Robert Kugel's Analyst Perspectives

Operational Risk Management Is a New Imperative

Posted by Robert Kugel on Jun 29, 2012 12:36:45 PM

Risk has always been an integral part of business, but our recent Governance, Risk and Compliance (GRC) benchmark research shows that companies deal with risk with varying degrees of effectiveness – especially operational risk. A majority of companies lag in their overall GRC maturity, as I covered in a recent blog post. Operational risk management should be of greater interest to executives today because they can have greater control of it than before. The expansion of IT systems to automate and support most business processes has made it easier than ever to measure, monitor and report on what’s going on in a company. It’s now practical to expand the scope of operational risk management and improve companies’ effectiveness in handling risk events when they occur.

Our research shows that managing risk more effectively is the main reason why people want a better approach to GRC. Nearly eight out of 10 (77%) want to be able to identify and manage risks faster. Another 59 percent want to achieve a better risk control environment – for example, they want to ensure that rules and procedures are being followed. In many instances, it is possible to use information technology to ensure that people follow rules and policies. For example, there’s a long-standing approach to reducing financial fraud by having a policy for separation of duties that keeps people who approve invoices separate from those who sign checks or issue payment instructions. Because invoice approval and payment are done via computer systems today, the process can be designed to enforce separation of duties and to continuously monitor systems and process execution to ensure this policy is followed.

Computing systems also can be used to stay on top of compliance to limit the chance that someone fails to do what they are supposed to do. Was a critical piece of maintenance performed on schedule? Has everyone who needed to sign off on a regulatory filing done so?

Managing risk is an ongoing process that must be defined, refined and re-examined regularly. Managing risk effectively means having ongoing discussions about risk, usually face to face. But IT is a critical piece of effective risk management. Technology can automate many aspects of risk management – separation of duties and identity management are two examples. Reporting systems can enable managers and executives to monitor operations more efficiently by reliably providing alerts, but only when a situation requires their attention.

One analytic technique that’s applicable to managing operational risks is predictive analytics, a subject I’ve covered in the past. “Predictive” does not necessarily mean that you can foretell the future; rather, this approach sifts through a lot of data, tells you if some key aspect of the business is behaving the way it should and alerts someone if it isn’t. Do order patterns signal a problem? If you can spot the negative trend on the fifth business day of the month rather than in the monthly review, you may be able to address the causal factors before you have a big problem. Predictive analytics can inform managers that they will need to add shifts or workers to address some supply chain snag that has developed.

Predictive analytics is a powerful tool that’s becoming increasingly accessible to many businesses. However, many companies face a fundamental issue: They don’t have the data. Our research shows a mixed picture. Participants were pretty much split on how easy it is to access and use the data necessary to measure and assess risk. About half (53%) took the middle ground, saying that it is neither easy nor difficult. Of the remainder, 24 percent said it’s easy or very easy and 19 percent said it’s difficult.

Companies are not completely ineffective in managing operational risks – only about one in five said they have ineffective operational risk controls for handling natural disaster, supply chain disruption, competitive threats, reputation loss, internal fraud and demand disruption. (I think this is because companies that have ineffective controls usually go out of business.) However, the data also shows that even fewer rate their risk controls as very effective. For example, only 15 percent assessed their controls for natural disasters as very effective, and just 12 percent rated their supply chain controls as very effective. The research shows that companies are least good at controlling the impact of demand disruption: More than one-fourth said their controls are ineffective while just 5 percent said they are very effective. Just 8 percent are very effective at controlling separation of duties and sources of internal fraud at an operational level. While most companies rate themselves somewhere in the middle, I think “very effective” ought to be the standard companies apply to their operational risk management. And the fact that a majority of organizations think they’re doing reasonably well in controlling operational risk is itself a risk. This sort of assessment typically leads to complacency and a lack of effort to improve operational risk management.

Managing risk intelligently is one of the key capabilities of successful organizations because it can deliver a competitive edge. Companies that are good at managing risk can make aggressive moves more prudently, spot negative trends faster and respond more quickly and effectively when disaster strikes. IT continues to be one of the main sources of innovation in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as intelligently as they should.


Robert Kugel – SVP Research


Written by Robert Kugel

Rob heads up the CFO and business research focusing on the intersection of information technology with the finance organization and business. The financial performance management (FPM) research agenda includes the application of IT to financial process optimization and collaborative systems; control systems and analytics; and advanced budgeting and planning. Prior to joining Ventana Research he was an equity research analyst at several firms including First Albany Corporation, Morgan Stanley, and Drexel Burnham, and a consultant with McKinsey and Company. Rob was an Institutional Investor All-American Team member and on the Wall Street Journal All-Star list. Rob has experience in aerospace and defense, banking, manufacturing and retail and consumer services. Rob earned his BA in Economics/Finance at Hampshire College, an MBA in Finance/Accounting at Columbia University, and is a CFA charter holder.