Four Challenges to Effective Ops Risk Reporting – and Tips to Overcome Them

Posted by Brian Barnier, ValueBridge Advisors

“Our execs say our reports ‘make my head hurt.’” “Business line leaders think my reports sound like Charlie Brown’s teacher ‘wa-wawa-wa-wa.’” “How do I better engage ‘the business?’” Through live workshops and webinars, I received hundreds of questions this year. In operational risk reporting, four challenges emerged as big obstacles to providing insight for action. Let’s take a look at what traps pose dangers and tips to get out of them.

The first two challenges deal with getting the “right information.”

Right Information

The first challenge is getting the right quality and amount of information. This is a bit of a double whammy. In rare event types, institutions are short of data. In more frequent events (such as a polling hundreds of controls), they are overwhelmed with data points that are difficult to structure, compare or get to an actionable level of detail. In other types of events, they may be flying blind.
Typical Trap: For rare event types, institutions create “synthetic data” with statistical techniques (with the problems documented elsewhere). In the more frequent events, institutions are overwhelmed. Another trap is looking only at control type data (trading limits verified), rather than environment threats (trading volumes spiking and overwhelming systems).
Tip: Here, a frequent solution to the data management problem is automation tools. These can save huge time and cost in cleaning, aligning and managing volumes of data. Yet, jumping to tools before understanding the nature of the data can create the “slaves to the machine” syndrome (and get flaming emails sent your way). Worse, it can divert attention from fixing problems.

The second challenge is getting a picture of how events unfold in real life.
Typical trap: Those institutions that primarily take a “controls and compliance” view of ops risk can get trapped into looking more at what happens at the end of a chain of unfolding events (a litigation loss), rather than looking at earlier causes (customer service representatives struggling to answer new product questions) in the chain. If your car dies while driving down the highway, then that is a data point event. With this view, they can’t get to an actionable level of detail for other rare or frequent loss events. Controls or indicators on root causes are what matter – engine oil, cylinder pressure, air flow, oil pressure, gas in the tank -- they give you a chance to reduce the impact and consequences of an unfolding chain of events. This becomes crucial to understanding the difference between threats, events that occur when threats are realized, impacts and further consequences. Confusion in these points often leads to dramatic errors in risk estimation. A classic example is "reputation risk." Damage to reputation is a consequence, not a risk. Click here for an example of a simple event chain.
Tip: The good news is that one tip can address problems with both rare and frequent events. By using “root cause” analysis techniques, an ops risk leader can: 1) create a much more frequent and actionable data set than rare major frauds or litigation loss events; and 2) sort through the mountain of more frequent data points to get to the source of problems and key causes of snowballing chains of events. In addition, for those events that are not controllable, the analysis will point to preparedness actions.
Bonus Tip: While there are many books written on these techniques, it matters how they are applied. Workshops with cross-functional teams are far more effective and efficient in getting to actionable data than asking a few analysts to come back with diagrams.

In the next article, we’ll take this to the next step and look at two challenges in reporting in the “right way.” As a bonus, we’ll touch on a table that makes insight easier by pointing to root causes that lie at the source of multiple problems.


About the Author: Brian Barnier is a principal at ValueBridge Advisors. He has worked in both business line and IT roles. He researches, teaches and writes on business-IT effectiveness. Brian served on the international task force that created Risk IT and chaired ISACA’s IT Governance, Risk and Compliance Conference. He contributed to the Wiley & Sons book, Risk Management in Finance. Contact him at brian@valuebridgeadvisors.com.


This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.