CIO

If IT's a Crapshoot: How Much Are You Willing to Risk?

Operational risk is moving well beyond companies' walls as organisations look to increase operational efficiencies in their supply chains through increased transparency with partners.

There's a common thread that runs through the 1984 Bhopal chemical factory disaster, the rogue trading of Nick Leeson a year later, the collapses of Ansett in 2001 and HIH in 2002, and the mass recall that recently engulfed Pan Pharmaceuticals.

No, it is not just that they all made it to the top of national news agendas and stayed there for weeks or months as the reputations of the affected companies got serially hammered. They are also all stark examples of gross failures in operational risk management.

The notion of operations risk has had currency since the Committee of Sponsoring Organisations of the Treadway Commission (COSO) coined the term in 1991. Nick Leeson kicked it along in spectacular manner after his rogue trading activities caused the collapse of Barings Bank, and he has been a poster boy for advocates of operational risk management ever since. But now CIOs in a range of industries are being forced to take operations risk seriously, pushed along by the June 1999 reforms of the Basel Committee on Banking Supervision requiring banks to reserve capital to cover their operational risk exposure and fostered by the new sense of vulnerability exposed by the September 11, 2001 terrorist attacks on New York and Washington.

"I think operational risk has always been there, but for financial services in particular [September 11] brought home that things happen that can severely disrupt the business," says Kevin Pleiter, industry leader, financial markets/risk and compliance, consulting services, IBM Global Services. "Managing risk ultimately comes down to your obligations to your shareholders, and at the end of the day, it's your obligation to shareholders to demonstrate that the business that you run is sustainable, and that the profitability of the company is sustainable."

But having recently relocated to Australia after 10 years in the UK and US, Pleiter is highly critical of the "naivety" of the many Australian businesses which have proven slow to accept that a September 11 or any other catastrophe could happen here, and says the response of many businesses has been far too reactionary. The Australian Prudential Regulation Authority (APRA) has made it clear that operational risk, major IT projects, strategic outsourcing and many other major impacts on the operation side of the business will be a keen focus into the future, and CIOs have to adjust to that fact.

Too many organisations have their "heads in the sand", Pleiter says, and whether it's based on ignorance or avoidance (or both) it's dangerous because ultimately "operational risk and the catalyst to actually do something shouldn't be a reactive thing".

He says although it is hard to point to companies doing a good job on operational risk, there has been a revolution in thinking, at least in the financial services companies, where there is growing internal awareness of the value in focusing on operational risk. But he says progress will not really be made until organisations undergo a cultural change where lines of business begin to realise that good operational risk management is good business - not just from the standpoint of their reputation, but also for operational efficiency reasons.

"It's a journey that certainly has a long way to go, but from some of the discussions that we've had most recently, we're starting to see that there is certainly some decent degree of encouragement. I think people that are championing it internally within organisations are certainly becoming very encouraged by the simple fact that some of the understanding and the change that is necessary is starting to happen, because the knowledge is being built up, the intelligence internally is being built up, which is then enabling people to make those decisions."

Basel's Brush

The Basel Committee defines operational risk as: "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events".

Computerworld recently reported spiralling compliance costs were compounding the pressure on Australia's financial services sector to set a risk management methodology under the New Basel Capital Accord (Basel II) by the end of this year. "Australian Basel II experts estimate it will cost banks, insurers, trust fund managers, some commercial real estate providers and other financial institutions between $90 million and $140 million each over the next two to three years to establish a satisfactory risk profile under Basel II," the report says.

Banks, which must be compliant by 2007, will need to build up databases, reporting systems and integration technologies such as extraction, transformation and loading technologies to take advantage of proposed risk management standards.

Potential operational risks are many and varied, ranging from computer failures, lax procedures and human error to accounting mix-ups, IT systems failure and Trojan horse attacks. In fact, any risk that is not credit risk or market risk can be defined as an operating risk, and the potential hazards seem to be growing in complexity even as at least some organisations begin to buckle down and take the issue seriously.

In the IT area, security breaches, piracy, fraud, major system failures and computer viruses can all be classified as operational risks. And although all organisations have always been subject to political risks, the events of the past two years have forced a new appreciation of the need to assess and deal with geopolitical risks that are largely beyond their control. That need is fast becoming a necessity.

"The obligation from an operational risk standpoint is to make it very, very clear to your shareholders that the governance framework that you have in place gives you an opportunity not only to understand and measure the risk that you have, but you also have a framework for management of risk," Pleiter says.

B@nkFin Consulting managing director Bryan O'Connell says driven by - but no longer confined to - the financial industries, operational risk has grown in importance as banking has shifted over time to become a much more complex business. Managing a business today requires many more skills from both middle and senior management than were demanded in the past, and some organisations are rising to the challenge.

