Doing Things Right
Ask just about any CEO what the first thing that comes to mind is when hearing the words “risk management,” and the response will probably include phrases like “trading risk,” “systemic risk” or something else considered “strategic.” However, there is another, often overlooked discipline within risk management that is increasingly capturing the attention of shareholders and other stakeholders: operational risk. It lurks in every part of a company, and when it comes to prudent risk management, overlooking operational risk is perhaps the biggest mistake a CEO can make.
CEOs consider risk almost exclusively from a strategic perspective. That is, they ask, “Are we doing the right things?” At first glance, this seems to be a reasonable approach. But it fails to adequately address operational risk, which encompasses the risk of loss caused by inadequate or failed processes, people and systems, and by external events. The way to address operational risk is to ask another, equally important and inextricable question: “Are we doing things right?”
Take, for example, the notion of consumer privacy and data management. The common strategic position is, “We protect customer data and information.” But without an operational plan focused on how to do it right, that strategic intent begins to look more like a liability. What operational measures have been taken, for instance, to prevent a disgruntled employee from e-mailing a confidential spreadsheet containing personal data to a Hotmail address?
Likewise, look at Toyota’s strategic (and historic) reputation for great quality and reliability. Yet recently, operational risk reared its head in quality assurance and manufacturing faults that had gone unaddressed. The resulting crisis not only significantly damaged the company’s bottom line, but also tarnished its hard-earned reputation as the paragon of quality and reliability.
Another area where firms must pay close attention to operational risk is supply chain management. In the food industry, several businesses have recently had to recall products after receiving tainted or unsafe food from one or more suppliers, resulting in significant costs and liability, lost revenue and a sharp decline in trust among consumers.
All these scenarios demonstrate that the real foundation of prudent risk management is to integrate and balance approaches to operational risk management with those focused on strategic risk. Unfortunately, for many organizations, this is more easily said than done.
Why? Because operational risk does not enjoy the same mature and developed risk models typically used to assess market and credit risk. Operational risk lurks in many different parts of an organization, and is further complicated by the typical challenges of communication across any organization.
So, what’s a CEO to do? First, make it imperative for each segment of the firm to conduct a risk assessment. Involve people from all parts of the business and those with intimate knowledge of operations. Identify what could go wrong, how to prevent it and how to recover from inevitable, unavoidable operational risk events. Your goal should be a comprehensive risk plan for each division or line of business.
Second, the CEO should “break down the silos” in management in order to identify potential risks that run across different divisions or even different personalities among a company’s leaders.
Last, but not least, once the risk assessments are complete, it’s critical to think seriously about tolerance for risk. Risk assessments are just that—portraits of what could go wrong, how much it could cost and how controls can be employed to reduce the risk. But minimizing risk costs money. A company can’t fully address the costs of mitigating operational risk without identifying its overall tolerance for risk. Unfortunately, a model hasn’t been invented yet to calculate it.
Therefore, it falls to the CEO, the executive team and the board to apply their experience, skills and awareness of stakeholder expectations to set risk limits as well as to design and implement a risk control framework, including operational risk, consistent with these established limits.
Seth Shapiro is a senior vice president and risk strategist at Kibble & Prentice.




