“The only constant is change.” Heraclitus circa 470 BC
If we look at life on this planet, one of the things that is truly fascinating, miraculous even, is nature’s remarkable ability to adapt. Scientists continue to discover living organisms existing under conditions so extreme that they were once thought impossible to support life. Humanity has this ability too. But in our contemporary, environmentally controlled, risk redacted, cubicle enclosed world of buttoned-down existence, we sometimes lose sight of the truth of Heraclitus…that everything changes.
This simple, singular truth has profound implications on the world of operational risk management for one very important reason. The vast majority of all risk management tools exist as of a specific point in time, under a very specific set of circumstances. Risk assessments, loss events, risk profiles, risk tolerances, management reports – all exist as of a point in time that will never, ever exist again. Awesome.
In order to build world class operational risk management systems we have to accept the fact that everything changes, and not always for the better.
- Staff members leave or change jobs, taking with them institutional knowledge, skill sets and relationships forged over time. They possess knowledge that may be helpful or a threat in their new position (e.g., Jérôme Kerviel, Kweku Adoboli). New staff members take their place, ignorant, untrained, unskilled and uninitiated
- Competitive landscapes change – new competition emerges, old ones fade away, all changing the conditions under which your business competes
- New threats emerge every day – destructive weather, new and more elaborate fraud schemes, new security threats based on increasingly sophisticated technology
- Legal and regulatory changes are never ending, which impact and disrupt how you are allowed or required to conduct business
- Technology must be constantly upgraded and replaced in order to remain competitive
Some of these changes we invoke upon ourselves, some are thrust upon us. Some change is good, some is bad, some, well, it’s hard to tell. But the constant in all of this…is change. Change can render risk assessments suspect at best, and at worst, irrelevant. Change marginalizes historical loss data, all of which occurred under a specific set of circumstances which may, or may not, still exist. Change alters risk profiles, possibly taking them above or below tolerance levels. And, even worse, change can introduce whole new risks that were never considered, or provisioned.
But there is good news. If we as operational risk managers look down into our bag of tricks, we see several very important tools that are uniquely and specifically designed to mitigate the impact of this immutable uncertainty.
- First and foremost, a culture of transparency and communication – We have to be able to openly and honestly talk about changes that are happening and how we are prepared to respond to those changes. Willful ignorance to the effects of change is not just a poor management technique, it is downright negligent. Risk managers can be both advocates and liaisons in promoting healthy discussion around change management and incident response.
- Key Risk Indicators (KRIs) – Much maligned, frequently abused and heatedly distrusted, like it or not, KRIs are a risk manager’s best friend when it comes to managing the effects of change, and for one very important reason. KRIs bring life to risk assessments. All risk assessments are built as of a specific point in time and based on a specific set of assumptions. A good KRI, mapped to a risk and tied to a specific “moving part,” can help the business in monitoring subtle changes that may represent an elevated risk. Just remember, KRIs only tell you there is smoke, not that there is fire. That is the risk manager’s job to evaluate.
- Incident response teams – A pre-positioned, trained incident response team with carefully documented incident response procedures can be a huge mitigating factor when it comes to unexpected events. (This will be covered in greater detail in a subsequent article.) The fact that so many organizations don’t have world-class IR teams is unfortunate. The operational risk manager should make it a priority to see that one exists.
- Risk assessments at the point of strategy – The fact is that the seeds of risk are sown in strategy and if the first time that somebody asks “What is the risk?” is after you move to production, something went tragically wrong. The problem here is that we are all creatures seeking gratification. Once someone becomes enamored with what their new system or process or vendor is going to get them, they become increasingly less willing to honestly ask what it could cost them (in terms of incremental risk). This is where risk managers must do their job and help in asking the hard questions.
- Documentation – Remember, documentation makes an organization self-healing. One of the best tools for resiliency is to reduce the impact of the loss of institutional knowledge when staff leave or change jobs. Guess what? You don’t have enough documentation, I guarantee it. A key process that is not documented is a high risk, regardless of what the process owner says.
- World class change management processes – This means that all changes are communicated in the design phase, not implementation. This means that stakeholders are identified and engaged throughout the change process. This means that approval requirements are clearly documented and enforced. And finally, this means that all changes include a risk assessment which is agreed upon just prior to implementation, even in summary form, to show that someone thought through the impact of the proposed change and gave the stakeholders an opportunity to weigh in.
- Finally, learn from your mistakes – This was covered extensively in the recent piece The Most Valuable Information You Aren’t Using, which talks about learning from failure, embracing it even, and asking the hard questions about what happened, what did it mean, and what are we going to do about it. If you aren’t getting stronger due to your mistakes, you’re not managing risk (because you’re probably going to make the same mistakes again.) This is another spectacular area where risk managers can be brokers of learning.
What all of this means for management, and for risk managers, is you have to stop assuming that just because something worked yesterday that it’s going to work tomorrow. That the assumptions that you took to bed with you the night before may have no bearing on reality by the time you’ve finished your morning coffee. Accept that what was a good idea yesterday may be a really bad idea today. And realize that change can happen very fast, or very, very slowly. You have to have mechanisms in place that can both detect and respond to all types of change effectively and expediently.
Remember, change is not the enemy of effective risk management, but it is most certainly the antagonist. Risk management cannot only be about assessing risk (or worse, just modeling it.) Risk management is only a useful tool if it helps us deal with the changes we invoke and encounter on a day-to-day basis, creating a business that is both resilient and adaptable.
For more information on developing an effective risk management program contact Eric Holmquist at Accume Partners at (856) 793-1581 or eholmquist@accumepartners.com. Visit accumepartners.com