Modern Operational Risk: An Actuarial Perspective

Following close on the heels of ISO 31000 Risk Management, the Society of Actuaries has published an extremely interesting and valuable paper, “A New Approach for Managing Operational Risk – Addressing the Issues Underlying the 2008 Global Financial Crisis”.

Quite correctly, the paper points out that most of the failures resulting in the recent global financial crisis were in fact operational in nature. By implication, operational risks are predictable and avoidable or at least manageable. That insight alone should reverberate among GRC professionals. Control testing does not manage operational risk.

The paper suggests a shift to what they call “Modern ORM” from today’s flawed “Traditional ORM”. The advice is pragmatic and well supported.

As one might expect in a paper by actuaries, there is some quantitative support for their position, and most GRC professionals should be able to follow the logic.

But what’s going to keep this paper from being added to the clutter of GRC frameworks that already exist? There are dozens of papers and frameworks, not all of equal merit.

It’s good to have a better way of calculating operational losses. But will this paper contribute to eliminating catastrophic corporate failure?

The aviation industry has driven down aviation failure continuously for decades. They have done so by continuously assessing Context risk (where can failure occur), Event risk (what can go wrong) and Behavior risk (will people perform) and imposing an integrated framework to deal with the results.

It doesn’t do much good to reduce engine failure if the wings fall off or the pilots don’t know how to cope with emergency conditions.

This paper provides valuable insight. The actuarial profession clearly has plenty to say and they know how to say it.

If they want to drive down corporate failure, the Society of Actuaries should ask for a place at the COSO table.
COSO began with the goal of reducing fraudulent financial reporting. I don’t think they have succeeded. But I’d suggest they raise their sights and expand their mandate. We need to drive down catastrophic corporate failure and we need an interdisciplinary approach to do it.

Actuaries would help immensely if they would apply some of their insightful thinking and quantitative techniques to the study of control failure and better control design. I’m convinced that our knowledge of internal controls is not far removed from naturopathic medicine: good intentions, strong belief, practitioner judgment, but few facts. (For example, just how good is segregation of duties as a control? Statistically how long can segregated duties be expected to last in any situation? What is the average error rate in account reconciliations or journal entries?) I’m convinced much of what we “know” to be true about controls is based on belief and not fact. Control management is at least as important as risk management and there have been few innovations or new insight in decades. We need help here.

Finally, I believe far more study is needed to understand and manage Behavior risk. One of the lessons from the aviation industry is the fact that statistically most aviation catastrophes have their roots in human failure and human failure can be dramatically reduced. Whether this requires actuarial skills or psychological skills, it certainly requires clear, concise thinking, and the actuaries have proven they are more than capable of that. The paper clearly recognizes the role of human failure but does not add much insight. We need help here.

This paper is a great starting point. But left alone it will end up on the bookshelf with all the other insightful but partial solutions. This paper is too good to let that happen.
