Linking operational risk management to performance

By Richard Pike, Chief Product Strategist of ARC Logics™, a Wolters Kluwer business

In an increasingly volatile, high-stakes global marketplace, risk management has become a primary concern for executive decision-makers and corporate boards. Without a sufficiently thoughtful and forward-looking approach, however, risk management can amount to little more than trying to avoid yesterday’s operational problems.

Optimally, though, risk management should be a key enabler of improved near and long-term business performance.  That is, it should help ensure that all decisions regarding the avoidance, mitigation, transfer and acceptance of risk are well-aligned with the actual goals of the organization.

But one size does not fit all when it comes to risk management.  That’s why risk managers should consider applying different models for risk management to the different hierarchical levels of the organization where they are appropriate.

At the most basic operational level, for example, companies can build a catalog of their various business processes—and then measure the maturity of those processes using scales such as Capability Maturity Model (CMM).  Specific metrics, such as error rates and the maturity of change controls, can then be used to provide decision-makers with visibility into process risk.  Decision-makers can then use this visibility to prioritize remediation initiatives and track the progress of those initiatives across all of the company’s catalogued processes.

At a somewhat more strategic level, companies can define risk “appetites” for their various business objectives.  They can then develop scorecards for each objective that include key indicators by which they can measure current risks against defined risk appetite thresholds.  By monitoring these scorecards, decision-makers can ensure that the company remains within its risk boundaries.

This kind of discipline does more than help the company avoid various specific operational risks.  It also helps the company optimize allocation of resources, better execute its business plan and more effectively deliver shareholder value.

But even this approach is probably not strategic enough for companies seeking to grow aggressively and to transform market uncertainty from a management problem to a business opportunity.  After all, companies that develop differentiated ways of navigating uncertainty and change will gain a competitive advantage over those that continue to “play defense.”

It is at this level that companies should strongly consider embracing scenario-based risk management.  Scenario-based risk management looks beyond its internal processes and immediate transactional relationships to identify and consider the larger contextual variables that drive risk.  These contextual variables can include everything from geo-political trends and currency exchange rates to emerging technologies and climate change.

Scenarios essentially encourage companies to tell stories about the future—and to then assess the impact of forces beyond the control of the company on its current strategies, objectives and processes.  So, instead of managing risk exclusively as it may have existed last month, last quarter or last year, decision-makers can plan intelligently for the multiple possible futures the company faces.

Indicators can even be defined to evaluate whether any given scenario is becoming more or less likely.  These indicators can also be refined over time based on performance to further enhance the ability of the company to manage risk predictively, rather than reactively.

Ultimately, then, effective risk management can be understood as more than the ability to protect the company from this or that particular adverse occurrence.  It is instead the ability apply appropriate models to each aspect of the business—from the most elemental work processes to the most strategic market initiatives—so that decision-makers have visibility into all the factors that can potentially impact business performance, including the likelihood and degree of that potential impact.

This is obviously easier said than done—but it is also quite doable.  For one thing, we now have the modeling tools we need to measure risk factors such as process maturity and aggregate them quantitatively into balanced scorecards or other risk frameworks.  We also have the ability to present this data in intuitive dashboards so that decision-makers can quickly discern vulnerabilities and act accordingly.

These capabilities have emerged just in time.  Volatility and uncertainty have escalated to a point that is rendering traditional approaches to decision-making obsolete.  It therefore behooves corporate leadership to adopt new approaches to risk management—including the implementation of the kinds of multiple, hierarchically appropriate models outlined here—so that their organizations can thrive, rather than merely hope to survive, in today’s hyper-dynamic markets.

Richard is Chief Product Strategist of ARC Logics™, a Wolters Kluwer business. He served as Product Director of Sword (now part of the ARC Logics) and has more than 15 years experience in risk management and treasury IT.  He has analyzed, designed and managed the development of core risk management systems for large international financial institutions. Richard was recently chosen as one of the 50 most influential people in Operational Risk, by Operational Risk & Compliance magazine. He is a regular speaker and writer on risk management issues.

ARC Logics, a Wolters Kluwer business, is a provider of proven audit, risk and compliance software solutions, information and services that enable organizations to rapidly address evolving audit, risk and compliance issues. The organization’s prominent brands include: TeamMate, Sword and Axentis. Please visit our website for more information.

Other Resources from ARC Logics™ | Sword

ISO 31000: Using ERM to Chart a Safe Passage in Dangerous Waters
Is your Organization heading for the Iceberg or navigating safely? Join Michael Rasmussen from Corporate Integrity and Mike MacDonagh from Sword, part of ARC Logics, a Wolters Kluwer business as they explore how ISO 31000 can be used as a guide to implement enterprise risk management processes and principles.  Register for on demand webinar here.