Storage & Clustering Community Blog

Stakeholders, Accountability and Operational Risk

Created: 08 Jan 2013 • Updated: 11 Jun 2014
Author: dennis_wenk

Stakeholders are becoming increasingly concerned about accountability and the management of operational risk. Regulations such as HIPAA, Sarbanes-Oxley, and Basel II place more stringent requirements on corporate governance. More and more technology is embedded in the operating fabric of the organization and, in many respects, the technology is the organization. Amazon and eBay are outstanding examples of businesses created by, and totally dependent on, technology. It is this reliance on technology, and the escalating dependency on interconnected infrastructures, that has raised the exposure to business interruptions. The interdependencies ripple through the organization and outward to its major stakeholders: customers, suppliers, lenders, and partners.

At the same time, non-conventional threats such as denial of service, hacking, and the attacks of September 11th, 2001 changed the very nature of operational risk instantly and on a scale not previously envisaged. These new threats seek out and exploit the vulnerabilities in an organization's soft underbelly. Short-term interruptions, once considered minor, can now quickly mushroom into financial losses as serious as those of a major disaster.

Widely publicized accounting irregularities and high-profile incidents intensify stakeholder concerns. The financial debacles at HealthSouth, Enron, and WorldCom fed stakeholder doubts by exposing dubious internal controls that aggravated operational risk. The sudden demise of Arthur Andersen, one of America's best-known professional services firms, raised doubts about independent oversight as well. Stakeholders are concerned because today's business environment appears to rest on a sensitive technical platform with soaring exposures, operating without the safeguard of adequate control or oversight.

At the foundation of this stakeholder concern lies operational risk and the lack of its effective treatment by business management. Many managers appear to be tilting at the windmills of guesswork and "best practices" rather than taking a businesslike approach to managing the growth of operational risk.

Managers are under great pressure to cut costs, and often do not know how to build a strong business case for the expenditures needed to achieve regulatory compliance and manage risk. Success in dealing with risk requires more than guesswork and luck. Competent managers know how to keep the odds in their favor when they must gamble. As the great philosopher Immanuel Kant said, "We have a duty, especially where the stakes are large, to inform ourselves adequately about the facts of the situation." The stakes in today's business environment are particularly high, and a bad choice about operational risk could be fatal. Risks need to be measured, but many managers doubt that this can be done.

Without a measurement of risk, however, managers resort to intuitive judgments: little more than stabs in the dark, and certainly subject to error. Rapid, intuitive judgment substitutes for careful study of risk and leads to costly resources being devoted to little problems rather than big ones. It also produces concern about risks that are actually quite small and indifference to risks that are extremely serious.

Simply classifying a risk as "serious" does not usually lead to a "serious" budget allocation. Business lines need financial incentives that motivate them to reduce operational risk. Unless risks can be put in a comparative economic context, managers end up doing very little to address them. Historically, the lack of an economic comparison of risks has caused risk-reduction investments to be made to avoid the appearance of negligence, or to meet minimal audit requirements, rather than to reduce risk cost-effectively. This makes managers appear complacent about operational risk when in fact they are simply unsure of the business value of risk-reduction investments. What is needed is a quantitative basis for risk management decisions.

Risk losses are caused by exposure to threat events. A threat event is quantified by estimating its rate of occurrence (or probability) and the duration of the service interruption it causes. A business process is characterized by its potential for loss when a threat event impacts it, for example the monetary loss per hour of interruption. Multiplying the annual rate of occurrence by the loss per occurrence gives the expected loss: the monetary loss one can reasonably expect to experience, expressed at an annual rate. Ranking threats by expected loss makes it simple to identify the material ones.

Next, one can evaluate the return on investment (ROI) of a proposed mitigation measure by comparing the anticipated reduction in expected loss (the return) with the cost to implement it (the investment). Managers will naturally select mitigation measures with a strongly positive ROI and avoid the money losers. It is also important to address potentially fatal exposures: a rare event whose single-occurrence loss the business could not survive deserves treatment even where its annual expected loss, and hence the ROI of mitigating it, looks modest. By addressing all the exposures collectively, one arrives at an optimal risk management strategy on a sound, businesslike basis.
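The two calculations above (annual expected loss as rate times loss per occurrence, and mitigation ROI as reduction in expected loss against cost) are easy to get wrong in a spreadsheet, so here is a small worked model of them. This is an added example, not code from the post or from Symantec; the process, threats, mitigation measures, all dollar figures, and the "survivability limit" used to flag fatal exposures are constructed assumptions for illustration only.

```python
"""Annualized expected loss and mitigation ROI, as described in the post.

Added illustration: every figure below is constructed, not taken from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float    # expected occurrences per year (the post's "rate of occurrence")
    outage_hours: float   # service interruption caused per occurrence


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    loss_per_hour: float  # the process's loss potential, per hour of interruption


@dataclass(frozen=True)
class Mitigation:
    name: str
    threat: str                   # name of the threat this measure treats
    annual_cost: float            # the investment, annualized
    rate_factor: float = 1.0      # multiplier applied to annual_rate after mitigation
    duration_factor: float = 1.0  # multiplier applied to outage_hours after mitigation


def single_event_loss(threat: Threat, process: BusinessProcess) -> float:
    """Loss from one occurrence: interruption duration times loss per hour."""
    return threat.outage_hours * process.loss_per_hour


def annual_expected_loss(threat: Threat, process: BusinessProcess) -> float:
    """Expected loss at an annual rate: rate of occurrence times loss per occurrence."""
    return threat.annual_rate * single_event_loss(threat, process)


def mitigated(threat: Threat, m: Mitigation) -> Threat:
    """The same threat after the measure reduces its frequency and/or its duration."""
    return Threat(threat.name, threat.annual_rate * m.rate_factor,
                  threat.outage_hours * m.duration_factor)


def mitigation_roi(threat: Threat, process: BusinessProcess, m: Mitigation) -> float:
    """ROI = (reduction in annual expected loss - annual cost) / annual cost."""
    reduction = (annual_expected_loss(threat, process)
                 - annual_expected_loss(mitigated(threat, m), process))
    return (reduction - m.annual_cost) / m.annual_cost


def evaluate(threats, process, mitigations, survivability_limit):
    """Rank measures by ROI and flag those that remove a fatal exposure.

    survivability_limit (an assumption of this example) is the largest single-event
    loss the business could absorb. A measure that brings a single-event loss below
    it is recommended even at negative ROI, per the post's point on fatal exposures.
    """
    by_name = {t.name: t for t in threats}
    rows = []
    for m in mitigations:
        before = by_name[m.threat]
        after = mitigated(before, m)
        roi = mitigation_roi(before, process, m)
        fatal_before = single_event_loss(before, process) > survivability_limit
        fatal_after = single_event_loss(after, process) > survivability_limit
        rows.append({
            "mitigation": m.name,
            "threat": m.threat,
            "ale_before": annual_expected_loss(before, process),
            "ale_after": annual_expected_loss(after, process),
            "roi": roi,
            "removes_fatal_exposure": fatal_before and not fatal_after,
            "recommend": roi > 0 or (fatal_before and not fatal_after),
        })
    return sorted(rows, key=lambda r: r["roi"], reverse=True)


# Constructed sample data (not from the post).
PROCESS = BusinessProcess("order entry", loss_per_hour=10_000.0)
THREATS = [
    Threat("power failure", annual_rate=2.0, outage_hours=4.0),
    Threat("storage array failure", annual_rate=0.5, outage_hours=24.0),
    Threat("site disaster", annual_rate=0.02, outage_hours=480.0),
]
MITIGATIONS = [
    Mitigation("UPS and generator", "power failure", annual_cost=15_000.0, rate_factor=0.1),
    Mitigation("storage clustering", "storage array failure", annual_cost=50_000.0, duration_factor=0.05),
    Mitigation("DR site", "site disaster", annual_cost=400_000.0, duration_factor=0.1),
]
SURVIVABILITY_LIMIT = 2_000_000.0  # assumed: largest single-event loss the firm can absorb

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:<24} ALE ${annual_expected_loss(t, PROCESS):>10,.0f}"
              f"  single event ${single_event_loss(t, PROCESS):>12,.0f}")
    for r in evaluate(THREATS, PROCESS, MITIGATIONS, SURVIVABILITY_LIMIT):
        print(f"{r['mitigation']:<20} ROI {r['roi']:>6.2f}"
              f"  removes fatal exposure: {r['removes_fatal_exposure']}  recommend: {r['recommend']}")
```

With these constructed figures the site disaster has a modest annual expected loss and a negative ROI for the DR site, yet its single-event loss exceeds the survivability limit, so the model still recommends the measure; the UPS and clustering measures are recommended on ROI alone. Separating frequency reduction from duration reduction matters in practice: a clustering or replication measure rarely changes how often a component fails, only how long the service is down.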

Governments and regulatory bodies have recognized the reluctance of businesses to account properly for operational risk. Failing to account for operational risk makes certain functions or systems appear artificially attractive. The stakes have become so high, in fact, that governments have taken swift and compelling action to force operational risk to the forefront of business management.

Companies can expect stricter regulation and oversight by government regulators. Internal controls are no longer "nice-to-haves"; they are "must-haves". As an example, Section 404 of the Sarbanes-Oxley Act requires public-company management to assess, and the external auditor to attest to, the effectiveness of internal controls over financial reporting. Section 409 requires rapid disclosure of material changes in financial condition or operations, which includes material impairments caused by business interruption events.

There are severe civil and criminal penalties for non-compliance with Sarbanes-Oxley. Far more than the customary slap on the wrist for business executives, these penalties have teeth, long and sharp. Failure to comply can result in fines of up to $25 million and/or prison terms of up to 20 years. These liabilities land squarely on the key executives, as the law also prohibits company-backed loans to pay the fines and bars extraordinary payments to insiders during an investigation.

Business executives must learn to manage operational risk, and that requires that they first learn to measure it and evaluate it properly through quantitative assessment. Second, they must assess the tradeoffs by exploring the costs of alternative preventive measures, also in quantitative terms. Third, to make the best use of scarce resources, they must choose the optimal mitigation solutions for the most serious risks.

Blog Author:
Mr. Wenk is Principal Resiliency Architect for Symantec's Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for cloud infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 countries, tackling some very challenging, complex, and ambiguous problems. His experience includes developing architectures and strategies for highly available, resilient and secure infrastructures in heterogeneous IT environments. He has performed quantitative operational risk assessments that were used to justify the significant investments required to build, transform and maintain resilient infrastructures; he has performed technology assessments, IT consolidation and transition strategies, and developed site selection criteria for complex heterogeneous technology consolidations. In addition, he has developed charging methodologies and performed capacity planning and performance evaluations in large, complex IT environments. Dennis has developed a number of risk-based services that quantify the return on technology investments that increase resiliency and improve continuity programs. His background includes experience with EMC Consulting as Senior Cloud Architect; with Hitachi Data Systems as Principal Global Solution Architect for High Availability Solutions; with IBM Global Network as an Outsourcing Project Executive; with Comdisco, where he was Western Director of Technology Consulting; with KPMG, where he was Senior Manager, Group Leader for IT Operations and Transformations; and with Heller Financial, where he served as VP/Information Processing. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), Certified Data Processor (CDP), and Certified Systems Professional (CSP), and is certified in ITIL Service Management.
He was awarded Best Management Paper by the Computer Measurement Group, and he currently sits on the Advisory Board of Continuity Insights and serves as its Technology Chair. He has been the Cloud Special Interest Group Leader for the Outsourcing Institute and the Business Continuity Focus Expert for the Information Technology Infrastructure Management Group. He is an advisor to the Business Continuity Services Group. Dennis has written award-winning professional articles and white papers and has been published in Information Week, Computer Performance Review, Trends and Topics, Continuity Insights, Infosystems, Computer Measurement Group, and DR Journal. He is a regular speaker at industry conferences worldwide. Current topics of expertise include: '3 Simple Complexities of Data Protection', 'Think About Never Failing, Not How To Recover', 'Focus On The Largest Source Of Risk: The Data Center', 'Risk Economics', 'Gaining Competitive Advantage: The Myth of the Resiliency Paradox', 'Eco-Friendly Data Center', 'Virtualization, a Resiliency Enabler', 'Economic Impact of Interruptions', 'Risk-based Business Continuity', 'High-Stakes Business Impact Analysis', 'A Risk-Based Approach to Internal Controls', and 'Resiliency: Clearing the Five Nines Hurdle'.