Rethinking operational risk

A new crisis brings new threats

  • The pandemic has exposed major operational risks at companies in every economic sector
  • Most companies lack frameworks for managing high-impact but low-probability risks
  • Enterprise risk management tools and other tactics can help companies build risk resilience

In the aftermath of the 2008 financial crisis, many U.S. businesses put significant effort into modeling and managing risk and uncertainty in the financial markets.

New federal laws, such as the Dodd-Frank Act, enforced stronger federal controls on speculative investments and created new regulatory processes to limit risk by mandating greater transparency. For many companies, compliance with those controls has been a burden but also a bulwark against disaster. That is, until the pandemic fundamentally altered how organizations think about risk.

COVID-19 “is one of the biggest disruptions most companies have ever faced, and it has put a lot of our frameworks of risk to the test,” says Tom Campanile, a partner in Ernst & Young’s financial services advisory.

Because those frameworks are mostly non-financial, most companies hadn’t, until a few months ago, scrutinized them with the same rigor given to operational risks. These risks cover a range of issues, including:

  • Health and safety concerns for workers
  • Privacy operations
  • Cybersecurity threats
  • Regulatory compliance issues
  • Third-party resilience issues, including management of power outages and the supply chain

Managing operational risk more comprehensively is crucial today, says Campanile. “Risk has typically been managed in silos, but connecting the dots across those risks is becoming key and requires different disciplines, plans, and working on different time scales.”

Standard risk frameworks

Operational risk management resources have been widely available for years. ISO 31000 is a set of guidelines from the International Organization for Standardization that identifies and manages a wide spectrum of business risk factors. COSO, a framework developed by the Committee of Sponsoring Organizations of the Treadway Commission, is designed to uncover and prevent business fraud. It also has significant accounting and auditing components.

But the pandemic has exposed additional weaknesses. “The industry is still figuring this out,” says Mark Nicholson, principal with Deloitte Risk & Financial Advisory. And in some industries, there is little time to waste.

Many employees in the financial sector, for example, are required to work at the office, specifically for risk management reasons. Cooking the books is harder to do under direct supervision, Nicholson says.

But how can companies keep tabs on accounts when so many employees are working remotely? Solutions that sound simple may actually create further risk factors. Employee-monitoring systems can compromise privacy. Data stored on consumer devices invites security risks. It’s one thing to manage these challenges on a limited basis. When an entire company goes remote for months, leaders need to adjust.

The good news is that while many of these risks are challenging, they aren’t novel, and many businesses have structures to mitigate them. For example, while the rush to remote working raises cybersecurity risks, companies have tackled similar issues in recent years as they migrated on-premise data centers to the cloud.

Avoiding risk traps

While most companies have processes for managing compliance and IT risks, such as service outages, many lack frameworks for handling larger, more unforeseen threats. “They often end up focusing on high-likelihood but low-impact risk at the expense of anticipating and mitigating high-impact operational risk, such as the pandemic risk we have seen with COVID-19,” says Barbara Kay, senior director of product marketing for security and risk at ServiceNow.

Executives must tactically assess new risks in the COVID era. For instance, does working from home—which reduces workplace safety risks—increase compliance and control risks?

“Take a step back and focus on the experience gained and lessons learned during this disruption,” says Campanile. “What worked and what didn’t? What assumptions in your response plans were underestimated or overestimated? Where did contingency plans or risk assessments fall short?” A post-mortem assessment to identify opportunities for better alignment, he adds, “will be the foundation for revisiting the framework.”

A new approach

Enterprise Risk Management (ERM) systems can also be a helpful tool, allowing CFOs, CISOs, and others to centralize and consolidate risk management across functional groups. Tools such as desktop monitoring and configuration management, for example, “can help mitigate risk at the individual level, but what’s really needed is a high-level framework that focuses foremost on business resilience,” Campanile says. “This is an opportunity for leadership to paint a firmwide picture of vulnerabilities.”

There’s no simple playbook for assessing risk, but a good first step is taking stock of an organization’s operating processes and assets. “You have to build that inventory, or you’ll be blind about the real risks you’re facing,” Nicholson says.

Simulations can also help managers develop operational risk-assessment models. ERM platforms can conduct data-supported scenario analyses and live testing. “Tabletop” exercises, meanwhile, can involve a roundtable discussion about how to manage a hypothetical crisis. In Campanile’s words: “The intention is to play out a hypothetical scenario and use the output to strengthen existing capabilities.”

But as the Dodd-Frank regulations showed, new risk measures are usually imperfect, and managing risk is an increasingly complex discipline. “We’re at the intersection of data, identity, expectations of privacy, ethics, and more,” Nicholson says. “It’s playing out at a rapid pace, but I don’t think we’ll see a resolution for up to a decade.”