30 January 2007

Shareholder Value: Through Integrated Risk Management...

Supply chain risk management is getting more attention these days. As institutions get their own house in order on operational risk losses, they are moving outside and auditing their suppliers. The complexity of the supply chain is increasing as organizations become leaner. A recent AMR Research study reveals that supplier failure and continuity of supply is the number one risk factor for 28% of firms.

The Enron scandal and the emergence of Sarbanes-Oxley compliance, the 9/11 terrorist attacks, the SARS and avian flu threats, the Asian tsunami and Hurricanes Katrina and Rita, and high-profile business failures have forced companies to evaluate how well prepared their organizations are to handle catastrophe and unplanned events. For other firms, strategic and execution risks are front of mind, such as hitting a launch window for a short-lifecycle product.

Additional survey results include:

  • 33% of firms say they have dedicated budget line items for supply chain risk management activities.
  • 54% of firms plan to increase their budgets for risk management over the next 12 months. Of those firms, the average spending increase will be 17% year over year.
  • The top areas of application spending to support supply chain risk management are sales and operations planning, inventory optimization, business intelligence and supply chain analytics, and supply chain visibility and event management applications.
And while many of these manufacturing and distribution organizations are focused on the supply chain, in the financial sector two international laws will affect how organizations retain, recover and report on data. Basel II, which took effect Jan. 1, requires the worldwide banking community to uniformly capture data so that operational risk factors can be identified and analyzed. This is just the beginning of additional financial sector scrutiny, as hedge fund exposure becomes regulators' new target zone.

Concern that booming lending to hedge funds may have led to a relaxation in credit standards has prompted US and European regulators to start the first joint investigation into whether banks and brokers are managing such risks appropriately.

The move is a sign that regulators are stepping up transatlantic co-ordination. It comes after a call by Angela Merkel, the German chancellor, for closer US-European Union co-ordination on financial regulation.

Officials from the Securities and Exchange Commission, the UK’s Financial Services Authority, the New York Federal Reserve and other European regulators met last month to discuss credit issues, according to David Cliffe, an FSA spokesman.

They want to know if the collateral required of hedge funds from their lenders is enough to cover losses, and whether margins are set at appropriate levels to help avoid systemic risk in the event of trading losses.

Operational risks span the enterprise from the front office to the back office, from the server room to the trading room. It's no wonder that Boards of Directors and corporate management have now realized that Enterprise Risk Management is the name of the game:

"The creation of shareholder value through the integrated management of risk."

New rules on the evidentiary discovery of clients' electronically stored information, international banking rules and more detailed interpretations of the Health Insurance Portability and Accountability Act (HIPAA) will spur customers to put mechanisms in place to more quickly discover and retrieve archived data.

2007 is going to be another year of growth and opportunity. How you manage risk is going to be a deciding factor.

23 January 2007

ORM: Automation Revolution...

There are many organizations out there evaluating the now more mature Operational Risk platforms for their institutions. Just as at the dawn of Enterprise Resource Planning (ERP) platforms such as PeopleSoft, SAP and others, there will be a fight for market share, and end users will look to their trusted advisors for expert resources. How do you know what application is right for your organization?

The question remains, are you ready? Are your department and staff up to speed on what this means for the process changes necessary in your enterprise for an ORM application to succeed?

OpenPages ORM automates the process of identifying, measuring and monitoring operational risk, integrating all risk data – risk and control self assessments, loss events and key risk indicators – in a single solution. OpenPages ORM combines powerful document and process management with a monitoring and decision support system that enables organizations to analyze, manage and mitigate risk in a simple and efficient manner.

Risk self-assessment capabilities enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators and controls. Executive-level dashboard and reports provide visibility into key risk metrics and policy compliance, while business process automation capabilities provide for real-time event escalation; automated risk processes, such as loss event root-cause analysis; and, streamlined remediation of issues and action items.

With loss event tracking, risk managers can track loss incidents and near misses, recording amounts, determining root causes and assigning ownership. OpenPages ORM provides statistical and trend analysis capabilities and enables end users to track remedies and action plans. Key risk indicators provide capabilities for tracking risk metrics and thresholds, with automated notification when thresholds are breached. OpenPages ORM provides facilities for both manual and automatic data inputs from internal and external data sources.

With OpenPages ORM, organizations can embed operational risk management and governance into the corporate culture, making procedures more effective and efficient while providing management with peace-of-mind that the corporate brand is protected.

How do you make a decision on OpenPages, SunGard or SAS? As with the implementation of ERP platforms, you end up with new challenges, both technical and human oriented. Making a choice requires, at some point, a consensus of the end users, the departments impacted by the decision, and the costs of customization or configuration. The total project will also require:

  • Choosing the correct technology solutions for your specific business challenges.
  • Rapidly integrating new technology with the remainder of your IT infrastructure.
  • Effectively fine-tuning business processes to address your organization.
  • Continuously re-evaluating the deployment to ensure maximum ROI.
As with most large IT projects it's important to have Program Management Office (PMO) functions up and running prior to making a final purchase. And if you are a true Operational Risk Management professional, you have already performed your analysis of the threats and hazards to the successful implementation, training and launch of your new ORM system.

