The ugly stepchild
Wikipedia defines operational risk as “the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses”. (https://en.wikipedia.org/wiki/Operational_risk_management)
The Wikipedia definition of Operational Risk Management (ORM) captures it (sadly) all too well: “The term operational risk management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events. Unlike other types of risk (market risk, credit risk, etc.) operational risk had rarely been considered strategically significant by senior management.” (https://en.wikipedia.org/wiki/Operational_risk_management)
Enter stage left: a plethora of very practical and very real non-financial, non-compliance-based risk events that are, and have been, rocking the collective corporate world, regardless of the size of the enterprise. A huge metaphorical chasm opened up as a global economic crisis and its fallout, together with our own socio-economic and political challenges, deepened the disparity between the traditionally administrative approach to ‘governance, risk and compliance’ and the very big question about the huge juvenile elephant in the room: who is going to actually, practically and physically do something about it, and what? Nothing fitted into the pre-drafted corporate compliance checklists any more.
Then, like a dark spectre of metaphysical tsunami-like proportions, the world is gripped by the effects of wave after wave of the horrors and impacts of a global pandemic… Across the globe, men and women in corporate crystal towers and titanium corporate silos suddenly have to breathe the infected air of cracked facades and crumbling kingdoms. Much like trying to drive a one-of-a-kind, high-performance, bespoke sports car on an unmaintained gravel road somewhere in the Karoo…
In the last few weeks I saw a mass of mid- to supervisory-level managers fervently dashing about to get things in place by any and all means, ‘making a plan’ on the fly to put practical copy-cut-and-paste policies and procedures in place to deal with the COVID-19 outbreak and the subsequent lockdown. Everyone had to become an operational risk manager instantaneously, by hook, crook, or copy-cut-and-paste. But this was nothing new; we are specialist firefighters, not fire-proofers.
There is a very real world out there, that must be faced and practically dealt with. Someone has to get very real about things.
Outcome: Drag in the unloved-red-haired-bastard-stepchild called operational risk management. Mostly a temporary function; sadly, rarely a person.
“He is a strange one, that one…” There is no decorum (good manners aside). Given the chance and the platform, he comes straight at you. He questions and probes and pokes everywhere! No modesty or consideration for sensitivities. He simply, and quite unseemly, tackles the “most complex” sensitive issues with no consideration for the owner, their position or any sensibilities. Weakness? He sniffs it out. Dissects it. Shoves it in your face: “See there? That’s the bloody problem! What arse decided to bloody do that?!”
“Yes, yes, we understand and see your point … but there is simply no budget for it,” are the murmurs around the boardroom table after hours of ‘getting real’ about it. “And really, what are the chances of that actually happening? We cannot gear for everything. It’s impossible.”
The spectre of risk convergence
In the last decade, non-financial risk management (operational risk management) has grown organically in importance, scope, complexity, intricacy and dimensionality. This holds true for the various disciplines that are inside the enterprise today: IT, cybersecurity, supply chain, ethics and conduct, operational management, business resilience, business continuity, financial management, compliance management, security management, OHS management, facilities and infrastructure management, etc.
These disciplines, organisationally, are operated in silos. No matter who tries to put whatever new-age, contemporary management spin on this. That’s how it is, period.
The biblical ‘Left hand not knowing what the right hand does’ is much more prominent in corporations than in any church out there. That’s the reality. The reason: egos and tradition.
The silo approach has blatantly resulted in both ineffectiveness and inefficiency. However, the very real spectre of risk convergence in the past decade has been instrumental in:
(a) Exploiting that, and
(b) Pointing out the glaringly obvious.
It is no longer a question of ‘if they come together,’ but rather ‘when they come together’: risks across these disciplines merge and, in mere minutes, turn into that proverbial Finger of God tornado that indiscriminately tears all decorum and corporate hoohah to shreds and brings an enterprise to its knees.
Egocentrically, the standard excuse has always been that such an incident had been ‘the storm of the century,’ when in reality it had been brewing and flaring up for decades. The reality is that, across enterprises, this phenomenon has now become part of the daily landscape. That ‘one-in-a-hundred-years storm’ (like COVID-19) merely drags the issues unceremoniously into the light. It had always been there, growing, moulding, expanding, flaring – being kept in check by the excellent, well rehearsed corporate ability to firefight and deal with it once it ‘eventually’ does happen. And now it did, and now it does.