"I think there is a lot more sophistication applied to risk management," O'Connell says. "If you look for instance at the way in which banks look at their risk management profile, both their customers and also the industries that they operate in, they're using a lot more of their resources internally, both their economic resources and their credit resources, to focus on giving a much more sophisticated analysis of risk these days."

The increased focus has led to banks and other organisations closely examining their processes and systems and has encouraged them to categorise the various sectors of the economy and develop risk profiles and guidelines in relation to each vertical segment, O'Connell says.

That is a little bit easier in the banking industry than in some other industry sectors, because banks have a vast amount of historical data to turn to in developing risk profiles, but even so the problems in making progress can be huge. For instance, in 2002 the Operational Risk Loss Data Collection Exercise (LDCE) asked participating banks to provide information on individual operational losses during 2001, internal capital allocation for operational risk, expected operational losses, and a number of exposure indicators tied to specific business lines. Overall, the combined data for the 89 participating banks included more than 47,000 individual loss events. Yet gaps in data collection mean even this vast collection of data fails to give any comprehensive sense of the range of potential operational risk loss events experienced by banks.

Whatever the complexities, assessment of operational risk is becoming an important weapon in the CIO armoury, particularly in the US. The Kingson Group is experienced in assessing operational risk for large IT projects and is directly involved in the identification, measurement, prioritisation and management of all types of risk using enterprise risk management (ERM) tools and processes. At one corporation, president and CEO Gary Bierc used ERM processes to jump-start an SAP installation, assess the risks and develop strategies to manage them and ensure the SAP project was brought in on time and was effectively achieving its objectives.

"It is our perspective that risk is anything that will impact the achievement of objectives including in the operational area, both threats and opportunities," says Kingson Group managing director Mary Jean Herron. "A very effective way to handle risks is to use an enterprise risk management approach, which is an integrated process that enhances the ability to achieve objectives by identifying, measuring and responding to risk.

"Unless you understand the objectives of the CIO and of the corporation, you do not understand the risks that they are facing. Once you have identified the major risks, measured their potential impact and prioritised them based on how they will impact your objectives, you can then assess what is the best tool or process to mitigate the risk or take advantage of the opportunity."

Employee Pitfalls

According to Simon Walker, a director of US-based consultancy Clynes Hales Walker, CIOs should be constantly considering the way the environment is changing and their responses to that change. There are too many old school CIOs who remain far too focused on hardware and software, and not nearly enough on people issues, he says, in a world where too many employees are more loyal to their own career prospects than to their company. And increased use of contractors has also vastly increased operational risks, he says.

"For operational risks you need to screen employees as much as screen software for viruses. The internal threat of disgruntled employees stealing intellectual property and maliciously tampering with data and that type of thing is a much higher risk these days than software failure," Walker says. "The profile is all changing and the CIOs have to keep up to date with the changing profiles. It's a matter of continual education . . . There is no finish line, you just have to continue studying throughout your career, and keeping up to date.

"There are huge risks if you outsource too far - as some organisations I suspect may - and outsource [technology development] so that the external organisation holds your intellectual knowledge. Then if that company goes belly up you have suddenly lost all your intellectual knowledge, through no fault of your own."

Pleiter says when it comes to the measurement of risk, the more CIOs can begin to articulate back into the business an understanding of where the risks lie then use models to quantify those risks and generate leading indicators to events that appear to correlate with losses, the better management will be informed about those risks. It is that knowledge they need to begin making informed decisions, and which will ensure those informed decisions take into account the necessity to mitigate operational risk.

There is technology to help. Aberdeen Group believes organisational size and digital complexity now often mask the linkage between a business decision and its operational consequences. As a result, even the most brilliant decision makers are unable to grasp the full impact of their choices without technical assistance.

"Although business has always been intricate and cross-functional, only a few aspects were truly unpredictable. Contrast that with the daily instabilities of today's big business: fluctuations formerly reserved for international currency markets now pervade the day-to-day activities and well-established relationships of commerce," a recent Aberdeen white paper says.

"Against this backdrop, a new technique, corporate performance management (CPM), promises to deliver the perceptiveness and agility managers require for effective decision making. CPM presents managers with an integrated, analysable view of the entire enterprise. To balance the enterprise and prevent operating units from clashing, CPM uses metrics and key performance indicators (KPIs), underpinned with analytics, to calibrate management actions with broader enterprise strategies. CPM unabashedly borrows the best concepts from management theory, injects causality into the Balanced Scorecard, and gives decision makers an analytic lens into strategic decisions."