19 January 2007

Investigations: Rules of Engagement...

Sarah Scalet at CSO has asked the question: What are the 10 commandments of responsible investigations?

The topic is a result of the HP scandal. What are the prudent rules of engagement to answer the original question? Who is leaking information from this Board Room to the media?

Sarah says, "I did a lot of thinking and had a lot of conversations about how to run corporate investigations in a responsible way.

By responsible, I mean not only done in a legal and ethical way (although those things, too), but also done in an effective and appropriate way. There are a lot of gray areas in investigations, and there are complicated and expensive ends to which you can take things. If we've learned anything from the mainstream media coverage of the HP debacle, it's the importance of making sure that an investigation meets the suspected crime."

In any investigation, whether fact finding or a search for the truth, the data will leave a trail of answers; the key is to make sure you have the correct hypothesis. If you haven't first created a sound and cohesive test plan, the results will not answer the question, hunch or theory. That is where investigations go down a path of emotional intent instead of a process of factual discovery: the data collection didn't answer the emotional question, so someone goes and finds information that does. This is where the real flaw lies in most investigations.

Let's take a quick quiz to make a point:

Business crime losses are typically the result of:

a. Non-violent acts committed by insiders.
b. Non-violent acts committed by outsiders.
c. Violent acts committed by insiders.
d. Violent acts committed by outsiders.

If you answered "B" then you are incorrect. The answer is "A". Insiders are the first place you begin to look when accounts are missing money, the system has been hacked or vital corporate information has fallen into the wrong hands.

From the behavioral sciences perspective it is axiomatic that a protection program will not succeed unless it:

a. Meets the personal needs of the vast majority of the workforce.
b. Cultivates the willing cooperation of those affected by it.
c. Incorporates sufficient disciplinary sanctions to convince the workforce to follow prescribed procedures.
d. Provides for termination of employment in the case of repeated violations of mandatory procedures.

If you answered "C" then you are wrong. The answer is "B". A willing workforce, employees and society in general follow and obey the laws they can identify with the most. In the Board Room the normal procedure is to have people sign a non-disclosure agreement. By having people submit to the act of promising not to talk about what happens behind closed doors, you are creating a forum for trouble.

The Ten Commandments of Responsible Investigations would not be necessary if transparency and policy governance were embedded in the culture. If they were in place, people would not have as much motivation to break the rules. At the root of the issue, you have to go back to one of our earlier blogs on Trust.

12 January 2007

Policy Governance: The Road to Change...

The Board of Directors at your company is talking again about Policy Governance. The reason is that change is necessary, and when it's time for a new worldview there are only a few real choices anymore. The old way hasn't worked and now it's time to start with a blank sheet of paper.

So what is Policy Governance?

Policy Governance®, an integrated board leadership paradigm created by Dr. John Carver, is a groundbreaking model of governance designed to empower boards of directors to fulfill their obligation of accountability for the organizations they govern. As a generic system, it is applicable to the governing body of any enterprise. The model enables the board to focus on the larger issues, to delegate with clarity, to control management's job without meddling, to rigorously evaluate the accomplishment of the organization; to truly lead its organization.

In contrast to the approaches typically used by boards, Policy Governance separates issues of organizational purpose (ENDS) from all other organizational issues (MEANS), placing primary importance on those Ends. Policy Governance boards demand accomplishment of purpose, and only limit the staff's available means to those which do not violate the board's pre-stated standards of prudence and ethics.

Is management clear on the mission? Is the CEO out of sync with what the Board of Directors' "Ends" are and the direction they are heading in? Policy Governance may be the answer. Yet a new mindset shift or a new methodology will not get you where you want to be without effective Governance Strategy Execution.

Reinventing your board isn't easy, and putting a fence around the CEO's perimeter may be even harder. The goal is to make sure that your policies are resilient and endure beyond the tenure of any one CEO. If you can accomplish this, you take the person-to-person potential for conflicting personalities or styles out of the equation. You have to start high enough and in the broadest context:

The CEO shall not cause or allow any organizational practice, activity, decision or circumstance that is in violation of commonly accepted business and professional ethics and practices...

Now that you have the outer perimeter set, you can start to narrow it down and provide greater scrutiny in places you are really concerned about.

As an example, and this is not a one way street:

  1. The Board will not provide orders to people who report directly or indirectly to the CEO.
  2. The Board will not review or evaluate staff other than the CEO.
At the end of the day, or the fiscal year for that matter, being on the Board of Directors requires courage and the ability to make hard decisions. Policy Governance is one way to take the change process and make it happen like you never have in the past. And remember, John Carver and the Policy Governance model are one and the same: he is the inventor and steward of this mechanism of change in the global corporate enterprise.