Monthly Archives: August 2013
You may be asking how anyone can make such a bold statement without knowing the details of your specific risk program. Actually, I know more about your risk program than you realize and that’s why I know it’s failing. I also know that as much as 55% of the cost of all risk programs is wasted! And more importantly, I can prove it.
Let me demonstrate: Your risk program (audit, risk management, compliance, ethics, IT and governance) is risk-based. You have assessed your risks and mapped your controls accordingly. You have policies and procedures tied to risks and associated internal controls and you monitor the effectiveness of controls on a periodic basis and provide some form of risk reporting using key risk indicators and metrics. You can effectively articulate the three lines of defense of your risk program.
Independently, internal and external auditors test your controls and you have created some form of management certification to demonstrate that management has signed off on the attestation of the operation of the effectiveness of these controls. In some cases, you use a combination of off-line and online systems to track the operation of your various risk program activities. You use one or more risk frameworks as a model for the operation of your risk program.
Some firms have augmented their program with Six Sigma and other quality control measures. Depending on the level of detail in your organization you have documented hundreds, no thousands, of controls and created heat maps, workflows and graphs to justify the millions of dollars spent on staff and other resources to monitor compliance of your controls.
Where required by regulatory mandate in your industry (Basel, FINRA, SEC, HIPAA, or some other governmental or quasi self-regulatory agency), you may be required to measure or quantify risk capital in the event of losses in your operations or protect against financial fraud. You may even have advanced governance programs in place with risk committees, detailed reports to the board of trustees, and various board level committees focused on risk management. You have satisfactorily passed regulatory review and internal and external audit examinations.
These practices are confirmed in industry conferences, training programs and are included in a variety of skills certification courses. Risk professionals across all highly regulated industries globally say this is what they do with some variation of sophistication noted, yet something is missing.
The vast majority of these programs are failing!
This is a troubling development given the increase in global competition and rapid advancements in technology. The cost of failure is significant and rising! So what is the problem?
Before I tell you why your program is failing please answer the following questions about your program:
1. Do you use Probability or Likelihood versus Impact (or a similar variation) to assess and/or measure risks?
2. Do you use Risk and Control Self Assessments or operational self-assessments to measure risks?
3. Do you use surveys, interviews, or some other questionnaire to assess or measure risks?
4. Does your risk assessment program or processes frequently tell you something you didn’t ask it to tell you?
5. When you evaluate risks does it include a range of outcomes for each risk event with probabilities and confidence levels assigned to each outcome?
6. Do you maintain a dynamically updated stochastic library or database of risk incidents that can be used to run scenarios of statistical inference of risk?
If you answered yes to the first three and no to the next three questions your risk program may be failing to detect risks that are buried out of sight!
Here is why! If your risk program fits the descriptions above it has been designed to assess and measure uncertainty, not risks. The vast majority of risk programs are designed to assess the likelihood of an event that might occur!
There is a fine distinction made between a Risk and an Uncertainty. We know a Risk because it has been made tangible. The impact of a risk is recognizable by others even if one has not personally experienced it. However, each of us may perceive the same risk differently yet there is an understanding of the need to address it.
Uncertainties are harder to pin down. Hurricanes are a frequent occurrence and we know the risks BUT we don’t know what the actual impact will be, where the most severe damage will occur and there is little you can do but prepare the best you can. Fortunately, because of the risk of hurricanes we have learned to model their behavior to reduce the loss of life.
The tools that are used in risk programs to conduct the evaluation of uncertainty are subjective educated guesses with low statistical value because uncertainty is arbitrary and random by definition. In other words, uncertainty is nearly impossible to measure with accuracy.
On the other hand, risks are measurable. An operational loss or business disruption can be quantified. The frequency of a risk can be calculated and modeled with some degree of confidence, if historical patterns remain intact. Risks can be reduced to more acceptable levels, providing opportunities to save the firm money and improve operations. However, risks cannot be eliminated entirely, yet the choices a firm makes for dealing with risks determine the success or failure of a risk program.
So why do nearly all firms spend 55% or more of their time assessing uncertainty? Wouldn’t the millions of dollars lost attempting to measure what might happen be better spent reducing real risks? Of course it would, but there is an insidious reason that risk professionals and business leaders avoid making the necessary changes to dramatically improve the odds of success in their risk programs. FEAR!
Plain and simple, we are afraid of uncertainty and the factors of surprise it entails. Uncertainty is hard to explain to management and it is even harder to justify why it happened on your watch. We have learned from behavioral scientists that losses loom larger than gains, which means that we are willing to spend $0.55 of every dollar to try to avoid uncertainty, rather than keep these savings and reduce risks.
It seems irrational to spend so much money assessing an immeasurable outcome but it is part of a phenomenon called intertemporal choice. Intertemporal choice is the process each of us uses to make decisions. It explains why we spend more time planning our vacation activities than saving for retirement. Or why we are willing to take $100 today rather than $125 one year from now.
Intertemporal choice also explains why our risk programs are failing. It is safer, we assume, to do what everyone else is doing and take comfort in the fact that it is called a best practice.
What’s needed? Robust diagnostic tools and education!
Medical doctors would be liable for medical malpractice if one common prescription is used to remedy all health risks. Likewise, risk professionals must develop a robust set of diagnostic tools to learn more about the real risks that exist in their business. The patient is the organization and it “presents” symptoms that send signals about the underlying risks.
