Operational Risk Management Is a New Imperative

Risk has always been an integral part of business, but our recent Governance, Risk and Compliance (GRC) benchmark research shows that companies deal with risk with varying degrees of effectiveness – especially operational risk. A majority of companies lag in their overall GRC maturity, as I covered in a recent blog post. Operational risk management should be of greater interest to executives today because they can have greater control of it than before. The expansion of IT systems to automate and support most business processes has made it easier than ever to measure, monitor and report on what’s going on in a company. It’s now practical to expand the scope of operational risk management and improve companies’ effectiveness in handling risk events when they occur.

Our research shows that managing risk more effectively is the main reason why people want a better approach to GRC. Nearly eight out of 10 (77%) want to be able to identify and manage risks faster. Another 59 percent want to achieve a better risk control environment – for example, they want to ensure that rules and procedures are being followed. In many instances, it possible to use information technology to keep people from not following rules and policies. For example, there’s a long-standing approach to reducing financial fraud by having a policy for separation of duties that keeps people who approve invoices separate from those who sign checks or issue payment instructions. Because invoice approval and payment are done via computer systems today, the process can be designed to enforce separation of duties and to continuously monitor systems and process execution to ensure this policy is followed.

Computing systems also can be used to stay on top of compliance to limit the chance that someone fails to do what they are supposed to do. Was a critical piece of maintenance performed on schedule? Has everyone who needed to sign off on a regulatory filing?

Managing risk is an ongoing process that must be defined, refined and re-examined regularly. Managing risk effectively means having ongoing discussions about risk, usually face to face. But IT is a critical piece of effective risk management. Technology can automate many aspects of risk management – separation of duties and identity management are two examples. Reporting systems can be used to enable managers and executives to monitor operations more efficiently by reliably providing alerts but only doing so when some situation requires their attention.

One analytic technique that’s applicable to managing operational risks is predictive analytics, a subject I’ve covered in the past. “Predictive” does not necessarily mean that you can foretell the future; rather, this approach sifts through a lot of data, tells you if some key aspect of the business is behaving the way it should and alerts someone if it isn’t. Do order patterns signal a problem? If you can spot the negative trend on the fifth business day of the month rather than in the monthly review, you may be able to address the causal factors before you have a big problem. Predictive analytics can inform managers that they will need to add shifts or workers to address some supply chain snag that has developed.

Predictive analytics is a powerful tool that’s becoming increasingly accessible to many businesses. However, many companies face a fundamental issue: They don’t have the data. Our research shows a mixed picture. Participants were pretty much split on how easy it is to access and use the data necessary to measure and assess risk. About half (53%) took the middle ground, saying that is neither easy nor difficult. Of the remainder, 24 percent said it’s easy or very easy and 19 percent said it’s difficult.

Companies are not completely ineffective in managing operational risks – only about one in five said they have ineffective operational risk controls for handling natural disaster, supply chain disruption, competitive threats, reputation loss, internal fraud and demand disruption. (I think this is because companies that have ineffective controls usually go out of business.) However, the data also shows that even fewer rate their risk controls as very effective. For example, only 15 percent assessed their controls for natural disasters as very effective, and just 12 percent rated their supply chain controls as very effective. The research shows that companies are least good at controlling the impact of demand disruption: More than one-fourth said their controls are ineffective while just 5 percent said they are very effective. Just 8 percent are very effective at controlling separation of duties and sources of internal fraud at an operational level. While most companies rate themselves somewhere in the middle, I think “very effective” ought to be the standard companies apply to their operational risk management. And the fact that a majority of organizations think they’re doing reasonably well in controlling operational risk is itself a risk. This sort of assessment typically leads to complacency and a lack of effort to improve operational risk management.

Managing risk intelligently is one of the key capabilities of successful organizations because it can deliver a competitive edge. Companies that are good at managing risk can make aggressive moves more prudently, spot negative trends faster and respond more quickly and effectively when disaster strikes. IT continues to be one of the main sources of innovation in operational risk management. Executives and managers must become familiar with the technology if they want to manage risks as intelligently as they should.


Robert Kugel – SVP Research

Mobile Customer Service: New Generation of Interaction Technology

Recently a flurry of vendors have announced new products that enable companies to build mobile customer service applications that I have analyzed, including Genesys, Interactive Intelligence, Jacada and NICE Systems. All are intended to respond to customer demands for self-service through mobile devices. At a recent customer engagement day, I gave a keynote address on the likely impact of mobile apps and social media on customer service, and I chaired three round-table discussions on the subject of mobile apps with senior customer service and contact center managers so I could gather their side of the story.

Our brief was to debate the assertion that “smart phones and tablets will drive big changes in service delivery.” The good news for the vendors is that the collective view of the participants was a resounding “yes.” The round-table sessions included a mixture of companies that already have these apps, ones that were actively developing apps and those making their minds up; all said they view mobile apps as meeting customer demand and thus having a major impact on how they deliver customer service.

One example illustrated the power of such apps. One of the companies released a mobile app without consulting with or announcing it to its customers. Yet within a few weeks the app had been downloaded more than 10,000 times and an independent forum had been set up to advise the company on how to improve the app.

Another case illustrated a potential downside. Several of a company’s customers were contacting them for help, but in many cases they were asking about using the tablet, not the app. Obviously this is not the kind of customer service the company wants to offer.

Although there was almost unanimous agreement that mobile apps would have an impact, none of the participants said they will replace other support channels, so their use has to be put in the context of one option in a multichannel customer service strategy. The participants in the discussions felt the success of mobile apps is dependent on a number of factors:

  1. The apps should be designed with customers and their needs in mind. Our research into the use of technology in contact centers shows that other self-service applications, such as IVR and Web self-service, have not been as successful as companies hoped, largely because they were designed to suit the company’s processes and not the customer’s.
  2. A popular phrase that emerged during the debates is that apps have to work “in the moment,” like other activities consumers typically carry out on their smart phones or tablets, namely make a phone call, send a text message, chat or post to social media. The apps therefore ought to work in real time, and if companies let customers access information from the app then it must be absolutely up-to-date. I can see that providing this capability might be a challenge for many companies, because they must first decide what source of data to use and then ensure that the system managing that data is working in real time.
  3. Another key requirement is that the apps have to be easy to use. They should not just replicate the functionality of a Web browser but should make full use of common smart phone and tablet features such as the touch screen, simple dials to select data, integrated GPS and video and photographic features.
  4. Users should be able to close the loop on what they are doing in the app; that is, if they start a process, they should be able to finish it without leaving the app, even if circumstances require speaking with an agent.
  5. Finally, the apps should personalize responses and information based on the user ID (and security information) the user provides while signing in to the app. This should apply equally if the user has to make a call; many of the participants insisted that such a call should be passed straight to an agent, bypassing IVR, and that the agent should know who the customer is and what the user has done before making the call.

All in all these discussion groups expressed high expectations of mobile service apps. The good news is that the vendors I have reviewed to date have products with capabilities that should allow companies to design and build apps that meet these requirements. The big unknown is whether companies will design apps that customers come to like and use often; otherwise the industry could find itself facing a “customers hate mobile apps” situation in the same way as they are reported to “hate IVR.” Using mobile technology for customer interactions is part of maturing customer relationships and interactions to meet the requirements that should be defined in your customer journey maps that our customer relationship maturity benchmark research found help advance the customer experience. I’d be interested in your thoughts, so please collaborate with me on this rapidly evolving technology.


Richard J. Snow

VP & Research Director