Aberdeen Group believes attaining excellence under CPM will require an amalgam of new and existing technologies, both of which are analytic and transactive in nature. On the plus side, it says CPM is accretive; each technical building block increases the value of each of its predecessors. CPM is flexible; the methodology can absorb small-, medium- or mega-doses of technology, depending on the company's available resources. And CPM promises to be a boom market. Aberdeen expects CPM-related spending to near $US5 billion by 2005.

Covering the five disciplines of CPM - corporate objectives, accounting, reporting/analysis, prediction and optimisation - the Aberdeen white paper says CPM requires a corporate culture and technical platform that presents workers with the business and financial import of any action. Helping the enterprise to observe and balance the actual with potential short- and long-term effects of decisions, CPM can boost a corporation's financial and operational performance by:

  • Creating corporate and market knowledge - using scenario-driven analysis, metrics, KPIs and optimisation techniques to discover the most efficient use of capital resources, including cash, people, material goods and intangibles

  • Increasing the quality of business decisions - providing role-based information that employees at each operating unit and level can use to understand the financial and operational consequences of possible courses of action

  • Reinforcing common goals - adopting a common internal language to ensure that the corporation coordinates its tactical decision-making processes with overall enterprise strategies.

Getting Started

CIOs wanting to lift their game on operational risk need to start small and recognise they are embarking on a journey. Pleiter says banks, which operate almost as financial conglomerates and which find many different parts of their businesses regulated, have a head start in taking the learnings developed in those areas and figuring out how they can leverage those enterprise-wide.

"At the end of the day, where operational risk really fronts up, is the board room," Pleiter says. "What you're basically enabling the members of the board to do is to make informed decisions. If they're aware of all of the issues that relate to the ongoing nature of the business - and that's in people, process and technology - it enables the board then to make a strategic decision, which ultimately will affect the profitability of the business' ability to run as an ongoing concern and by virtue of that, managing and mitigating operational risk."

Over the Wall

Operational risk is moving well beyond companies' walls as organisations look to increase operational efficiencies in their supply chains through increased transparency with partners. Arvind Joshi, COO of ICICI-Infotech, the spin-off of India's second largest bank, ICICI Bank, says that in supply chain partnerships risk is inherent.

"I think there isn't a lot of choice any more," Joshi says. "You have seen it in financial services, but even if you come outside of that you start looking at just basic manufacturing, in manufacturing a large amount of risk is between the buyers and suppliers . . . And CIOs are starting to take a look at things like ERP II which is adding partner relationship management to the core ERP product - extending them outside the enterprise and extending the enterprise to include the suppliers, so that a critical element of your operations is not impacted because of a wrong fact or a wrong communique on the telephone."

With such a high amount of risk riding on the supply chain, the CIO must be involved in ensuring relationships are tightly managed, that there is strong collaboration between buyers and suppliers and that information is available on the risks associated with doing business with individual suppliers.

The ultimate aim is a fully integrated risk management model where risk identification is tied to compensation of individual employees, and where shareholder value and operational risk are brought together. "And coming up with the results and actually being a lot more transparent with the regulators, that is the only way to drive it, because the cost of measuring and maintaining and determining operational risk is so high, that most industries will shy away from it unless they're forced to," Joshi says.

SIDEBAR: Waving the Red Flags

This column is written anonymously by a real CSO

Security can play a major role in ensuring the integrity of the organisation

There is no Baldrige award for corporate integrity, but if there were, the security executives of this world would be among those with a bullhorn on the nominating panel. Or at least they ought to be.

I can't think of a role more attuned to the mission of overseeing risk than ours. In my view, no member of the corporate governance team is more qualified to deal with the key elements of oversight than the CSO. The security department can administer the programs required to assure the organisation's integrity, and the CSO is in a good position to be an advocate - an owner of sorts - of a variety of business-conduct policies. In addition, he can fill the role of adviser to top management on issues affecting the reputation of the enterprise.

Some would argue (and current governance movements underscore the notion) that it is the auditors, both internal and external, who are the logical overseers for integrity assurance. Not so. Audit is cyclical, and it is not meant to be an investigative function in the same way that security is. As a matter of fact, the corporate ethics or compliance department of an organisation may have input into security policy, but neither group would - or should - have the scope and reach of security.

How about the members of the human resources team? They certainly can participate as an employee advocate, but as a department, they lack the objectivity that security brings to the table.

No - at least as I see it - it is the security department that has the unique perch to see the cautionary signals that are a part of daily corporate life, and we're paid to understand that aspect of operational risk better than anyone else on the executive team. When corporate security provides its share of oversight and control maintenance in an organisation, it can see a variety of red flags that others don't.

Yet in all of the current commentary and debate on corporate scandal and wrongdoing, I've not seen one word acknowledging the CSO's - or even the corporate security department's - role in risk management. If you don't believe me, just do some research on corporate governance and see how many times you find a reference to the security function or the CSO as a member of the team. You won't, I promise.

