Is Your Company Poised to Address Operational Risks?
February 12th, 2007
Is your organization ready to deal with internal risks that could cause business interruptions or negatively impact your bottom line? Recently I’ve had the opportunity to talk to managers and business owners from all corners of the globe to assess their risk readiness. Here are some perspectives that could be helpful to consider.
“The Enterprise,” while we always refer to it in the aggregate, is actually composed of many different types of businesses – from online virtual businesses like eBay to electric utility companies, from oil and gas companies to financial service companies. Many of the businesses that make up the enterprise are public companies that are discovering a new set of compliance issues with the passage of the Sarbanes-Oxley (SOX) legislation and have embraced a relatively new concept: enterprise risk management.
Although SOX may have given birth to a new focus on Enterprise Risk Management (ERM), SOX is only part of a larger concern: operational risk in general. Every business, large and small, should learn to better manage its operational risk. Many tenants of the World Trade Center discovered that on 9/11, and many New Orleans companies had the same epiphany after Hurricane Katrina.
Especially in asset-rich industries, risk management is about the relationship between SOX compliance and every other government regulation passed before it and since. It is about any other strategic or operational risks a company needs to consider and how to assess both the asset and portfolio risk of the enterprise.
Operational risk management takes into account the links between the operational and the financial aspects of any compliance effort. What are the costs of compliance? What are the costs of being out of compliance? But it is more than a financial compliance and reporting mindset; it is about an integrated approach to corporate, financial, strategic and operational systems.
If the enterprise is to be protected, insofar as that is possible, more than just the ordinary financial risks must be considered. What would happen in a terrorist attack? A natural disaster? An oil spill?
A new ERM model emphasizes the need to go beyond internal financial controls and audit-related compliance: to look at the operational interdependencies and to associate the risk of these interdependencies with an organization’s strategic assets. To be successful, this ERM framework requires the use of systems and industry knowledge.
To create standardized internal controls, companies need to leverage industry-specific people and industry-proven technologies with a centralized dashboard on which an executive responsible for operational risk management (a CRO, or a Chief Security Officer) can see everything in the company for which he or she is responsible. Systems specifically used for project management, asset and service management, EH&S, crisis management and financial management should be integrated to realize the full capability for an enterprise.
Tags: erm, oil and gas companies, operational risk management, sarbanes oxley
Entry Filed under: Operational Risk Management