No Excuses - Dennis I. Dickstein - E-Book

Description

Why should a company have an operational risk management function and how should it be organized? No Excuses proposes that operational risk should be examined through the business processes, that is, the flows of business. It provides practical, how-to, step-by-step lessons and checklists to help identify and mitigate operational risks in an organization. As well, it shows how operational risk can be directly linked to the process flows of a business for all industries. CEOs, CFOs, COOs, CROs, CIOs, and CAOs will benefit from this innovative book.


Page count: 448

Year of publication: 2008





List of Illustrations

Chapter 1: Surviving a Series of Unfortunate Events

Exhibit 1.1 Integrating Operational Risk and Business Process Management

Chapter 2: What Is Operational Risk?

Exhibit 2.1 Commonly Used Operational Risk Framework

Exhibit 2.2 Proactive Operational Risk Management Framework

Chapter 3: What Is Business Process Management?

Exhibit 3.1 Life Cycle of a Paradigm

Exhibit 3.2 Life Cycles of Successive Paradigms

Exhibit 3.3 Alternating BPR and BPI Programs

Exhibit 3.4 Enhanced Approach to BPM

Exhibit 3.5 What Is a Process?

Chapter 4: Integrating Process and Risk Frameworks: Prologue

Exhibit 4.1 Side-by-Side Review of the Operational Risk Management Framework and Business Process Management Framework

Exhibit 4.2 Operational Risk Management and Business Process Management Integrated Framework

Chapter 5: Aligning Risk Appetite with Business Goals

Exhibit 5.1 Set and Update Risk Environment

Exhibit 5.2 RACI Chart for Set and Update the Risk Environment

Exhibit 5.3 Process Decomposition of PCF 4.0 Deliver Products and Services

Exhibit 5.4 Graphical Decomposition of PCF 4.0 Deliver Products and Services

Exhibit 5.5 Enhanced Decomposition of PCF 4.0 Deliver Products and Services

Exhibit 5.6 PCF 4.0 Including Supplier Performance Management Process

Chapter 6: Determining Potential Risk of Business Processes

Exhibit 6.1 Diagram of Blue Grass Airport

Exhibit 6.2 “Appraise and Develop Suppliers” Process Design

Exhibit 6.3 “Appraise and Develop Suppliers” Process Model

Exhibit 6.4 Simulation of Operational Risks

Exhibit 6.5 RACI Chart for Determining Potential Risk

Exhibit 6.6 Supply Chain Management Process Model

Exhibit 6.7 Supply Chain Process Model Simulator “Cockpit”

Exhibit 6.8 Results of One Turn at the Controls

Exhibit 6.9 Overview of Exception Handling Knowledge Structures

Exhibit 6.10 Summary of Exception Management Approach

Chapter 7: Monitoring Process and Risk

Exhibit 7.1 Monitoring Operational Risk

Exhibit 7.2 RACI Chart for Monitoring Operational Risk

Chapter 8: Active Risk and Process Management

Exhibit 8.1 Active Management of Operational Risks

Exhibit 8.2 Scoring Deficiency Risks Based on Impact and Probability

Exhibit 8.3 Scoring Mitigation Costs Based on Quantity and Frequency

Exhibit 8.4 Scoring Deficiency Risk versus Mitigation Cost

Exhibit 8.5 Deficiency and Mitigation Scores Using Fulfillment Timing Example

Exhibit 8.6 RACI Chart for Active Management of Operational Risks

Exhibit 8.7 Cost/Benefit Decision Analysis Tool

Chapter 9: Integrating Process and Risk Frameworks: Epilogue

Exhibit 9.1 Operational Risk Management and Business Process Management Integrated Framework

Exhibit 9.2 ORM-BPM Integrated Framework Details

Chapter 10: Role of Technology

Exhibit 10.1 Objectives, Risks, and Controls by MOF Life Cycle Phase

Exhibit 10.2 Linking Business Goals to IT Goals

Exhibit 10.3 Linking IT Goals to IT Processes

Exhibit 10.4 COBIT® 4.1 PO9: Assess and Manage IT Risks, Control Objectives

Exhibit 10.5 Mapping of ITIL v3 with COBIT® 4.1 for PO9

Exhibit 10.6 ITIL Service Delivery and Support Frameworks

Chapter 11: Role of Outsourcing and Offshoring

Exhibit 11.1 Sourcing Options

Exhibit 11.2 Outsourcing Life Cycle

Exhibit 11.3 Summary of Generic Steps in Outsourcing

Exhibit 11.4 Key Focus Areas in Outsourcing/Offshoring

Chapter 12: Role of Organizations

Exhibit 12.1 Aligning Risk Management Activities to Business Process Management Activities

Exhibit 12.2 Example Assignments for Operational Risk Management Staff

Exhibit 12.3 Independent Operational Risk Management Unit

Exhibit 12.4 Colocated Operational Risk Management Unit

Exhibit 12.5 Balanced Risk and Business Management

Chapter 13: Role of Corporate Governance

Exhibit 13.1 Monks and Minow’s View of Corporate Governance

Exhibit 13.2 Alternative Model of Corporate Governance

Exhibit 13.3 Typical Governance of Corporate Risk

Exhibit 13.4 Single-Thread Risk Governance

No Excuses

A Business Process Approach to Managing Operational Risk

Dennis I. Dickstein

Robert H. Flast

Copyright © 2009 by Dennis I. Dickstein and Robert H. Flast. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Dickstein, Dennis I., 1952

No excuses : a business process approach to managing operational risk / Dennis I. Dickstein, Robert H. Flast.

p. cm.

Includes index.

ISBN 978-0-470-22753-4 (cloth)

1. Risk management. 2. Management. 3. Corporate culture. 4. Business—Data processing—Management. I. Flast, Robert H. II. Title.

HD61.D53 2009

658.15'5—dc22

2008029059

PREFACE

Many books have been published about managing risk or business processes. We believe this is the first to integrate the two while demonstrating how it is best to manage each by managing both. Our book introduces a practical tool set that executives and managers can readily put to use. Considering how many people, process, and system mishaps have occurred over the past several years, coupled with the increased attention on risk management by investors, regulators, and credit rating agencies, we think the time is right for a book on this subject to help executives and managers of all sorts of enterprises—public and private, large and small.

Not all organizations have invested the time and resources necessary to assess their processes and manage their operational risks. The concepts, framework, and tools introduced here do not require substantial investment to utilize and will help you successfully manage and mitigate operational risk in your business.

We divided the book into four parts: (1) explaining operational risk and business process management; (2) presenting our new integrated framework and associated tools; (3) offering ways to apply this framework to technology, outsourcing, offshoring, risk organization design, and governance; and (4) discussing how best to embed this framework as a long-term solution for your business. Each chapter begins with a case study of a real risk event and how the organization involved handled or mishandled it.

As chronicled in these case studies, anyone can experience the often catastrophic consequences of operational risk mismanagement, from the employees and shareholders of public and private companies to their customers, regardless of whether they are consumers of electrical power, passengers on an airplane, or parents of young children. For those entrusted with the responsibility of protecting and serving these diverse groups and individuals, there are proven ways to manage such risks. What you will come to realize as you read this book is that there really are “no excuses” when it comes to managing operational risks and business processes.

The idea for this book was conceived in June 2006. At the time, one of us had just installed an operational risk management framework after years of actually managing the risks of various corporate businesses. The other had been working as a business consultant for a number of years, advising corporations and government organizations on improving their systems and processes, after having managed a diverse set of technology-enabled business processes in major corporations. Both of us live in the same neighborhood, our wives are close friends, our children are of similar ages, and we share a passion for improving organizational effectiveness. The joining of our work and personal experiences was truly serendipitous and culminated in the realization of our basic hypothesis: integrating business process management with operational risk management will increase an organization’s chances of achieving optimal business performance.

We could not have completed this work without help from several people. We thank Sheck Cho, our editor at John Wiley & Sons, who provided us encouragement, advice, and excellent assistance in weaving through the many facets of preparing a complex manuscript. We thank Mark Klein of MIT for familiarizing us with his research into exception handling. We thank Chuck Saia of Deloitte and Touche, and Ira Miller of Computer Sciences Corporation, for reviewing our draft manuscript and offering invaluable suggestions. Finally, for their continuous support and many ideas that we have used, we each thank and dedicate this book to our families, specifically: Dennis’s wife, Susan, and their two sons, Jonathan and Daniel; and Bob’s wife, Lauren, and their three children, Lily, Drew, and Ben.

Dennis Dickstein and Robert Flast

January 2009

Part One

WHERE WE ARE NOW

Chapter 1

Surviving a Series of Unfortunate Events

As we left the twentieth century and welcomed the beginning of the twenty-first, the world economy appeared to be in better shape than ever before. Things were probably going well for you, too. You had an enjoyable job, working for a first-rate company. Every day you looked forward to your commute. On any given morning, you would make your way downstairs to your front door to be the first to take the morning’s newspaper. Opening the paper, you would read the headlines. Let’s take a look at the following news headlines and consider how much you or your company’s board members would like to see headlines like these about the first-rate company for which you worked:

Exxon Takes a Spill in Alaska (Newsday, April 2, 1989)

Heads Roll at Showa Shell (The Independent, London, February 26, 1993)

Kidder Scandal Rocks Wall Street (The Plain Dealer, April 19, 1994)

NASDAQ: An Embarrassment of Embarrassments (BusinessWeek, November 7, 1994)

A Big Bank Goes Belly Up (Los Angeles Times, February 28, 1995)

How Many Other Barings Are There? (Wall Street Journal, February 28, 1995)

Boss Resigns as More Daiwa Losses Emerge (South China Morning Post, October 10, 1995)

Enron Falls—With a Whimper (Miami Herald, January 16, 2002)

Andersen, Enron Get Federal Review (Washington Post, January 26, 2002)

Allied Irish Plunges after Suspected Fraud (Reuters News, February 2, 2002)

MCI Expected to Pay Massive Fine in SEC Deal (Wall Street Journal, May 19, 2003)

Citigroup Private Banks Kicked Out of Japan (New York Times, September 20, 2004)

Prudential to Pay Restitution and Fines of $600 Million (Deseret Morning News, August 29, 2006)

Note that these headlines not only point to the financial impact on companies, but also have consequences beyond their earnings—from the personal to the greater community. Many people, especially those never involved in any wrongdoing, have been hurt and even ruined. Aside from resulting in headline news and adversely affecting a variety of industries and thousands of people, these obviously independent and unfortunate events have something else in common. Let us examine one of the more famous cases to help us better understand this unique commonality.

Crime of the Century

On February 26, 1995, Barings Bank, the oldest merchant bank in Great Britain, was unable to meet its funding requirements and was declared bankrupt. Barings was founded in 1762 and had helped finance the Napoleonic Wars, the Louisiana Purchase, and the Erie Canal; 233 years later, on March 3, 1995, the Dutch bank ING bought it for a total of £1.00. How did something like this happen? Virtually all of the stories about this subject blame one man: Nick Leeson. These stories, often told and retold, are virtually the same.

Nick Leeson grew up in a suburb of London, England, and first worked for Morgan Stanley. He later joined Barings and was asked to fix an operations issue in its Indonesia office, which he accomplished within a year. As a result, he was moved to the Barings office in Singapore, and by 1993 he had been promoted to general manager of that office, giving him authority over both the traders and the operations, or back-office, personnel. He then passed an exam that allowed him to trade on the Singapore International Monetary Exchange (SIMEX) and began trading himself, in addition to managing the other traders and the back-office personnel.

Leeson was an unlucky, or perhaps a poor, trader and began to mount major losses. He was able to hide these losses in an error account and show profits in his trading accounts. Being the head of both the front and back offices, he was the senior person reviewing both the trading and error accounts and deciding what to report to Barings management at headquarters. By the time Barings’s senior management realized what had happened, the bank’s losses had accumulated to $1.4 billion, and Barings was not able to meet its cash obligations to SIMEX, resulting in bankruptcy. Meanwhile, Leeson had fled the country; he was found and arrested in Frankfurt, Germany, on March 3, 1995, the same day ING purchased Barings for £1.00 (or $1.60 at that time).

Leeson was convicted of fraud and sentenced to six and a half years in a Singaporean prison. During this same period, statements like the following appeared in many newspaper and magazine articles:

“One man single-handedly bankrupted the bank that financed the Napoleonic Wars….”

“The failure was caused by the actions of a single trader….”

“The activities of Nick Leeson led to the downfall of Barings….”

“Leeson, acting as a rogue trader, accumulated over a billion in losses….”

Even Leeson himself admitted his guilt, and while in prison he wrote a book on the subject, entitled Rogue Trader: How I Brought Down Barings Bank and Shook the Financial World. That book was then made into a movie, called Rogue Trader, starring Ewan McGregor as Nick Leeson. And finally, TIME magazine includes the collapse of Barings among the top 25 crimes of the twentieth century![1]

Yet these stories, newspapers, and magazines got it wrong. Yes, Leeson engaged in unauthorized trading for over two years and exposed the capital of Barings Bank to almost unlimited potential loss. Yes, he committed fraud and needed to be punished for that crime. And yes, he took full responsibility for his actions, pleaded guilty, and spent time in jail. However, the collapse of Barings Bank cannot be placed squarely, 100%, on him. This was not the crime of just one person.

Another View of the Barings Collapse

While the vast majority blamed Nick Leeson as the “lone gunman” who killed Barings, a few dissenters emerged with a different, if not more enlightened, view. One such view, surprisingly, came from the Bank of England’s Board of Banking Supervision. The Board operated under the Banking Act 1987 and was subsumed within the Financial Services Authority (FSA) in 1998 (under the Bank of England Act 1998). Immediately after the Barings collapse, the Board of Banking Supervision was requested by the Chancellor of the Exchequer to conduct an “Inquiry into the Circumstances of the Collapse of Barings” and issued its report on July 18, 1995.[2] This report paints a different picture of Barings Bank and its senior management. Rather than showing Barings management as the victim of a clever criminal of the century, the Board of Banking Supervision laid the responsibility for the collapse of Barings on the company’s Board of Directors and management.

Beyond what the Board of Banking Supervision concluded, reviewing the facts would lead anyone who understands risk management and control to conclude that Barings management allowed the bank to become bankrupt. How could this happen? Management of any thriving company would typically want their company to stay healthy and afloat. Barings management did not purposefully drive their company to bankruptcy, nor did they attempt to design a structure that would endanger company profits. This was a case of management inattentiveness and indifference, the results of which were the same as if management had purposefully driven their company to ruin. What did management do or not do? Investigations found several things, including the following:

Allowing a lack of segregation between front-office and back-office operations

No senior management involvement

Lack of supervision

Poor control procedures

Barings management allowed the lack of segregation between front- and back-office operations, a clear violation of a basic control in every business, especially banking. When Leeson was made general manager, Barings management allowed him to trade while simultaneously supervising back-office personnel—the same personnel who were supposed to independently review and process the trades executed by Leeson. What an absurdity—to be the manager of those who are supposed to independently review your work!

Even Barings’s internal audit department became involved, as they should in every corporation as a normal course of business. In 1994, James Baker, the internal auditor assigned to review Leeson’s operations, noted the lack of segregation of duties (by having the same manager supervise both front- and back-office operations) and recommended in his report that the “back office should be reorganized so that the General Manager is no longer directly responsible for the back office.”[3] Leeson agreed to this recommendation in writing and then proceeded to ignore it. No one followed up to ensure that the promised action actually took place. This is just one of many examples where senior management did not bother to involve themselves in a significant operation.

On paper, Leeson had several supervisors. In reality, he had none, mostly because no one felt fully responsible for his actions. In fact, when Leeson first began his Singapore business at Barings in 1992, James Bax, the head of Barings Securities in Singapore, complained to senior management in London that Leeson’s unclear reporting lines would create a “danger of setting up a structure which will subsequently prove disastrous.”[4] This warning was ignored, and Leeson was able to march ahead without suitable supervision or direction and without proper checks and balances. Anyone can go astray when not even minimal feedback is provided.

Finally, what control procedures did Barings have in place? At some point in 1993, Barings reportedly tried creating a risk committee to review trading positions. That effort dissipated soon thereafter. Then, in April 1994, Barings management read the news of Wall Street trader Joseph Jett of Kidder Peabody, who created false profits of $350 million, resulting in major losses for that company. In response, and like many other financial services firms, Barings management began to review its controls in an attempt to prevent a similar incident at their bank. Even though control inadequacies were found, no changes were made. This is not surprising. A company that was willing to leave a trader in a satellite location unsupervised, with management responsibility for both front- and back-office operations, would not only be lacking in control procedures but also unwilling to make the painful, yet important, changes necessary to regain some control over its risk.

Therefore, the eventual collapse of Barings Bank, whether brought into the open by the antics of Nick Leeson or by some other person, was due to the lack of controls at Barings Bank. Put another way, the collapse of Barings was due to the bank’s lack of operational risk management.
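The segregation-of-duties failure described above has two shapes: one person holding both the doing role and the checking role, and, subtler, the person doing the work managing the people who check it (the internal auditor's recommendation that was agreed to and then ignored). Both are mechanically detectable from the role assignments and the reporting lines, and a check that runs continuously is the follow-up nobody performed at Barings. The following is an added example, not code from the book or from any real bank: the user ids, the role names, the conflict table and the org chart are constructed assumptions chosen to reproduce the Barings pattern.

```python
"""Segregation-of-duties (SoD) check over role assignments and reporting lines.

Added example, not from the book: the user ids, role names and the
conflict table below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Role pairs that one person must not hold at the same time. In each pair the
# second role is the one that is supposed to check the first independently.
# Assumed names for illustration.
CONFLICTING_ROLES = {
    ("trade.execute", "trade.settle"),
    ("trade.execute", "trade.reconcile"),
    ("trade.execute", "error_account.manage"),
    ("payroll.input", "payroll.approve"),
}


@dataclass
class Person:
    user: str
    roles: set[str]
    manager: Optional[str] = None  # user id of the direct manager, if any


@dataclass(frozen=True)
class Conflict:
    user: str
    kind: str                  # "direct" or "supervisory"
    held: str                  # the role the person holds
    checker: str               # the checking role that should be independent
    via: Optional[str] = None  # subordinate holding the checking role


def subordinates(people: dict[str, Person], user: str) -> set[str]:
    """All users who report to `user`, directly or through other managers.
    The `found` set also protects against cycles in the reporting data."""
    found: set[str] = set()
    frontier = [user]
    while frontier:
        boss = frontier.pop()
        for p in people.values():
            if p.manager == boss and p.user not in found and p.user != user:
                found.add(p.user)
                frontier.append(p.user)
    return found


def direct_conflicts(p: Person) -> list[Conflict]:
    """One person holding both roles of a conflicting pair."""
    return [Conflict(p.user, "direct", held, checker)
            for held, checker in sorted(CONFLICTING_ROLES)
            if held in p.roles and checker in p.roles]


def supervisory_conflicts(people: dict[str, Person], p: Person) -> list[Conflict]:
    """The person holds a role and manages, directly or transitively, someone
    holding the role that is supposed to check it: the checker reports to the
    checked, which is the Barings pattern described above."""
    subs = subordinates(people, p.user)
    return [Conflict(p.user, "supervisory", held, checker, via=s)
            for held, checker in sorted(CONFLICTING_ROLES)
            if held in p.roles
            for s in sorted(subs)
            if checker in people[s].roles]


def sod_report(people: dict[str, Person]) -> list[Conflict]:
    """Every conflict in the population, ordered by user."""
    report: list[Conflict] = []
    for user in sorted(people):
        report += direct_conflicts(people[user])
        report += supervisory_conflicts(people, people[user])
    return report


# Constructed sample population (an assumption, not Barings' real org chart):
# a general manager who trades, owns the error account, and has the settlement
# and reconciliation clerks reporting to him, one of them indirectly.
PEOPLE = {p.user: p for p in [
    Person("london_head", {"risk.oversight"}),
    Person("gm_sg", {"trade.execute", "error_account.manage"}, manager="london_head"),
    Person("trader2", {"trade.execute"}, manager="gm_sg"),
    Person("settle_clerk", {"trade.settle"}, manager="gm_sg"),
    Person("recon_clerk", {"trade.reconcile"}, manager="settle_clerk"),
]}

if __name__ == "__main__":
    for c in sod_report(PEOPLE):
        where = f" via {c.via}" if c.via else ""
        print(f"{c.user}: {c.kind} conflict {c.held} vs {c.checker}{where}")
```

Run against the sample population, the report names only the general manager, three times: once for holding trade execution together with the error account, and twice because the settlement and reconciliation clerks sit under him in the reporting chain. The second trader is not flagged, because holding the execution role alone is not a conflict; the point of the transitive walk is that moving the reconciliation clerk one level down the org chart does not make the review independent.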

A Story Closer to Home

The Barings story is truly fantastic and one that hopefully would not be repeated at another company, if its lessons were truly and fully learned. In fact, these are life lessons that need to be applied to all parts of business. Consider the following fictional account that could be happening at your company. Granted, this is a small event, and purposefully so. Such things may happen often without your being aware of it. Perhaps what is happening at your company is not exactly like this incident, but something close….

Ken Clarkson has been very happy in his three years at Unicon Inc. He moved from operations to sales just a few weeks ago and believes that he is moving up in the company.

“Here you go, Ken.” Alicia, the sales department’s administrative manager, handed him a familiar white envelope. “Your first official paycheck in sales.”

He laughed as he took the envelope from her. While it was his first time being paid in his new department, it was the same process throughout Unicon. The envelope did not contain a check, but instead a statement of his earnings for the past two weeks, noting gross earnings, deductions for federal and state taxes, insurance and 401(k) benefits, and finally net earnings. Being a progressive company, Unicon places all of its employees on electronic direct deposit, thereby preventing losses and mistakes with printed paychecks.

“Oh, look at this,” said Alicia. “You have a second one.” She handed Ken a second envelope. “Must be some hours left over from your previous department. Or maybe it’s just your lucky day!” She laughed and walked over to another worker.

Ken knew that he was appropriately paid just two weeks earlier, so the second envelope could not be for any hours left over. He opened the first one—everything was what he expected: correct salary, correct deductions, and the correct net amount deposited into the correct bank account. He opened the second—same salary, deductions, and net amount also directly deposited into his bank account.

What should he do?

“Keep it,” volunteered a coworker. “It’s their problem.”

“No,” said a second coworker, “they are bound to catch it sometime and then you’ll be in trouble.”

“You won’t be in any trouble,” answered the first worker. “They made the mistake, and you thought one check was for your time in your previous department.”

This is not a lesson in morals. People act according to their beliefs. In real life, Ken presented the two statements to the company’s payroll department, where he was told “Thank you. We would never have caught this if you did not show us.”

You say: This does not happen in my company.

Think again.

Does your payroll department have controls to prevent double paying an employee? Do payroll employees validate what was actually paid out to what was supposed to be paid out?

You say: Our payroll is all online with no paper, so something like this can’t happen.

Think again.

Do you ever have people being hired, leaving, or changing departments? If so, then each of those events requires a manual effort by someone, and that means mistakes can happen. Additionally, is the access to your payroll system controlled so that only authorized people can make changes? If not, then further problems could occur.

You say: My payroll is outsourced, so my vendor pays for these mistakes.

Think again.

Have you read the agreement with your payroll vendor? Do you know the terms and the responsibilities of each party? Your payroll vendor is responsible only for paying out exactly what you tell the vendor to pay. You are responsible for controls to ensure that what you give the vendor is correct. To make matters worse, while your payroll department may not have such controls, it probably checks the vendor’s output against what it sent the vendor, which merely duplicates a control the vendor is responsible for performing itself.
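The three “think again” questions above (preventing a double payment, the manual hire/leave/transfer events that feed the payroll system, and the split of responsibility with an outsourced vendor) come down to two distinct automated checks: validate the register before it leaves you, and reconcile what the vendor paid against what you instructed. The following is an added example with constructed sample records, not code from the book or from any payroll product; the record layout, the HR master and the employee ids are assumptions. The validation catches Ken’s double entry, a terminated employee, an employee id HR has never heard of, and a bank account that differs from the one on file; the reconciliation deliberately flags only what the vendor did differently from its instructions, so that the two controls do not blur into one.

```python
"""Payroll controls: validate the register before it goes to the vendor, then
reconcile what the vendor paid against that register.

Added example with constructed data; the record layout, HR master and ids
are assumptions, not from the book or any payroll product.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Pay:
    employee_id: str
    period: str      # pay period label, e.g. "2009-01B" (assumed format)
    net: Decimal     # net amount to deposit
    account: str     # destination bank account (would be masked in real logs)


# HR master: who is active and which account HR has on file (constructed).
HR_MASTER = {
    "E100": {"active": True,  "account": "ACCT-100"},
    "E101": {"active": True,  "account": "ACCT-101"},
    "E102": {"active": False, "account": "ACCT-102"},  # terminated last period
}

# The file we are about to send the vendor. E100 appears twice, once from his
# old department and once from his new one, which is Ken's case above.
REGISTER = [
    Pay("E100", "2009-01B", Decimal("2100.00"), "ACCT-100"),
    Pay("E100", "2009-01B", Decimal("2100.00"), "ACCT-100"),
    Pay("E101", "2009-01B", Decimal("1850.50"), "ACCT-999"),  # account differs from HR
    Pay("E102", "2009-01B", Decimal("1700.00"), "ACCT-102"),  # terminated employee
    Pay("E103", "2009-01B", Decimal("1500.00"), "ACCT-103"),  # unknown to HR
]

# What the vendor reports it actually paid (constructed).
PAID = [
    Pay("E100", "2009-01B", Decimal("2100.00"), "ACCT-100"),
    Pay("E100", "2009-01B", Decimal("2100.00"), "ACCT-100"),
    Pay("E101", "2009-01B", Decimal("1850.50"), "ACCT-999"),
    Pay("E102", "2009-01B", Decimal("1700.00"), "ACCT-102"),
    Pay("E104", "2009-01B", Decimal("900.00"), "ACCT-104"),   # never instructed
]


def validate_register(register: list[Pay], hr_master: dict) -> list[tuple[str, str]]:
    """Input control, run BEFORE the file leaves us: (employee_id, reason)."""
    findings: list[tuple[str, str]] = []
    per_period = Counter((p.employee_id, p.period) for p in register)
    for (emp, period), n in sorted(per_period.items()):
        if n > 1:
            findings.append((emp, f"{n} payments in period {period}"))
    for p in register:
        rec = hr_master.get(p.employee_id)
        if rec is None:
            findings.append((p.employee_id, "not in HR master"))
        elif not rec["active"]:
            findings.append((p.employee_id, "inactive employee"))
        elif rec["account"] != p.account:
            findings.append((p.employee_id, f"account {p.account} differs from HR"))
    return findings


def reconcile(register: list[Pay], paid: list[Pay]) -> list[tuple[str, str]]:
    """Output control: the vendor's payments against what we instructed.
    Counts are compared per identical record, so a double payment that we
    ourselves sent is NOT flagged here; catching that is validate_register's
    job. This check only shows where the vendor departed from its input."""
    sent, got = Counter(register), Counter(paid)
    findings: list[tuple[str, str]] = []
    for key in sorted(set(sent) | set(got), key=lambda p: (p.employee_id, p.period)):
        diff = got[key] - sent[key]
        if diff > 0:
            findings.append((key.employee_id, f"paid {diff} more than instructed"))
        elif diff < 0:
            findings.append((key.employee_id, f"{-diff} instructed payment(s) not made"))
    return findings


if __name__ == "__main__":
    print("register findings:", validate_register(REGISTER, HR_MASTER))
    print("reconciliation findings:", reconcile(REGISTER, PAID))
```

Note what each control does and does not see. The reconciliation is silent about Ken’s second payment because the vendor paid exactly what it was told, which is the vendor’s contractual obligation; only the input validation, which compares the register to the HR master rather than to the vendor, can catch it. A department that runs only the reconciliation is performing the vendor’s control and none of its own.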

You say: This is not much money and will not hurt my company.

Think again.

Of course, this is a simplified example. While research on losses due to operational risks is in its infancy, when the Basel Committee on Banking Supervision’s Risk Management Group surveyed 89 banks in 2002, these banks reported 47,000 individual loss events with amounts in excess of €10,000 for 2001, or €7.8 billion in total, an average of approximately €90 million per bank. Clearly, this was just the tip of the proverbial iceberg. When these losses are categorized by event type, frequency, and amount of loss, the distribution is as follows:[5]

Loss category                                                        Percent of loss events   Percent of loss amounts
Internal and external fraud                                          46%                      23%
Other causes (processes, systems, products, damage, safety, etc.)    54%                      77%

While fraudulent activities may have exploited weaknesses in processes, systems, and so forth, they nevertheless represented less than half of the number of loss events and less than a quarter of the amounts lost. Therefore, mistakes, inappropriate controls and procedures, lack of segregation of duties, and other operational risks cost companies and their shareholders—both in tangible terms, as previously summarized, and in intangible terms such as lost productivity and lost opportunity.

Beyond the economic and reputation costs, there are even simple survival issues at stake. Witness what transpired at Arthur Andersen in the aftermath of Enron, where a global accounting firm could be forced to cease operations by the irreparable damage to its reputation caused by one incident. The thousands of employees of Arthur Andersen and Enron became unwilling victims of a series of unfortunate events, showing the cost of highly questionable legal and ethical decisions and the process and system failures they provoked.

The Firefighter and the Fire Marshal

Do you think it would be worth your while to put in simple controls to prevent such mishaps? Incidents like the ones experienced at Barings, Enron, Arthur Andersen, Daiwa, Kidder Peabody, and many others are examples of operational risk (i.e., the risk of loss resulting from inadequate processes, people, or systems). This is the type of risk people normally wish to avoid rather than incur by design.

There are times that you or your company will want to take risk. That is normal. Business risk—just taking the risk of trying to make money selling your product or service—is the first thing that comes to mind. There is also market risk, where you buy or sell stock or property and your profit is subject to the ups and downs of the market. Credit risk is another risk you might incur on purpose. You or your company may loan money to another person or company at some interest rate. You now have taken on the risk of that person’s or company’s being able to repay the loan plus interest.

However, operational risk is a type of risk that you do not want to take on. It is everywhere around us and in every action of a company—when a company agrees to mail you a book you purchased over the Internet, when a company operates a factory in a community that may complain about noise or pollution, and on and on.

Your company may be good at fixing problems when they arise. How good is it at preventing problems in the future? Prevention—that is, managing and controlling operational risk—is important to reducing a company’s costs and protecting shareholder value. Even more important is to learn how to manage this risk now, to prevent future loss incidents.

A dramatic but familiar analogy of the difference between fixing and preventing problems is what differentiates a firefighter from a fire marshal. The firefighter works very hard to put out fires, to stop fires from spreading, and to reduce the number of people and property hurt by the fire. The fire marshal is responsible for the investigation and prevention of future fires. This analogy can be applied to companies—all companies have firefighters. Do they have fire marshals?

We do not intend to improve your company’s firefighting abilities. We are sure that your company has excellent firefighters, helping to fix a problem or remediate a broken process. You may be a firefighter yourself.

We do not intend to argue for fewer firefighters. Fires will always happen, and firefighters will always be needed.

Our intent is to help your company develop fire marshals. This book will provide you with the tools needed to be an operational risk manager and to investigate your business processes in order to prevent future operational risk losses. In doing this, we will examine the following questions that are essential to a company’s well-being in the twenty-first century:

Do you understand operational risk, how it affects the bottom line, shareholder value, reputation, and even survival, and what you face today if you wish to manage this risk?

Does your company have an inventory of its key business processes with documented controls and designated senior managers responsible, and how is operational risk taken into consideration when processes are designed?

Does your company have a technology inventory with procedures and controls over application integrity, access, and data, and how is operational risk taken into consideration when technology solutions are designed or acquired?

Does your company have an inventory of its key outsourcing relationships with documented controls and designated senior managers responsible, and how is operational risk taken into consideration when entering into these relationships?

Does your company have an operational risk management or control function?

How do you or would you organize an operational risk management group in your company?

What relationship does or should your operational risk management group have with corporate management and other control areas, such as compliance, finance, and internal audit?

What corporate governance does your company use for approving, implementing, and monitoring products, services, and processes?

To what extent does your company link employee compensation or job performance to operational risk management?

Answer these questions, implement an operational risk management structure within your company, and imagine seeing the following headlines about your company over the next decade:

{Your Firm} Escapes This Year’s Accounting Scandals
Wall Street Journal, Someday, 2010

Annual Review: {Your Firm} Stands Alone in Service Excellence
BusinessWeek, Some week, 2012

Fifth Year of Record Profits for {Your Firm}
New York Times, Someday, 2015

Why Does {Your Firm} Keep Winning Awards Every Year?
The Economist, Some week, 2020

How Do We Get There?

What can one do about the risk of loss resulting from inadequate processes, people, or systems? Let us begin with people. People accomplish their work and deliver business results, good or bad, through their activities. Activities, in turn, are the building blocks of processes. If employees correctly and completely perform their critical activities and business processes in support of the business, there should be reduced opportunity for loss. So, one can say that losses incurred by people, except for blatant, willful, and malicious losses, are really losses that might have been avoided and more quickly detected if their activities were organized or monitored through more effective design and management of business processes.

Similarly, systems are generally implemented to support, enable, or otherwise facilitate business processes. Losses incurred due to systems might also be avoided through more effective design and management of the business processes calling for such systems and the system life-cycle management processes with which the systems are developed.

Finally, noncatastrophic external events, such as customer returns, especially when they appear to be trends, are probably the result of a business process that either failed to correctly determine customer needs or expectations, or failed to deliver a product or service that fulfilled those correctly known needs and expectations.

Therefore, given the foregoing, it does not seem far-fetched to suggest that designing and managing business processes is a critical factor to develop and implement successful operational risk management. In fact, since operational risk management is itself a business process, the principles of effective business process management should be applied to the design and implementation of the operational risk management process.

Over the next several chapters, tools for operational risk management and business process management will be introduced and explained. We will provide commonly used tools, plus new tools designed by the authors. Finally, by combining these new tools, a new integrated concept and framework will emerge to help risk managers—the corporate fire marshals of the twenty-first century—to be prepared. Exhibit 1.1 provides a sneak peek at this integrated framework.

We aim to help corporate fire marshals—new ones and even existing ones—who seek additional answers. This will be accomplished by first explaining operational risk management and business process management. Then, we will examine how one can integrate the two management processes into one framework. Finally, each of the several elements of this integrated framework will be explored, showing how to apply these concepts and working models into real practice. As a result, this book will help you understand operational risk, demonstrate to you the criticality of business process management to operational risk management, and deliver to you the tools you will need to successfully manage and mitigate operational risk in your business, your home, and your everyday life.

Exhibit 1.1   Integrating Operational Risk and Business Process Management

Notes

1. Howard Chua-Eoan, “Top 25 Crimes of the Century,” www.time.com, Time Inc.

2. Board of Banking Supervision, “Report of the Board of Banking Supervision Inquiry into the Circumstances of the Collapse of Barings,” London, England, 1995.

3. Ibid.

4. Barings Securities (Singapore) fax dated March 25, 1992, from James Bax to Andrew Fraser, in Board of Banking Supervision, “Report of the Board of Banking Supervision Inquiry into the Circumstances of the Collapse of Barings,” London, England, 1995.

5. “The 2002 Loss Data Collection Exercise for Operational Risk: Summary of the Data Collected,” Basel Committee on Banking Supervision, Basel, Switzerland, March 2003.