Deploying an operational risk management program that does the intended job remains a challenge for many businesses today. The industrial sector and others have witnessed rapid changes that significantly altered the way businesses operate. Global commerce continues to expand and supply chains are becoming more complex. Furthermore, regulations influence every interaction, and social media provides another means for regulators and other government entities to scrutinize the businesses.
Another problem companies face today involves the funding of the operational risk management strategy consistently. Verdantix, an independent consulting firm, recently conducted a study on behalf of DuPont Sustainable Solutions. This study found that 65 percent of businesses lacked the funds for this purpose, according to the respondents. They stated it remained a barrier they were finding difficult to overcome.
This study involved 75 senior leaders spread across eight different industries and ten countries. Verdantix asked them about risk management to learn more about ORM strategies within their organization and their perception of these strategies. These interviews led to DuPont Sustainable Solutions recommending the following seven steps for anyone looking to implement an operational risk management program successfully.
Start at the Top
The leaders at the top of the organization must be fully behind the operational risk management program for it to be effective. Approximately 80 percent of businesses in the survey stated the corporate level remains accountable for risk management. The leaders need to understand the internal operational risks, as this allows them to make better decisions and direct employees to take informed risks. They need to discuss what happens when there is a breakdown in regular operational processes, systems, and people. The risks can be controlled and avoided when team members assume responsibility for identifying the risk before evaluating and addressing them. The top five operational risks are collaboration, cultural, customer, people, and technology risks.
Risk Accountability at All Levels
However, leaders serve as only part of the equation. They need to train all employees to make risk-based thinking part of everyday operations. These individuals must be held accountable when something goes wrong in the area they remain responsible for. In the survey, 38 percent of businesses reported they didn’t hold shop floor employees accountable in this area. Any person within an organization can make a risk decision. Nevertheless, this task should be reserved for the person with the authority to minimize or eliminate the identified risk before implementing any necessary controls. This is currently how the Federal Aviation Administration handles it and other businesses have followed suit.
Timely Risk Assessments
Companies must comply with new regulations as they arise, which helps to explain why risk management must always remain a top priority. However, each company must determine how often they need to conduct an audit based on their unique characteristics and operational footprint. Of the firms surveyed, 92 percent stated they carry out this assessment at least once every year. They do so to ensure their risk profile remains current and they incorporate necessary changes in a timely manner. However, this serves as only part of the process.
Every company needs to determine risk triggers. For instance, an oil rig in the Gulf of Mexico needs to be battened down when a hurricane is forecast to hit the area. They know this trigger increases the risk of damage to the rig and take steps to prevent this damage. Each company needs to determine the root cause of each risk and protect against the risk event in every way possible.
Quantifying and Prioritizing Risks
When optimizing the operational risk management program, companies must quantify each risk in terms of its probability and severity. Once this information has been gathered, they calculate the benefits and costs associated with mitigating each risk to determine if it is more costly to mitigate than to allow it to remain. These calculations allow the organization to target its efforts effectively.
Select Metrics and Key Performance Indicators
To successfully implement an operational risk management program, the company must know which metrics and key performance indicators are needed to monitor and assess performance accurately. This ensures the company is putting its efforts and resources where they are needed most. Fortunately, many companies recognize they need to make this a priority and are turning to outside sources for help in determining which metrics and key performance indicators are best for their organization.
Many business owners associate key performance indicators and metrics with general business management, accounting, and finance. However, they remain necessary in every organization, as they help with achieving specific targets. The company might identify targets related to exposure reduction, minimization, or mitigation. For instance, a business may monitor the number of transactions that have a fault or error and the number of cumulative hours the IT system is down. It all depends on the business.
When a business chooses to implement control measures to mitigate risks actively, particularly those that have been determined to be a priority, they must use controls that are cost effective, consistent, and well-documented. Although 98 percent of respondents in the survey stated they have measures in place, only a quarter of the businesses believed the measures to be cost effective. This demonstrates the need for companies to look for better solutions when it comes to managing and controlling risks they have identified.
Companies must recognize operational risk management needs to be an ongoing process. Furthermore, regular communications on ORM performance serve as a requirement when it comes to effectively ensuring employees remain engaged in this area. Tailor these communications to different levels and functions across the organization, as different areas and departments have distinct priorities and areas they focus on. There is no need to share a communication meant for one department with everyone in the organization, as excessive communications lead to people tuning out, particularly when the majority of the communications don’t pertain to them. Avoid this by sharing messages with certain audiences rather than across the board.
Operational risk management differentiates competitors. Companies that make this a priority find their product performance improves, brand recognition increases, and financial results are easy to sustain. If you have yet to make this a priority in your company, do so today. You cannot afford to miss out simply because you haven’t focused on ORM enough. This needs to change today so you can stand out from competitors and increase your market share.