eBook - ePub
Operational Risk Management
Organizational Controls and Incentive System Design
Jasmijn Bol, Jenna M. Blanche
This is a test
Share book
- 150 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Operational Risk Management
Organizational Controls and Incentive System Design
Jasmijn Bol, Jenna M. Blanche
Book details
Book preview
Table of contents
Citations
About This Book
To remain viable, let alone competitive, organizations must manage risks. In this book, we explore the concept of operational risk as well as the mechanisms used to diminish the impact and occurrence of risks: the organizational control system. Since the scope and scale of operational risks are unique to each organization, our objective is to explain the theory behind why and how managers respond to the unique combination of threats that challenge their organization. We emphasize employee management and the complexities surrounding the design of management controls, incentive systems in particular, because risks related to employee actions are faced by virtually every organization. Overall, we provide empirically grounded insights into the process of diagnosing operational risks as well as designing, implementing and maintaining a control system that properly manages those risks.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlegoās features. The only differences are the price and subscription period: With the annual plan youāll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weāve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Operational Risk Management an online PDF/ePUB?
Yes, you can access Operational Risk Management by Jasmijn Bol, Jenna M. Blanche in PDF and/or ePUB format, as well as other popular books in Business & Managerial Accounting. We have over one million books available in our catalogue for you to explore.
Information
PART I
Operational Risk Management
CHAPTER 1
A Structured Approach to Risk Management
There is no one-size-fits-all control system for organizations. There are only control systems that best match organizational needs. Risk management, therefore, requires decision makers, usually managers, to intimately understand their organization and the factors that influence control system design. This is a complex and challenging task; thus, we put forth a step-by-step process to provide a structured approach to risk management. Unstructured attempts to manage risk can easily become overwhelming, causing decision makers to reach faulty conclusions that make the achievement of strategic objectives less likely rather than more.
Our recommended approach is logically structured, empirically supported, and consists of four essential steps:
1. Understand the organizational strategy
2. Define the control objectives
3. Identify and assess the risks
4. Implement the controls
As will become clear, risk management is a perpetual process. To that end, managers should repeat these steps regularly or, if conditions warrant, promptly.
We will now discuss the first two steps of the risk management process: understand the organizational strategy and define the control objectives. In the following chapters, we will continue our discussion with steps three and four.
Step 1: Understand the Organizational Strategy
An organizational strategy determines the direction and scope of a firmās operations over the long run as well as how resources are allocated to meet the needs of stakeholders, such as customers, investors, employees, communities, and so on. The strategy defines the organizationās unique market position and communicates how capabilities and resources should be combined and leveraged to create competitive advantage. When top managers set out to determine the strategy, they typically start by considering numerous factors, such as the market dynamics, the core competencies of competitors, and the availability and constraints of firm-specific resources. Based on these considerations, top management formulates a strategic plan that will allow the organization to successfully compete in the market. Broadly speaking, the strategy declares āwhere the organization wants to goā; it is the roadmap to the achievement of organizational objectives.
Organizational controls and the control system, on the other hand, focus on the implementation of the strategic plan. They aim to increase the organizationās likelihood of achieving its objectives by providing structure and guidance along the path to success. Whereas the strategy can be viewed as āwhere the organization wants to go,ā the control system can be viewed as āhow the organization can get there.ā Now it should be readily apparent why decision makers must start the risk management process by understanding the organizational strategyāif you do not yet know where you want to go, it does not make sense to figure out how to get there! Or as the great stoic philosopher Seneca said, āif a man knows not to which port he sails, no wind is favorable.ā
Distinguishing between strategy and control should provoke another realization: Even though control systems are designed to get the organization where it wants to go, a well-designed control system does not guarantee the accomplishment of this goal. The strategy is an equally essential element of organizational success. If a strategy is lacking, even the best execution could prove futile. That is, a well-designed control system by itself will not lead to organizational success; a viable strategy is a critical prerequisite. Furthermore, managers cannot deduce the quality of the control system from the success of the firm. Some organizations fail simply because of flawed strategies, independent of their control systems. Other organizations might be profitable, at least in the short run, without reliable control systems. Such is the case when a firm is the sole provider of a good or service. For example, in the United States, each state typically grants a single company a monopoly over telephone services in any given prison. Since customers have no alternative, the service provider can raise prices without repercussions to remain profitable. Therefore, profitability is not always a true reflection of a well-designed control system.
