Thursday, April 21, 2005

Here is How to Protect Your Organization...

Rob Norton's cover story on Risk is a great primer to what corporate executives and board members around the globe have known for some time.

Crooked managers. Changing technology. Financial surprises. Who knows what company-killers lie ahead? Here’s how directors can protect themselves.

No single four-letter word is more likely to raise a board’s collective blood pressure these days than risk. The recent parade of corporate scandals can be blamed in part on a lack of effective systems to recognize and manage risk—not just insurance matters but broad operational and financial hazards to the enterprise. Now risk management has risen to the top of the agenda for many directors. Often the job falls under the authority of the audit committee, but some U.S. boards, including that of MCI (formerly WorldCom), have appointed special risk management committees. The boards of several European and Canadian companies have adopted formal processes aimed at alerting directors to the extent to which the outfits are exposed to risk and how it is managed.

The risks that blew up in the faces of boards at companies such as WorldCom, Enron, and Parmalat all come under the general category of operational risk, broadly defined as the danger of loss resulting from inadequate or failed internal processes, people, or systems, or from external events. These can include:

• Unscrupulous managers.
• Business interruptions caused by terrorism, war, or natural disaster.
• Supply-chain breakdowns.
• Changing technology.
• Increased competition.


Fortunately, the article mentions "Supply Chain Risk" as an area that needs more scrutiny as companies continue to increase offshoring and outsourcing to gain competitive advantages. This area of Operational Risk is a growing concern by not only shareholders, but the plaintiffs who follow the aftermath of Eliot Spitzer's investigations.

A significant business disruption (SBD) will occur at your organization each day, week, and month this year. The question remains that of what you are already doing to manage these inevitable incidents. We suggest a "4D" approach:

Deter

Detect

Defend

Document


This "4D" Managed Services approach to managing Operational Risk provides the initial framework for creating a strategic enterprise risk management (ERM) initiative in the organization. Each area has it's own tools, systems and processes yet each is connected to the Risk Nervous System via the 1SecureAudit Operational Risk Enterprise Architecture. (OREA)

OREA utilizes a proven and systematic approach for risk assessment, data capture, risk treatment and reporting. To facilitate efforts to transform the organization into one that has lower volatility of earnings growth and is more secure, 1SecureAudit co-designs the Operational Risk Enterprise Architecture (OREA), a business-based framework for organizational-wide improvement.

People
· Employee Fraud / Malice
· Unauthorized Activity
· Rogue Trading
· Employee Misdeed
· Employment Law
· Loss/lack of personnel

Processes
· Payment / Settlement
· Delivery / Selling
· Documentation / Contract
· Valuation / Pricing
· Internal / External Reporting
· Compliance

Systems
· Technology Investment
· Development
· Access
· Capacity
· Failures
· Security Breach

External
· Legal Liability
· Criminal Activities
· Outsourcing
· Suppliers / Insourcing
· Disasters / Infrastructure
· Regulatory / Political

OREA is constructed through a collection of interrelated “reference meta models” designed to facilitate cross-lines of business analysis and the identification of duplicative processes, departments, gaps, and opportunities for collaboration within and across lines of business (LOB). This OREA and Business Reference Model is intended for use in analyzing investments in Operational Risk projects and other capital assets. It also serves as a foundation for the development of a broader architecture that can serve as the platform for a comprehensive budget and performance reporting system that supports enterprise wide business risk integration and change management initiatives.

No comments: