Getting Started
CIOs wanting to lift their game on operational risk need to start small and recognise they are embarking on a journey. Pleiter says banks, which operate almost as financial conglomerates and which find many different parts of their businesses regulated, have a head start in taking the learnings developed in those areas and figuring out how they can leverage those enterprise-wide."At the end of the day, where operational risk really fronts up, is the board room," Pleiter says. "What you're basically enabling the members of the board to do is to make informed decisions. If they're aware of all of the issues that relate to the ongoing nature of the business - and that's in people, process and technology - it enables the board then to make a strategic decision, which ultimately will affect the profitability of the business ability to run as an ongoing concern and by virtue of that, managing and mitigating operational risk.
Over the Wall
Operational risk is moving well out companies' walls as organisations look to increase operational efficiencies in their supply chains through increased transparency with partners. Arvind Joshi, COO of ICICI-Infotech, the spin-off of India's second largest bank, ICICI Bank, says that in supply chain partnerships risk is inherent."I think there isn't a lot of choice any more," Joshi says. "You have seen it in financial services, but even if you come outside of that you start looking at just basic manufacturing, in manufacturing a large amount of risk is between the buyers and suppliers . . . And CIOs are starting to take a look at things like ERP II which is adding partner relationship management to the core ERP product - extending them outside the enterprise and extending the enterprise to include the suppliers, so that a critical element of your operations is not impacted because of a wrong fact or a wrong communique on the telephone."
With such a high amount of risk riding on the supply chain, the CIO must be involved in ensuring relationships are tightly managed, that there is strong collaboration between buyers and suppliers and that information is available on the risks associated with doing business with individual suppliers.
The ultimate aim is a fully integrated risk management model where risk identification is tied to compensation of individual employees, and where shareholder value and operational risk are brought together. "And coming up with the results and actually being a lot more transparent with the regulators, that is the only way to drive it, because the cost of measuring and maintaining and determining operational risk is so high, that most industries will shy away from it unless they're forced to," Joshi says.
SIDEBAR: Waving the Red Flags
This column is written anonymously by a real CSO
Security can play a major role in ensuring the integrity of the organisation
There is bo Baldrige award for corporate integrity, but if there were, the security executives of this world would be among those with a bullhorn on the nominating panel. Or at least they ought to be.
I can't think of a role more attuned to the mission of overseeing risk than ours. In my view, no member of the corporate governance team is more qualified to deal with the key elements of oversight than the CSO. The security department can administer the programs required to assure the organisation's integrity, and the CSO is in a good position to be an advocate - an owner of sorts - of a variety of business-conduct policies. In addition, he can fill the role of adviser to top management on issues affecting the reputation of the enterprise.
Some would argue (and current governance movements underscore the notion) that it is the auditors, both internal and external, who are the logical overseers for integrity assurance. Not so. Audit is cyclical, and it is not meant to be an investigative function in the same way that security is. As a matter of fact, the corporate ethics or compliance department of an organisation may have input into security policy, but neither group would - or should - have the scope and reach of security.
How about the members of the human resources team? They certainly can participate as an employee advocate, but as a department, they lack the objectivity that security brings to the table.
No - at least as I see it - it is the security department that has the unique perch to see the cautionary signals that are a part of daily corporate life, and we're paid to understand that aspect of operational risk better than anyone else on the executive team. When corporate security provides its share of oversight and control maintenance in an organisation, it can see a variety of red flags that others don't.
Yet in all of the current commentary and debate on corporate scandal and wrongdoing, I've not seen one word acknowledging the CSO's - or even the corporate security department's - role in risk management. If you don't believe me, just do some research on corporate governance and see how many times you find a reference to the security function or the CSO as a member of the team. You won't, I promise.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.