In practice, organizations do not always formalize a strategy before focusing on the execution. Strategy development can be an emerging process in the sense that the strategy is slowly established over time rather than in a single, definitive step. For example, a business might start out selling flooring, such as carpet or tile, to commercial and residential properties; but when buyers begin to insist on repair services rather than replacement products, top management decides to move into the service sector, offering floor cleaning and repair for homes and businesses. Sometimes a successful control system can actually drive a change in strategy. Imagine a textile producer that is able to make fabrics that are of significantly higher quality because of its superior quality control system. This competitive advantage might be what prompts the organization to move into the high-end segment of the market. Nevertheless, whether a strategy is tried and true or is still emerging, there needs to be consistency between what the organization is trying to achieve at a given point in time and its control system.
Step 2: Identify the Control Objectives
The second step in our structured approach is to identify the control objectives. A control objective is a desired outcome or condition for a specific action or set of actions. Moreover, control objectives provide management with a basis for identifying risks and evaluating the effectiveness of controls. Naturally, organizations have many control objectives. Some will be vital to maintaining a safe and productive operation, while others will merely provide additional support; but, if realized, all should increase the likelihood that the strategic organizational objectives will be achieved. As with the strategy, each organizationās control objectives are unique. There are, however, a few fundamental conditions that the decision makers should always keep in mind.
First, control objectives must be consistent with the organizational strategy, meaning the priorities of the organization need to be reflected in the control objectives. Think, for example, of two organizations that both produce handbags. Company A is a luxury brand. Its purses are fashionable and made of the highest quality material and, in turn, the organization can charge a premium price. Company B, on the other hand, is competing on cost in the low-end of the market. Its purses are by no means the same quality as those of Company A, but the prices are much lower. Each organization will want to have both quality and cost control objectives for their purse-production process. However, because control objectives should align with the strategy, Company A should have much higher standards for its quality control than Company B. If the quality of the premium purse is not worthy of the price, there can be very severe reputational consequences with a long-term financial impact. Comparatively, for Company B, it is more important to control costs. If its production costs are not properly managed, the organization will likely operate at a loss due to its slim margins. Thus, control objectives need to flow from the strategy, reflecting the priorities of the organization.
Second, control objectives need to be explicitly defined. Specificity in control objectives is a necessary condition in order to link the objectives to the specific risks that are identified later in the risk management process (see step three.) Management must specify objectives relating to all the aspects of essential operational activities. To that end, the organizationās activities should be partitioned in different ways, such as by division, department, project, process, and task. For example, an e-commerce company will want to have control objectives for not only the transaction process but also the task of backing up user data. Ideally, control objectives will be defined such that all the subobjectives serve the overall strategic objectives. As one would expect, an organization will compile a long list of control objectives, of which a few could easily be overlooked. Therefore, it is important that this step is performed at multiple levels, for example, organizational level, regional level, departmental level, and so on, to ensure all the necessary control objectives are defined.
Risks are inherent within an organization at all levels and in various facets. Therefore, managing operational risks is not solely a task for top management; it is the responsibility of the entire workforce. When it comes to establishing control objectives, ideally, the manager and the key employees of the specific unit, project, or process are involved. However, it is also critical that top management receives an overview to ensure that no control objectives fall through the cracks. For example, when each department head is focused on defining the control objectives for the functions specific to their department, some broader objectives could easily be missed, as each department head may assume a certain task falls under the purview of another manager. Top management also needs to make sure that efforts are not duplicated. For instance, each department might consider ensuring the physical security of their space a major control objective, yet having each department separately manage the risks associated with this objective would be a mistake. It is more efficient to define control objectives for the physical security of all locations of an operation. Thus, control objectives need to be specific, but if they concern the entire organization equally, the objective should be stated at the organizational level.
