Operational risk is an interconnected part of RBC's overall enterprise risk management strategy. The firm has a corporate-level enterprise risk management team led by a chief risk officer. Different units are responsible for the various categories of risk (operational, credit, market and so on) that span each of RBC's business segments. At the business-segment level, risk management teams are responsible for managing types of risk unique to those areas.
The focus on operational risk has led to RBC's consolidation initiative. "We've identified where there's overlap between our [operational risk] activities and compliance activities, such as Sarbanes-Oxley," Hempstead explains. "We've created a new cross-functional team comprised of executive sponsors and a working group....Basel II [is] the opportunity to bring all those related tasks under one operational framework." Hempstead says that initiative should be complete by mid-2006.
Tackle New Threats
It's a bit ironic that one of the emerging areas in which risk management technology is being applied is in assessing the growing importance of technology. "Increased integration of technology with business and increased dependence [on that technology] has caused more risk, and the risk management associated with information security is much different from other risks," says Cohen of Burton Group.
At American Water, which owns or operates more than 475 municipal water systems in North America, security director Bruce Larson calls it "informatic risk."
"Today information systems control the production and distribution of drinking water; and other systems manage our back-office business processes," he explains. "With the geographical footprint of our operations, collaboration and telecommunications are invaluable services."
Part of energy and water giant RWE AG Group, American Water has always faced many types of operational risks — power outages, weather, vandalism — and it has always applied the conventional risk management strategies of prevention, protection, response and recovery. But unlike these physical threats, risks to information are often harder to identify because they continually evolve and expand as the volume of information grows.
For instance, the company has thousands of sensors that monitor its IT network for attack, which can generate hundreds of thousands of records per day. "Any one record might be simply interesting or it could be critically important. We needed the ability to converge multiple, heterogeneous data sources, correlate activity in each of those sources, detect risk early and mitigate it," says Larson.
In late 2002, American Water installed a data visualization system from Advizor Solutions. The system's ETL tools normalize the data coming from each of the detection systems and aggregate it in an enterprise database. Advizor then generates alerts based on high-probability connections and patterns, and presents the results in a graphical format for Larson's team to analyze in search of data security threats. "You can beat up on the firewall all day long, and that's interesting," Larson illustrates. But if a connection is drawn to the same IP address later on the backside of the firewall, "That's really interesting," he says, because it suggest a hacker has found a way through security.
It's impossible to put an exact dollar amount on losses that have been prevented thanks to better security, says Larson, but he notes that American Water has been able to conduct 200% more data analyses in near-real time without having to increase security staff.
As these companies illustrate, risk management technology isn't defined by a single type of system but by a common objective: giving people confidence in the decisions they make and assurances they give. And in the post-Enron, Sarbanes-Oxley world — with top executives' skins on the line for those assurances — risk management technology has also become important as a personal safeguard.
As described in our lead-off feature, "Enterprise Risk Management: Illuminate the Unknown," page 26, the future promises growth not only for individual risk management technologies, but also for the practice of enterprise risk management (ERM). Not a single system, ERM is a holistic way of looking at risk across the enterprise, driven by top-level support (such as a chief risk officer) and supported by technology.
Technology has become an important part of risk management, but it's not the only part. "[Risk management] is a mix of people, processes and technologies," says Braunstein of Robert Frances Group.
Therefore, businesses that will be the most successful in their risk management efforts are those that stay focused on the objectives of identifying risks, assessing the impacts and taking the best course of action.
Michael P. Voelker is principal of Equinox Communications Inc. Write to him at [email protected] goequinox.com.