Outside of the administrative realm of traditional GRC (governance, risk and compliance), in a mostly (if not purely) financial risk management discipline, risks are dealt with as follows:
Sweepingly: As in ‘under the carpet’. Operational risk management requires an unfettered and very raw approach to really look under the hood. A lack of true leadership has removed the tolerance for making any mistakes and learning from them.
Corporate culture is a punitive culture. Recognising and learning from mistakes is excluded for fear of a culture in which mistakes will be made too often. The outcome is a culture of covert cover-ups and quietly ticking time bombs (which will normally explode when the person is three jobs along, leaving a poor sod – who just did not want to rock the boat – to deal with the fallout). Not knowing or understanding is regarded as a weakness that could be exploited by detractors. So we fake it till we make it.
Dismissively: Humans do not like to deal with risk. We don’t like looking for it. We don’t like facing it. We don’t like considering the potential impact. We don’t like the absolute terror and overwhelming sense of doom that it stirs once found and assessed. Yet there it is. So, what do we do? Suddenly, very low likelihood and probability ratings are fictitiously assigned in order to dismiss it and so avoid having to deal with it – or, even worse, having to get someone from the outside to assist us. Heaven forbid.
One of the best demonstrations of this principle, as it applies to critical risks, is outlined in this YouTube video (https://www.youtube.com/watch?v=w3mxDP0C6Nk) titled ‘Black Swans – an enhanced understanding of risks’.
Ignorantly: More often than not, people in decision-making positions (regardless of the degree thereof) fail to identify and/or assess risk simply because of a stubborn belief system (in which they quite openly evangelise their personal experiences and doctrine), or simply punt an ignorant lack of knowledge and understanding.
The greatest risk here is when the individual does not know what he does not know. True mastery starts with the understanding that you can never know enough. A true master never stops learning or gaining understanding. The problem is that mastery, as an underlying culture, has been replaced with line-toeing ‘dronery’, simply because of the ignorant perspective that true mastery can rarely be afforded.
The fact is that true mastery must be developed, nurtured and grown inside the enterprise, for the enterprise, and by the enterprise. The purchase of the latest and the best new ‘box’ will only be as good as the underlying principles, skills and mastery that led to that purchase, rather than the box itself. The same applies in the application of operational risk management, or firefighting.
Fearfully: The lack of budget or the implied costs to effectively and physically deal with risk is often the reason why no, or weak, or poor operational risk management measures are applied. Unless very specialised consultation is required (as in legal compliance issues), risk assessment and management planning should originate organically from the enterprise.
The inability to do so will underline severe gaps in personal capacities and capabilities. This is often the sole reason why it is simply not done. People just don’t know or understand. Ask a business unit manager to draft an operational risk assessment for his unit, with a risk register and risk management plan, and you will see sweat and nervous tics.
The identification, assessment and subsequent planning for the management of operational risk are the first all-powerful steps in getting ahead of the decision (and therefore reaction) curve in operational risk management. Policies, procedures, new systems and the adaptation of existing systems can achieve much in adapting enterprise behaviour and posture towards operational risk and the effective management thereof – much more than the outright purchase of a solution, which has so easily become the trend in the marketplace.
Demystifying operational risk management
From the perspective of security management, it is critical to understand that security management is an integral part of operational risk management. It is, however, also critical to have a broad understanding of the underlying concepts and principles of operational risk management and how to translate them into practice.
In the following series of articles, we will take a very practical and realistic view of operational risk management. We will look at identification, assessment, presentation and management strategies and formulas. We will make customisable templates available, to assist in the documentation and presentation of all aspects of operational risk management to the industry.
Heinrich J. van Eck is an independent risk consultant. He specialises in the management of operational risk convergence in the SMART City | SMART Enterprise environment. He can be contacted on firstname.lastname@example.org.
© Technews Publishing (Pty) Ltd | All Rights Reserved