Two stories in the news recently that highlight failures in risk monitoring have caught my eye: one involving a listeria outbreak caused by tainted cantaloupe, and the other involving Citigroup losing $285 million for defrauding investors.
In the cantaloupe story, the deadly, nationwide listeria outbreak was traced to a packing facility in Colorado operated by Jensen Farms, where factors such as workers and trucks accidentally carrying the bacteria into the facility, and machinery that was hard to sanitize, created an environment in which the bacteria could grow and thrive.
In the Citigroup story, the Securities and Exchange Commission (SEC) settled a civil suit against the banking giant totaling over a quarter billion dollars for failing to tell investors about the role of their investments or that it had made bets that the investments would fall in value. Charges like these have continued since we first identified the issue in 2009 and saw it happen to Goldman Sachs in 2010.
So what do cantaloupe and Citigroup have in common?
Both Jensen Farms and Citigroup were in compliance, yet failed to have effective risk monitoring in place.
The packaging facility that caused the outbreak was audited two days prior to the outbreak and received a passing grade of 96 out of 100, so their facility was in compliance. Despite passing, the conditions causing the outbreak were still present.
In Citigroup’s case, the investments themselves were in compliance with regulations; however, it was the lack of risk disclosure that resulted in a loss of $285 million and a tarnished reputation.
The lesson to be learned from both of these cases is that just being in compliance is simply not enough. Organizations must additionally be able to fully assess, mitigate and monitor risks across all business functions and through every material level as well as see their connection to business performance.
The first step in seeing across silos and levels and seeing the link to business performance is evolving your organization’s risk taxonomy. Your taxonomy is the framework that manages the relationships between risks, activities, and goals and defines your organization’s standards, assumptions, and terminology.
While spreadsheets are still an excellent tool for data manipulation and one-dimensional analysis, they fall significantly short of delivering the capabilities a risk manager really needs to analyze trends and see the relationships the job entails.
The limitations of spreadsheets versus ERM software are systemic and largely stem from the way they manage data, their inability to easily show relationships, and their general inaccessibility.
Risk management is an iterative process that requires collecting a great deal of information to glean the necessary insights. This often results in dozens of spreadsheets and documents each with multiple versions and revisions.
Not only does this impede the process of combining data into a coherent big picture, it also means any change to the data structure becomes a major undertaking. Dependent on spreadsheets, risk managers will spend countless hours validating data, double-checking formulas, and updating values instead of spending that time on much-needed evaluation and mitigation.
Risk analysis is not a static process; it’s dynamic and highly strategic. Assessment structure, information, and the people involved evolve over time as management’s requirements and priorities change.
Spreadsheets, however, are rigid. With each change to a spreadsheet, links between information are lost, making it very difficult to analyze relationships over time. Without these relationships, how will you link risks and their controls to your organization’s strategic goals?
What’s worse, spreadsheets can actually limit the depth of risk analysis. You can only analyze the relationships your risk tools can uncover. Spreadsheets offer limited access to past and current data, they do not let you easily aggregate and dissect information, and they require a high level of technical knowledge to compare data over time.
Simply put, spreadsheets prevent an understanding of the dependencies and consequences between departments, processes, and strategic goals. Without these connections it’s impossible to see how multiple risks can come together to create a disaster like the BP oil spill or the Japanese nuclear crisis.
Risk management isn’t something that can be done in isolation. The information risk managers collect and analyze needs to be accessible to the rest of the organization. Spreadsheets, however, aren’t accessible to business intelligence software, to management, or to other support functions that could benefit from that data.
The result is a risk management function without support from management and an organization with an abundance of duplicate tests, controls, and information. Risk managers need to be able to aggregate and access information across business silos and multiple levels in order to engage the right people with the right information.
Risk management requires dynamic tools that can organize and link data automatically, analyze dependencies and consequences enterprise-wide, and be accessed by decision makers and other silos.
The solution is ERM software with a robust risk taxonomy that can organize risk information all in one place, link the relationships between data, and be accessible to the rest of the organization. Identify duplicate tests and controls, uncover the complex relationships between risks, and make that information accessible to decision-makers with one shared risk management platform.