A new era of operational risk

Risk managers will face new challenges coming out of the pandemic

  • The pandemic has exposed major operational risks at companies in every economic sector
  • Most companies lack frameworks for managing high-impact but low-probability risks
  • Enterprise risk management tools and other tactics can help companies build risk resilience

Editor’s note: A version of this story also appeared in Workflow Quarterly: The Resilience Issue

If the COVID-19 crisis was a rude awakening for many tech CEOs, it was doubly so for enterprise risk managers.

For years, they gained experience navigating different kinds of financial crises, from the dotcom bust of 2001 to the 2008 market crash and ensuing recession. But there were no actuarial or risk models to guide them through what the pandemic threw at them—an overnight jump into remote work, employee health challenges, a spike in cybersecurity attacks, supply chain slowdowns and stoppages. The experience exposed major non-financial risks that many companies never expected or planned for.

“It was one of the biggest disruptions most companies have ever faced, and it put a lot of corporate frameworks of risk to the test,” says Tom Campanile, a partner in Ernst & Young’s financial services advisory.

Now for the bad news: The pandemic was just the start, according to Campanile and other risk experts.

Just a few months away from 2022, many businesses face another shift in the way they manage an increasingly important area of risk: operational risk. The dramatic jump in the number and severity of cyber attacks, particularly ransomware events, has sent companies scrambling for new types of security solutions. The emergence of long-term hybrid working models similarly demands new planning about risk related to human resources and IT management.

Other continuing plot twists of 2021—including the spread of the COVID-19 Delta variant—have kept the enterprise in a state of flux. When it comes to getting people back in the office, “many organizations are trying to achieve the equivalent of putting the horse back in the barn,” says Mark Nicholson, principal with Deloitte Risk & Financial Advisory, adding that risk management processes, such as incident management and fraud mitigation tactics, are under more stress than ever. “Additional controls are required, which are somewhat difficult to automate given the current circumstances.”

New focus on operational risk

Much of this is still new territory for many companies. Until last year, operational risks hadn’t been widely scrutinized and analyzed, but now they’re taking center stage. According to a 2021 study by Risk.net, IT disruption, data breaches, and resilience risk rank as the top three operational risks in the enterprise.

Managing operational risk more comprehensively is crucial heading into 2022, says Campanile. “Risk has typically been managed in silos, but connecting the dots across those risks is key and requires different disciplines, plans, and working on different time scales.”

While arguably underused, operational risk frameworks have been available for years. ISO 31000, for example, is a set of guidelines from the International Organization for Standardization that lays out principles, a framework, and a process for managing risk of any kind, financial or not. COSO, the Committee of Sponsoring Organizations of the Treadway Commission, was formed in response to fraudulent financial reporting; its Internal Control and Enterprise Risk Management frameworks are widely used to design and audit the controls meant to detect and prevent such fraud, and carry significant accounting and auditing components.

But the pandemic has exposed additional weaknesses. “The industry is still figuring this out,” says Nicholson.

Many employees in the financial sector, for example, are required to work at the office, specifically for risk management reasons; fudging accounting numbers is harder to do under direct supervision, Nicholson says.

But how will companies keep tabs on accounts with workers in hybrid environments? Some solutions simply increase other risk factors. Employee-monitoring systems can compromise privacy. Data stored on consumer devices invites security risks.

Avoiding risk traps

While most companies have processes for managing compliance and IT risks, such as service outages, many lack frameworks for handling larger but less foreseeable threats. “They often end up focusing on high-likelihood but low-impact risk at the expense of anticipating and mitigating high-impact operational risk, such as the emergence of COVID-19,” says Barbara Kay, senior director of product marketing for security and risk at ServiceNow.


Executives must assess new risks as they navigate ongoing pandemic challenges. For instance, does long-term remote work, which reduces workplace safety risks, increase compliance and control risks?

“Take a step back and focus on the experience gained and lessons learned during this disruption,” says Campanile. “What worked and what didn’t? What assumptions in your response plans were underestimated or overestimated? Where did contingency plans or risk assessments fall short?” A post-mortem assessment to identify opportunities for better alignment, he adds, “will be the foundation for revisiting the framework.”

A new approach

Digital enterprise risk management (ERM) systems can also be a helpful tool, allowing CFOs, CISOs, and others to centralize and consolidate risk management across different business functions. Tools such as desktop monitoring and configuration management, for example, “can help mitigate risk at the individual level, but what’s really needed is a high-level framework that focuses foremost on business resilience,” Campanile says. “This is an opportunity for leadership to paint a firmwide picture of vulnerabilities.”

The use of simulations can also help managers develop operational risk-assessment models. ERM platforms can conduct data-supported scenario analyses and live testing. “Tabletop” exercises, meanwhile, can involve a roundtable discussion about how to manage a hypothetical crisis. In Campanile’s words: “The intention is to play out a hypothetical scenario and use the output to strengthen existing capabilities.”
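To make the scenario-analysis idea concrete, and to show why ranking risks by likelihood alone misses the high-impact events Kay describes, here is an added example; it is not code from the original article or from ServiceNow, EY, or Deloitte. It is a small frequency-severity Monte Carlo simulation of the kind an ERM platform runs in a data-supported scenario analysis. The two risk profiles and all of their parameters are constructed for illustration, not measured data. The simulation ranks the risks once by expected annual loss and once by a tail percentile: expected loss favours the frequent nuisance risk, while the 99th percentile and the worst simulated year are dominated by the rare event, which does not even register at the 95th percentile.

```python
import math
import random
from typing import Dict, List


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from a Poisson(lam) distribution (Knuth's method).

    Adequate for the small rates used here; the standard library has no
    Poisson sampler of its own.
    """
    threshold = math.exp(-lam)
    k = 0
    p = 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(rng: random.Random, events_per_year: float,
                           severity_median: float, severity_sigma: float,
                           trials: int) -> List[float]:
    """Simulate `trials` years of aggregate loss for one risk.

    Frequency is Poisson; each event's severity is lognormal with the given
    median and log-sigma (a common shape for operational losses: most events
    are modest, a few are very large).
    """
    mu = math.log(severity_median)
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, severity_sigma)
                          for _ in range(n_events)))
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Expected annual loss plus the 95th/99th percentiles and the worst year."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "expected": sum(ordered) / n,
        "p95": pct(0.95),
        "p99": pct(0.99),
        "worst": ordered[-1],
    }


# Constructed risk profiles for illustration (hypothetical, not measured data):
#  - "frequent": ~12 incidents a year, median cost $5k (e.g. routine outages)
#  - "rare":     ~1 event every 33 years, median cost $1M (a pandemic-scale disruption)
RISK_PROFILES = {
    "frequent": {"events_per_year": 12.0, "severity_median": 5_000.0, "severity_sigma": 0.5},
    "rare": {"events_per_year": 0.03, "severity_median": 1_000_000.0, "severity_sigma": 0.8},
}


def compare_risks(trials: int = 20_000, seed: int = 42) -> Dict[str, Dict[str, float]]:
    """Run the scenario analysis for every profile with a fixed seed."""
    rng = random.Random(seed)
    return {name: summarize(simulate_annual_losses(rng, trials=trials, **params))
            for name, params in RISK_PROFILES.items()}


if __name__ == "__main__":
    results = compare_risks()
    for name, stats in results.items():
        print(f"{name:>8}: expected ${stats['expected']:>12,.0f}  "
              f"p95 ${stats['p95']:>12,.0f}  p99 ${stats['p99']:>12,.0f}  "
              f"worst ${stats['worst']:>14,.0f}")
    # Ranked by expected loss, "frequent" comes first; ranked by p99 or worst
    # year, "rare" comes first, and "rare" shows $0 at p95 because it strikes
    # in fewer than 5% of simulated years.
```

Two caveats a practitioner would add. The dollar figures mean nothing; the comparison between ranking metrics is the point, and a scenario analysis is only as good as the frequency and severity assumptions fed into it. And for a genuinely unprecedented event the historical loss data needed to fit those distributions may not exist at all, which is the gap the risk managers quoted above ran into with the pandemic; in that case the inputs come from expert judgement and tabletop exercises, and should be labelled as such.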

The Dodd-Frank regulations, passed in the wake of the 2008 financial crisis, showed that new risk measures are usually imperfect, and managing risk is an increasingly complex discipline. “We’re at the intersection of data, identity, expectations of privacy, ethics, and more,” Nicholson says. “It’s playing out at a rapid pace, but I don’t think we’ll see a resolution for up to a decade.”