Risk has always been an integral part of business. After all, “nothing ventured, nothing gained” is a very old observation. To address such exposure, businesses are lately embracing innovation. It’s a trend that should accelerate, with operational risk management technology, including predictive analytics and governance, risk and compliance software playing a larger role. IT increasingly delivers the ability to collect information about operational and financial risks and then provide timely alerts that can avert risks or diminish their impact.
Our recent benchmark research on governance, risk and compliance (GRC) found that virtually all companies (95%) are concerned about GRC, and almost half (42%) are very concerned. Managing risk is a central objective: 70% said reducing their companies’ risk exposure is the main reason for focusing on GRC tools, and nearly four out of five want to identify and manage risks faster. It’s not that most companies are ineffective in managing operational risks -- only about one in five told us they have ineffective operational risk controls -- but few rated as very effective their ability to manage risks stemming from natural disaster, supply chain disruption, competitive threats, reputation loss, internal fraud and demand disruption. Ironically, the research finds that companies in riskier businesses are more likely to describe their controls as ineffective than those in less risky undertakings.
Managing anything effectively requires that it be measurable. While it’s clear that risk is a primary concern for executives and managers, it’s also true that risk means different things to people in different roles. Organizations must therefore define the risks that matter most and focus on measuring and managing them. Objective metrics are required to manage risk objectively: Unless one can quantify the conditions and outcomes of a risk, it’s impossible to manage it effectively.
Why is operational risk management technology important? Operational risk management is an ongoing process. It involves identifying situations that pose a risk to the successful operation of an organization, estimating the monetary and other measurable impacts if a risk event occurs and establishing methods for attenuating their severity. It also involves continuously measuring the probability of the risk occurring in a certain period of time, periodically reporting on the risk environment to decision makers and alerting executives and managers when risk thresholds have been crossed.
More on operational risk management
Learn about sustainability risks
Build a strategy for supplier risk management
Understand risk in workforce management
Operational risk is something that now can -- and therefore should -- be managed more comprehensively. Wider availability of a larger set of corporate and third-party data, as well as the ability to process it quickly and explore implications in real time make it practical to expand the scope of operational risk management. The goal is improving the handling of risk events.
The issue of defining risk is relevant here as well. The operational risks that companies are measuring and monitoring mainly relate to a failure to meet objectives -- sales quotas or budgeted expense limits, for example. They are usually expressed in monetary terms and rarely monitored in real time. (The main exceptions are revenue and some sales-related data.) But many more operational risks could be measured, such as scheduled maintenance that has not been performed, order patterns that point to a sales slowdown or an increasing likelihood of higher overtime expenses.
Many companies do not understand how to measure operational risk. Among the exceptions are financial services companies, which are very good at measuring risk, including operational risk. Managing risk by using actuarial science is, after all, the main function of an insurance company. Banks have centuries of practical experience that has taught them what to measure to assess risk. And because these companies deal in numbers -- money is both their raw material and their output -- risks can be quantified relatively easily.
That’s not true in other industries. What, for example, are the risks faced by a fast-food franchiser? A mining company? An aerospace parts contractor? Some are easily quantifiable and mitigated; for example, ore and metal prices can be hedged. Others, such as production disruptions caused by mechanical failure, are harder to gauge and therefore track. Until now, it has been difficult to translate individual operational data points -- hours worked, machine sensor readings or beverage sales per order, for instance -- into risk measures.
Predictive analytics can help. It offers a reliable method of translating a range of operational data into a useful measurement of operational risk. Predictive models use patterns found in historical and transactional data to identify risks -- and opportunities. They can be used to identify risks far sooner and with greater insight than simple statistics. For instance, the total of sales orders through the 10th day of the month may appear to be in line with the forecast, but the pattern of the actual orders placed may signal an impending shortfall. Or the employee hours and revenue at a fine-dining restaurant chain may be tracking forecasts, but register timestamps and other data suggest that the manager is forcing employees to work overtime without compensation, in violation of labor laws.
Predictive analytics works by distilling large amounts of data to reveal positive or negative patterns, and recent IT advances make it increasingly useful in risk management. For example, “big data” supports predictive analytics by assembling and digesting the vast amount of information needed to spot otherwise unseen patterns. Consumer-focused companies are monitoring social media to detect negative sentiments and threats to their brands’ reputations.
Predictive analytics thus enables companies to find useful patterns and trends earlier than they could have in the past. Applying it to data collected from production machinery and other devices makes more robust operational risk management feasible. For example, maintenance in asset-intensive industries is a significant expense, and the unscheduled loss of a machine tool or some other productive asset can have a strong negative impact on a company’s results. Being able to monitor the performance of individual assets can allow companies to do preventative maintenance and perform such work only when necessary. Airlines already do this with some aircraft and jet engines, and it could be a boon to utilities, mining and other extractive businesses, and heavy manufacturing, to name just three more.
Some of the data needed for applying predictive analytics to risk management may not be available or readily accessible today, but there is considerable useful information that is not being tapped because relatively few companies use predictive analytics. Our business analytics benchmark research found that just 13% of organizations do.
IT trends make ‘risk analytics’ a feasible part of operational risk management. Predictive analytics once was reserved for specialized analysts, but technology has made it increasingly feasible for companies to build their own predictive models or hire consultants to do it. The volumes of operational data needed to feed predictive models are available, and the cost of the processing power and storage required to handle large amounts of data is steadily declining. Major software vendors have recognized the potential to create risk management applications that use predictive analytics. There already is packaged operational risk management software for financial services companies, but it’s not especially useful for other organizations. Off-the-shelf applications also are available that monitor ERP systems to identify suspicious transactions or indications of fraud or manipulation. Vendors and consulting firms are likely to take advantage of investments companies are making in “big data” to offer industry-specific risk analytics packages that draw on their large collections of data to measure and monitor operational risk.
Many companies already own some of the IT pieces to support operational risk management. Almost all large and many midsize companies have data warehouses, query and reporting tools and software for dashboards, scorecards and planning. They could accomplish more with small additional investments in technology and people. Most companies are already collecting a substantial amount of operational data in systems of record, such as ERP, customer relationship management and supply chain management systems that can be useful in managing risk through ratio analyses and simple trending techniques.
Managing risk intelligently is one of the key capabilities of successful organizations because it can deliver a competitive edge. Companies that are good at managing risk can make aggressive moves more prudently, spot negative trends faster and respond more quickly and effectively when disaster strikes. IT continues to be one of the main sources of innovation in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as smartly as they should.
ABOUT THE AUTHOR
Robert Kugel, CFA, is senior vice president and research director for CFO and business research at Ventana Research, based in San Ramon, Calif.