How to use operational governance to create sustainable business value

About Operational Risk Management  

Governance, risk & compliance (GRC) programs were initially regarded as added, unnecessary expenses that didn't drive real business value. These original GRC efforts were primarily focused on financial objectives and often exposed a ‘just to pass’ culture towards regulatory compliance.   

Since those early days, organizations have realized that identifying and controlling risks strengthens the company. Corporations recognize that increasing transparency of operational processes and risks is a responsible approach to protecting them from costly hazards and creating added value.   

GRC, when treated as a holistic endeavor, helps govern companies by reconciling financial objectives and business strategy with operational tactics and execution. It provides reasonable assurance that risks are fully identified, monitored, and managed so they are controlled to best meet corporate goals and policies. 

This new approach to GRC reinforces operational governance as a complement to financial management. Combining the two is the best way to improve decision-making in the risk environment and ensure better long-term performance.   

This article discusses how operational governance sustainably strengthens GRC programs. It focuses on three steps to implementing a program to create visibility into a company's infrastructure and effective operational risk management (ORM). 

ORM is back in the spotlight for financial institutions 

As significant businesses experienced operational crises in recent years, it became a wake-up call for many institutions to change how they managed operational risks. These events showed the need to understand risk exposure across the organization comprehensively.   

They also revealed how difficult it was for institutions to have a clear, integrated view of operational risks because information and data in business lines were usually siloed, with little sharing. Before the economic crisis, ORM was addressed in some regulations.   

Basel II defined how banks could better guard against risks and established ORM as a fundamental requirement. However, financial institutions should have dedicated more resources to ORM because their primary goal is to address financial risks.   

Knowing the economic crisis was caused by financial breakdowns and operations failures, companies slowly realized that ORM initiatives are essential for success. 

Companies often react to losses – or the fear of losses – by implementing more controls than are necessary or appropriate to ensure that an event doesn't occur. While adding rules may prevent a future loss, the cost of excessive powers may be too high concerning the risk, significantly if the ultimate goal is improved business performance. 

In addition, controls may decrease the flexibility and agility necessary to meet business challenges. The real challenge is implementing the right level of efficient and effective management to manage operational risks and maximize performance within the boundaries of legal restrictions and risk thresholds. It balances what is necessary and what makes the most sense. 

Operational governance is based on a comprehensive understanding of the organization 

The first step in establishing an operational governance program is obtaining a firm understanding of the company and a clear view of organizational roles, responsibilities, and ownership to clarify accountability.   

This demands enterprise-wide knowledge, which a business process-based approach can deliver. This approach to operational governance provides a clear understanding and accurate knowledge of the company structure, providing managers with a complete view of how the organization runs. 

It offers the added benefit of the company accounting for variables, employee actions, the impacts of new projects, and other vital factors. The next step in establishing operational governance is to define policies, describe them as specific processes and operations, and include them as an integral part of best practices.  

Once again, understanding business processes and operations facilitates the development of an approach that is fully aligned with goals and quickly adopted by stakeholders. Finally, in operational governance, communication is essential.   

While policies may be defined, if they aren't communicated and understood, the problem of failed execution may still exist. The final step is to share the guidelines and then monitor and evaluate whether and how well they have been completed. 

Step 1 of implementing operational governance: Roles, responsibilities, and ownership 

Operational governance starts with clearly defining roles, responsibilities, and accountability. This establishes who is responsible for which decisions and corporate and business unit executives' roles in the process. Support for operational governance begins with the board of directors and is transmitted to all levels of the organization through education and communication.   

The board sets up the enterprise's financial targets. It defines the mission, fundamental objectives, risk appetite, and risk management strategy. While roles and responsibilities for risk, control, audit, and compliance functions may differ slightly from one company to another, business line managers must be integrated into this process in all cases. Managers are expected to improve risk and control self-assessment for their departments and align with the overall risk management strategy.   

Then, they must monitor the process to ensure that policies are followed. With a responsible, accountable, consulted, informed vision – known as RACI – managers are liable for risks and for creating action plans to monitor and mitigate them.   

This group must include risk management as a critical element of their job and develop a risk culture and awareness among their employees. The board must ensure that all accountabilities are met as defined. They and the risk, compliance, audit, and control functions and business line managers must collaborate closely to ensure sound decisions. 

Step 2 of implementing operational governance: Policies and practices 

Operational governance programs define and formalize a company's policies or how it needs to work concerning its objectives. These programs set out how to communicate these objectives, practices, and knowledge.  

Compliance and ORM initiatives, as integral parts of GRC programs, can be considered an investment opportunity that provides better corporate transparency, accountability, and financial security, not a costly constraint. 

Better ORM requires effective operational governance 

Recent failures at Credit Suisse, Silicon Valley Bank, and FTX are reminders that sound operational risk management (ORM) is no longer optional. These events raise serious questions about the effectiveness of the supervision and execution of controls by those institutions.  

Part of the challenge involves recognizing that, even with the right level of risk policies and controls, people within the organization might not follow recommended actions because they aren't aware of them, don't see the benefits, do not understand them, or are not appropriately trained.   

A comprehensive ORM program requires a robust operational risk methodology to define the company’s risk profile and culture. This demands a strong understanding of company processes and operations. This clear view across the company will provide all stakeholders with the information they need on ORM policies, accountability, and execution requirements. 

Operational governance is centered on critical operating decisions made by executives and managers and follow-through on the execution of policies. It presents a framework for managers to improve how decisions are made and carried out and contributes to better ORM. 

Including operational governance in GRC programs allows the company to adjust processes and transformation operations, anticipate future events, foster a company risk culture, and manage issues that can result in unforeseen risks. 

Shared and centralized policy information is a foundation for operational governance. This essential information must be accessible throughout the organization to eliminate the problem of siloed groups operating independently.   

GRC programs rely on a shared information repository to centralize and provide widespread access to consolidated, up-to-date risk and control information. This ensures a comprehensive approach to operations, completing the value chains owned by managers. 

A clear definition and transparent communication of policies and procedures with employees and stakeholders ensure that operations are aligned with strategies and objectives. Employees must understand the dos and don’ts within the corporate environment.   

It shows whether the company has successfully provided the knowledge individuals need to execute correctly. 

Step 3 of implementing operational governance: Communication 

Communication is essential for operational governance programs to continuously provide up-to-date and relevant information adapted to ongoing business needs. A focus on risk perception, attitudes, behavior, and communication ensures the accountability of everyone in the company.   

While people may understand policies and procedures, it is vital to make sure that they know how to carry them out properly. Clear deliverables and collaboration processes must be defined with stakeholders to ensure adequate communication for business users.   

Companies with operational governance programs typically provide a continuous training program to ensure that the entire workforce is educated about the importance of ORM. GRC programs help facilitate this through training, where surveys and testing can objectively measure how well policies are understood and adopted.  

Effective and constant communication programs help to reinforce collaboration. The easier for individuals and groups to work together, the greater the enterprise benefits. With a united workforce, risks can more easily be identified and managed. 

Conclusion 

In conclusion, operational governance is crucial to successful GRC programs that help companies achieve their objectives and mitigate risks. By implementing an effective operational governance program, organizations can comprehensively understand their infrastructure, define policies and practices, and improve communication and accountability. 

This approach to GRC reinforces the importance of operational risk management. It strengthens the overall risk management strategy of a company. Focusing on operational governance can ultimately lead to better decision-making, improved long-term performance, and increased transparency and accountability across the organization.