CHAPTER 2
The Risk Concept
Before we continue with our structured approach to risk management, we need to facilitate a strong theoretical understanding of risk. People generally claim to know what āriskā is, but this conventional knowledge tends to be very inconsistent and incomplete. For example, āchance of loss,ā āpresence of threats,ā and āopportunities whose rewards are not certainā are some common ways people define risk. Under further examination, however, these definitions all seem to fit risk but do not perfectly overlap. As a result, in order to work with the risk concept, we must first establish a complete definition.
The Risk Concept
In this book, we follow Yates1 and define risk as a construct consisting of three critical elements:
1. The potential for loss
2. The significance of that loss
3. The uncertainty of that loss
Potential for Loss
Loss is the deprivation of an outcome formerly possessed or expected to be acquired. When a person experiences a loss, he or she is left with less than he or she had or could have obtained. In general terms, the situation that an individual is left with is less desirable. Importantly, when assessing whether losses can or have occurred in an organizational setting, managers should define loss in broad terms. Loss in value obviously is the primary concern, but value is not strictly a financial term. Performance loss, where processes, materials, or products do not operate as intended, is another type of loss. For instance, a factory will be subject to enormous performance losses if its production equipment stalls, leaving idle workers and reduced capacity. Reputational loss also is a common cause for concern. Actions or even inaction can lead to an organization losing its reputation as, for example, a reliable producer or a socially conscious company. Another potential loss is that of time. An organization loses precious time when operations are inefficient or require rework. Although all of these losses ultimately translate into financial setbacks, considering loss strictly in financial terms may cause some significant operational threats to go overlooked until it is too late. Effective risk management requires proactive efforts, so waiting until a loss has a measurable financial impact may cause harm that could have been avoided. Furthermore, the inability to put an exact dollar value on a loss does not mean it should be regarded as insignificant. For instance, we do not need to put a number on the loss of human life to understand that it is critical to protect it.
References
In order to determine if the current outcome is a loss, the outcome must be compared to something else. We call this āsomething elseā the reference outcome or, simply, the reference. Any outcome that is more preferred to the reference is a gain and any outcome that is less preferred is a loss. Thus, whether an outcome is considered a gain or a loss depends on the reference used. To illustrate, when receiving a B grade on a class assignment, a student may compare it to the best possible grade, an A, and feel that his or her grade is a loss. However, if the student compares the B to the class average of a Bā, the student could perceive his or her grade as a gain. Instead of the average of the class, the student could also compare it to the average of his or her academic performance thus far. Obviously, there are many different references that can be used to make a loss/gain determination. Again, we follow Yates2 who distinguishes several types of references:
ā¢ Status quo reference: A status quo reference is whatever a person presently has. In our student example, this would be the studentās grade in the class leading up to the assignment.
ā¢ Personal average reference: A personal average reference is an outcome representative of those an individual has experienced most often in the past and, therefore, reasonably might expect in the future. In our example, this would be the studentās GPA.
ā¢ Social expectation reference: A social expectation reference is an outcome that people who are important to an individual expect the individual to achieve. Continuing with our example, parents might expect their child to be an A-student and anything less would be a disappointment and, thus, a loss for the student.
ā¢ Target reference: A target reference or aspiration level is an outcome a person actively works to attain. Some targets are established solely by individuals for themselves. In other situations, targets are set by other people. In the case of grades, it can be the target grade that a student set for him or herself, or it can be the average grade required by scholarship provisions.
ā¢ Best-possible reference: A best-possible reference is the most attractive outcome that is possible in the given situation. In the U.S. grading system, that is an A, while in many European countries, the best possible grade (ref...