Advancements in diagnostic tools and processes have accelerated in recent years and risk professionals must begin to become more familiar with how they work and can be used in their business. This is where education plays a significant role. The history of data science is still evolving but is critical to building sustainable and robust risk programs. As risk professionals become more comfortable with a range of diagnostic tools these processes can become operationalized and incorporated into business processes.
Until these tools and processes are in place, risk professionals should begin to discuss the practical steps a business can take to better understand what is known and not known about risks. This is a journey, not a one-shot process!
Uncertainty can also be modeled but not with precision. We must admit with humility that risk professionals are human and cannot see around corners. At least not clearly! When we reach the boundary of our understanding of risk and uncertainty caution is required. The proper use of data, diagnostic tools and education is enhanced where corporate culture is supportive of the learning process.
No one has solved uncertainty but you can benefit from it if you take measures to understand what you don’t know. Take Jeff Bezos’ purchase of the Washington Post.
Bezos has confounded his competitors since the launch of Amazon.com. There is a great deal of speculation about what Bezos plans to do with the Post. Only Jeff knows for sure but he has taken the strategic use of uncertainty to an art form and created one of the truly great organizations in America.
Special thanks to Jerry D. Norton, Partner with Candela Solutions, a CPA firm targeting Governance
Experts Reveal How Developing Operational Risk Tools Minimizes Operational Losses
(Note: The views expressed in this interview are those of Ger Jan Meijer and are not necessarily representative of, and should not be attributed to, Citco Fund Services (USA) Inc.)
Proactive action results in fewer regulatory fines and improved public confidence and trust
Operational risk management has evolved from the simple calculation of capital requirements to a proactive, holistic approach. This new strategy ensures that operational risk managers maintain their organizations’ profitability and brand reputation. In fact, recent financial scandals revealed that operational risk can result in incredible losses that many organizations can sometimes never fully recover from.
According to Ger Jan Meijer, Director of Operational Risk Management for Citco Fund Services (USA) Inc., there are several key steps that all organizations must take to develop a holistic approach to operational risk governance. Meijer will speak about operational risk at the Global Financial Markets Intelligence (GFMI) Proactive Operational Risk Management Conference, September 9-11 in New York.
“Companies need to take risks to create value and manage risks to protect value,” Meijer said. “The challenge is to find and keep a good balance between risk and reward in a fast-changing and increasingly complex environment. Companies have to deal with new technologies, more regulations and even new disaster scenarios because of climate change. You need to find the risk before it finds you.”
Meijer pointed out that organizations must prepare for many types of operational risk, including:
· Internal Fraud: misappropriation of assets, tax evasion, intentional mismarking of positions and bribery.
· External Fraud: theft of information, hacking damage, third-party theft and forgery.
· Employment Practices and Workplace Safety: discrimination, workers compensation, employee health and safety.
· Clients, Products, and Business Practice: market manipulation, antitrust, improper trade, product defects, fiduciary breaches and account churning.
· Damage to Physical Assets: natural disasters, terrorism and vandalism.
· Business Disruption and Systems Failures: utility disruptions, software failures and hardware failures.
· Execution, Delivery, and Process Management: data entry errors, accounting errors, failed mandatory reporting and negligent loss of client assets.
“I believe that the Basel II event type categories are still a good starting point for an initial risk assessment,” Meijer said. “However, every organization has its own risk profile with different vulnerability levels for each category of risk.” Meijer also pointed out that the most commonly overlooked operational risks inside an organization are those related to silos. “Silo mentality can result in a lack of understanding of operational risk as a driver for other risk types or could result in not identifying certain operational risks due to not fully understanding the entire process and interdependencies.”
This is the exact reason why Meijer emphasizes the importance of risk managers following a cross-silo (holistic) approach, which includes integrating the following strategies into their plan:
· Developing an organizational-wide view of operational risk, including determining the organization’s risk appetite.
· Designing and implementing a single, unified governance risk and compliance framework to identify, assess, mitigate and manage (monitor) risk.
· Developing systems to manage operational risk across different business units.
· Producing robust operational risk policies.
· Developing operational risk control matrices and risk reporting.
“It is not easy to objectively measure the added value of an effective operational risk management program,” Meijer explained. “However, certain statistics and trends can prove added value and success of an effective operational risk management program, e.g., incidents, KRI and KPI levels, client satisfactory surveys, audit findings and exit interviews.”
As a speaker at the 2013 GFMI Proactive Operational Risk Management Conference in New York, Meijer looks forward to hearing from his risk management colleagues with other organizations about their challenges. “Operational risk management is a relatively new discipline and still in development,” he said. “I’d like to get new ideas about how to further develop the risk management framework within my current organization.”
The GFMI Proactive Operational Risk Management Conference will take place in New York, September 9-11. For more information, visit the Proactive Operational Risk Management Web page or contact Tyler Kelch, Marketing & PR Coordinator, GFMI at 312-540-3000, ext. 6680 or firstname.lastname@example.org.
About Global Financial Markets Intelligence
GFMI is a specialized provider of content-led conferences for the financial markets. Carefully researched with leading financial market experts, our focused quality events deliver key bottom-line value through targeted presentations, interactive discussions and high-level networking opportunities.
TheGRCBlueBook mission is to become a global risk and compliance community site and resource portal for sharing best practice across all highly regulated industries. A one stop source for all things risk and compliance related.