If there was ever any doubt that September 11 changed the world, that doubt was resolved for me yesterday at ESS Expo 2006 as I listened to Michael Rasmussen, a Forrester analyst who covers Enterprise Risk Management, discuss operational risk, a term I only began to hear about a year or two ago, but a term that defines a large and growing preoccupation of corporate executives.
Operational risk is the risk you have, when you are in business, of losing all or part of your business at any time because of inadequate or failed internal processes, people and systems, or from external events (remember Cantor Fitzgerald, the company in the World Trade Center that lost not only its physical assets, but over half its staff?).
This kind of business risk never goes away, but until recently financial risk was the only element of risk management that was deemed worthy of attention: will we have enough sales; will we get paid on time; if we invest our cash reserves, will we lose them; if we operate in a foreign country, will we be able to get our profits out of there? This is called "treasury risk" in the enterprise.
However, at the turn of this century, because of 9/11, people began to notice other kinds of operational risk, including loss of physical assets (think Katrina), rises in oil prices (think airline bankruptcies), and environmental health and safety issues. These risks bubbled up from further down in the organization, perhaps from the facilities management or the environmental areas rather than the corporate boardroom, but they quickly integrated themselves with the financial risks because of their common interest in government regulation.
Yep. Every year there is a greater risk of noncompliance with increasing and increasingly complex government regulations and reporting requirements. The federal Office of Management and Budget has a sub-agency just to count and keep track of new rules and regulations coming out of the government. The overall economic impact of these regulations on the US economy is over $1 trillion annually; there are 4000 employment and labor laws alone!
As the government began to regulate the disposal of hazardous wastes, safety in the workplace, and how we treat "protected classes" of employees, the operational risk aspects of noncompliance (your CEO goes to jail, or your company gets fined millions of dollars) became recognizable. Not only could you blow up your valuable plant and shut your lines down by handling your chemicals incorrectly, but you could also be fined for EPA and OSHA violations simultaneously.
So any operational incident invariably affects the bottom line of the company. In fact, in a survey done by ZDNet Media for MRO Software, 45% of enterprise companies have had an operational incident in the last twelve months, and each incident has an average cost to the organization of $16.9 million.
As a result, the worlds of compliance and risk management have begun to blur, and most large organizations seem to have some CxO who is responsible for managing all the risks. This can be a Chief Risk Officer, Chief Security Officer, or someone who is not at the "C" level at all, but has the responsibility anyway. As you can imagine, being in charge of all the eventualities that can possibly be imagined as business risks is a pretty big job.
How does this CRO get a handle on all this potential risk and manage it? Through software, of course. Fortunately, in the 21st century we have business intelligence, which allows an executive to see at a glance, through a desktop dashboard, whether he is in or out of compliance, in or out of danger, at any given time. All you have to do is choose a vendor, pay some money, and have the software deployed. The correct software automatically updates the regs, tells you what has changed, and modifies the tasks you have to do to comply with the new rules. Lest you think this is not a big deal, Rasmussen says 400 software vendors and 75 consulting companies are marketing operational risk management and compliance.
How do you choose a product in that crowded a space? Probably you want to choose the one with the broadest capability and the best integration between compliance and traditional risk management. (A small point made by Rasmussen that's really telling: Operational Risk Management Magazine, a trade pub you have probably never heard of, has recently changed its name to Operational Risk and Compliance. And that's because every notable incident in which there is significant loss of life or money is accompanied by increased government regulation.)
That product, of course, is ESS. Shameless promotion of a Stealthmode client, but fascinating anyway :-)