The Intersection of Compliance and Risk Management

In our industry, success or failure is predicated on the foundation of trust built with customers. Because of this, financial institutions have long placed value and scrutiny on operational risk management. Operational risk management is not a new concept, but several factors, including advances in technology, have increased the focus on it and given it new urgency. Among them are regulation: Legislation such as Sarbanes-Oxley, the Bank Secrecy Act, Basel II and PCI Data Security Standards are creating a need for reexamination and transformation of how risks are managed in highly complex, rapidly changing technology environments. Security: Threats such as malware have introduced a new wave of risks that cost businesses $13.3 billion in 2006. And, finally, globalization: Offshoring has introduced new challenges to risk management.

Time to market and balancing the need for 24x7 availability, real-time execution and faster development cycles can cause businesses to overlook obvious enterprise-wide risks. Businesses must manage risk based on a culture that fosters accountability at all levels of the organization and a model that makes it easy for customers. As businesses develop risk-management initiatives, they should keep the following in mind:

* Start every decision with the customer. Make sure customer ease-of-use is an integral part of the plan.

* Culture trumps everything. Create an environment that makes everyone accountable.

* Don’t make risk a siloed function. It has to be an integral part of the business.

* Get the right risk people. People should manage risks, not frameworks and policies.

* Put risk management where it belongs. Resist creating broad risk policies that have little or no impact.

* Create business partnerships – combine business knowledge with risk knowledge. Ensure that any risk-management strategy aligns with the business and that the risk function is not viewed as merely the “police” or “order takers.”

* Stop recreating processes; process for process’s sake takes focus off the real issues.

* Don’t treat every risk the same. Apply the right strategy to the appropriate situation.

Businesses must develop a strategy based on improving risk management and not just creating risk administration. Technology can make it easier for customers and employees to do business and help an organization integrate risk management into its culture.

(c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com