Connecting the Dots

"I was so busy, I never saw it coming!" This from the line manager who's just fired an employee for misconduct. With downsizing, rightsizing and "doing more with less", the velocity of business dealings often masks control weaknesses.

But given the dynamics of risk in the world today, can anyone reliably claim that their organisation has bullet-proof safeguards around the assets that contribute to shareholder value? I doubt it. Most corporations have a limited knowledge of risk because the risk analyses they do are insufficient to uncover key vulnerabilities.

Yet if a company isn't doing effective risk analysis, it will have to assume it has exploitable vulnerabilities. (I highlight exploitable because risk is increased as vulnerabilities become known to an increasingly large group of knowledgeable, trusted and empowered insiders.)

Security is in a position to see such weaknesses in its investigative findings and should influence managers to pause and understand the risks we are all charged with monitoring. In fact, we have a fiduciary obligation to ensure such vulnerabilities are addressed at a sufficient level to deter opportunity. That dictates one part common sense and three parts due diligence.

Got Supervision?

First-line managers are the key to maintaining a climate of integrity and effective risk management. Even when top management makes its commitment to integrity clear, the action is in the trenches. Unless supervisors are risk-aware and work within an accountability model that makes their roles clear, they are not likely to be part of an effective system of controls.

Beyond the internal supervision, outsourcing and offshore relationships are also integral parts of the competitive environment. Yet we are increasingly assigning high-risk jobs to individuals or vendors about whom we know very little or nothing. Our relationships with these outside organisations need to follow our integrity model - we must insist that they apply the same standards of ethical expectations to themselves as we do to our own organisation. Easy to say, but not so easy to do.

Where is the CSO's role here? Think back to the "I-was-so-busy-I-never-saw-it-coming" guy. "Look," he says, "it's your job to give us a heads up! You guys in security may see this stuff as a routine part of your job, but I've got a committed team here busy working 24x7, and we didn't have a clue."

If your culture shoots the messengers of bad news, don't be surprised when various managers - even those who have been diligent enough to have "seen it coming" - may clam up when concerns are aroused. Explore this issue in your organisation. You'll probably discover that a lack of notice is more indicative of a climate of fear or wagon circling than anything else.

Then there are the interesting places we find ourselves housing critical business processes. We are working in very complex global and technical environments. We depend on global data networks and dispersed computing environments that live within very risky local infrastructures with differing standards of care. While it is recognised that a resilient recovery strategy is essential, don't forget that the cultural issues around corporate hygiene can land you on the front page of The Australian Financial Review or The Wall Street Journal faster than you can say "scandal".

And then there's honesty. It's acknowledged that the "honesty quotient" within our workforce has declined during the past few decades. Don't argue with me - the evidence is everywhere. Effective background investigations, however, will screen out the most serious threats.

On the Radar

If you think the rank and file doesn't watch to see how the stars get treated when they trip and fall, you're fooling yourself. And the whole process of integrity administration is up for question. It's great that security folks are learning new things and passing that information along. But at the end of the day, the CSO needs to translate into a clearly articulated set of expectations the view from the top. And that needs to be reinforced by equally consistent applications.

The CSO should manage a formal takeaway process from every internal misconduct or criminal incident. If you have no plans for doing post-incident analysis and sharing lessons learned, your organisation is destined to repeat its mistakes.

What would you think about a business unit that had either multiple or a broadly based misconduct experience that combined little or no risk analysis? What if it failed to pay attention to security recommendations on background or due diligence findings? What if it didn't participate in post-incident learning efforts or failed to hold managers accountable for problems on their watch?

That's why it's important to have a governance team. That's where it's important to connect the dots.

Security and other inputs from colleagues on the governance team provide a vibrant picture of health and hygiene in the company. A quarterly interchange between human resources, security and internal audit on issues within specific risk-ranked business units can yield a synergy - you know, that 1+1+1=4 thing - on assessing the adequacy of applicable controls and influencing the audit plan. When presented as a collaborative give-and-take exercise with no surprises, the result can be very positive in terms of the relationship as well as in the measurable improvement of issues of concern.

And where proactive doesn't work, maybe the courts can help get attention.

So, where does this bring us?

First, it argues for creating a role for the chief security officer that encompasses a 360-degree view of the operational risk environment. It means letting the CSO serve as a peer with the other members of the senior corporate governance team. The CSO's ability to connect the dots within his scope, resulting in a perspective unique to the management team, is an asset that cannot be missed in these risky times. Second, it argues mightily for a CSO with clear strategic and operational accountability for the full scope of security functions.

OK, so there is no Baldrige Award for Corporate Integrity. But there is a booby prize: If companies don't pay attention to ethical behaviour, they'll reap their rewards with a lack of shareholder confidence and customer defection.