reviewed to ensure it delivers reliable and actionable insights. It is reviewed and edited by research management and is approved by the Chief Research Officer; no individual or organization outside of Ventana Research reviews any Analyst Perspective before it is published. If you have any issue with an Analyst Perspective, please email them to ChiefResearchOfficer@ventanaresearch.com

        View Policy

        Subscribe to Email Updates

        Posts by Month

        see all

        Posts by Topic

        see all

        Analyst Perspectives Archive

        See All