Doing Things Right

By Seth Shapiro April 23, 2010

Ask just about any CEO what the first thing that comes to
mind is when hearing the words "risk management," and the response will
probably include phrases like "trading risk," "systemic risk" or something else
considered strategic. However, there is another, often overlooked discipline
within risk management that is increasingly capturing the attention of
shareholders and other stakeholders: operational risk. It lurks in every part
of a company, and when it comes to prudent risk management, overlooking
operational risk is perhaps the biggest mistake a CEO can make.

CEOs consider risk almost exclusively from a strategic
perspective. That is, they ask, "Are we doing the right things?" At first
glance, this seems to be a reasonable approach. But it fails to adequately
address operational risk, which encompasses the risk of loss caused by
inadequate or failed processes, people and systems, and by external events. The
way to address operational risk is to ask another, equally important and
inextricable question: "Are we doing things right?"

Take, for example, the notion of consumer privacy and data
management. The common strategic position is, "We protect customer data and
information." But without an operational plan focused on how to do it right,
that strategic intent begins to look more like a liability. What operational
measures have been taken, for instance, to prevent a disgruntled employee from
e-mailing a confidential spreadsheet containing personal data to a Hotmail
address?

Likewise, look at Toyota's strategic (and historic)
reputation for great quality and reliability. Yet recently, operational risk
reared its head in quality assurance and manufacturing faults that had gone
unaddressed. The resulting crisis not only significantly damaged the company's
bottom line, but also tarnished its hard-earned reputation as the paragon of
quality and reliability.

Another area where firms must pay close attention to
operational risk is supply chain management. In the food industry, several
businesses have recently had to recall products after receiving tainted or
unsafe food from one or more suppliers, resulting in significant costs and
liability, lost revenue and a sharp decline in trust among consumers.

All these scenarios demonstrate that the real foundation of
prudent risk management is to integrate and balance approaches to operational
risk management with those focused on strategic risk. Unfortunately, for many
organizations, this is more easily said than done.

Why? Because operational risk does not enjoy the same mature
and developed risk models typically used to assess market and credit risk.
Operational risk lurks in many different parts of an organization, and is
further complicated by the typical challenges of communication across any
organization.

So, what's a CEO to do? First, make it imperative for each
segment of the firm to conduct a risk assessment. Involve people from all parts
of the business and those with intimate knowledge of operations. Identify what
could go wrong, how to prevent it and how to recover from inevitable,
unavoidable operational risk events. Your goal should be a comprehensive risk
plan for each division or line of business.

Second, the CEO should break down the silos in management
in order to identify potential risks that run across different divisions or
even different personalities among a company's leaders.

Last, but not least, once the risk assessments are complete,
it's critical to think seriously about tolerance for risk. Risk assessments are
just that: portraits of what could go wrong, how much it could cost and how
controls can be employed to reduce the risk. But minimizing risk costs money. A
company can't fully address the costs of mitigating operational risk without
identifying its overall tolerance for risk. Unfortunately, a model hasn't been
invented yet to calculate it.

Therefore, it falls to the CEO, the executive team and the
board to apply their experience, skills and awareness of stakeholder
expectations to set risk limits as well as to design and implement a risk
control framework, including operational risk, consistent with these
established limits.

Seth Shapiro is a senior vice president and risk
strategist at Kibble & Prentice.
