Risk avoidance and risk management are hot topics that seem to govern decision-making – and with good reason. Risk comes with potentially massive operational, financial, reputational and legal repercussions, so it makes absolute sense to do everything possible to model it, understand it, analyse it and ultimately mitigate it.
But not all risk is created equal. Nothing illustrates this point better than recent research showing how much global financial institutions lost to different types of operational risk during the last six years. As shown in the chart below, they lost $210 billion between 2011 and 2016, with more than $180 billion of that amount attributed to execution, delivery and process management combined with clients, products and business practices.
So, major banks lost more money because of bad process management than all other risks combined. I’d argue that client, product and business practices, which comprise the largest risk category, essentially come down to process application and management as well.
Despite the actual statistics, we hear more about data/technology and compliance risk. While these are significant and justified concerns, financial institutions don’t seem to realize they are losing more money due to other types of risks.
Therefore, I want to remind them – and all of us – that managing operational risk is an ongoing initiative, which needs to include better risk analysis, documentation, process impact analysis and mitigation.
While dozens of methodologies and systems are available in today’s marketplace, they only focus on or attempt to address the smaller, individual components of operational risk. However, all the risk categories listed above require an effective, practical and – most important – easy-to-implement system to address all the underlying components in a collaborative effort – not in isolation.
According to ORX, the largest operational risk association in the financial services sector, managing and thereby reducing risk involves managing four different but interconnected layers: people, IT, organizational processes and regulations.
More and more organizations seem to believe that once IT embeds their applications with the necessary controls to meet regulatory requirements, then all is right with the world. But experience has shown that isn’t true. Without adapting the processes that use the applications, training employees, and putting sufficient controls in place to ensure all regulatory elements are not only applied but applied correctly, technical controls alone will never be effective.
And many will argue that little can be done within an organization regarding regulations, but that’s not true either. While regulations are developed and passed by governments and other external regulatory bodies, what really matters is how organizations adopt those regulations and embed them into their culture and daily operations – which is where all the layers of risk management intersect.
As part of his Nobel Prize-winning work, physicist and quantum mechanics pioneer Werner Heisenberg developed the eponymous uncertainty principle that asserts it is only possible to know either the position or movement of a particle but not both. This theory applies to many aspects of everyday life, including organizational operations. It’s difficult to know both an organization’s current state and where it’s headed, and every organization struggles with the same risk management question in this vein: how do we manage risk while also being agile enough to support growth?
ORX is clear that effective risk management requires implementing controls throughout the entire process ecosystem by integrating risk management into the organization’s very fabric. This means clearly defining roles and responsibilities, embedding process improvements, and regularly controlling process performance. Of course, the common thread here is more streamlined and controlled processes.
Make no mistake – effort is still required, but all the above is much simpler today. Thanks to new methodologies and comprehensive business process modeling systems, you can identify which risks are applicable, where they are most likely to occur, and who is responsible for managing them to reduce their probability and impact. Therefore, operational risk can be viewed and then addressed quickly and effectively.
In fact, erwin has worked with an increasing number of financial institutions launching process improvement, automation and management initiatives specifically designed to restructure their processes to promote flexibility as a growth driver without sacrificing traceability and control.
We can help you do the same, regardless of your industry.