An Approach to Managing Operational Risk


You plan, you set expectations, and you deliver.  You meet your goals, and are happy and proud, and well rewarded.  There are handshakes, and slaps on the back we do it again, and again…”masters of the universe”…you, and your company, are on a role.

Then,… a butterfly flitters it’s wings six time zones away, and a snow storm of epic proportions closes O’hare airport.  This strands your head of sales in Omaha, who misses his son’s championship basketball game for the fourth year in a row, and decides to quit your company and take a job requiring less travel.  You successfully recruit a replacement with a stellar resume.  So stellar, in fact that she leaves your company after two quarters.  You miss your revenue expectation for three quarters in a row…the board wants to know what’s going on…

Life (and business) are uncertain, yet we often plan, make decisions, and manage our responsibilities as if they are.  Our successes are based on an ability to make things happen, to get things done, to get them under control.  We work hard and we experience successes which reinforce this idea, and it gives us a sense that there are no problems beyond our control.  The psychology makes it difficult for us to understand that we don’t control as much as we think we do.

This is exacerbated by the way we remember things, and the narrative – the way the story is told.  Sports provide a good illustration.  Though a New England Patriots fan, I am keenly aware that their recent Super Bowl victory was largely made possible by the result of a coin flip (“heads”) in Kansas City that gave the Patriots the ball first in overtime instead of the high powered Kansas City offense.  The subsequent interviews and speeches focus on the importance of a good week of practice and of course “doing your job”.  A more accurate portrayal would have started with thanking the gods (or butterfly wings at your preference) for the coin flip in Kansas City, and then the contribution of those other things.  But this is typical…the narrative, and our psychology, doesn’t allow room for uncertainty, for randomness, for the thought that some contributing factors are simply beyond our control.

When we do recognize uncertainty, we can manage it formally and this leads to better outcomes.  In fact, people can make better decisions and better manage to objectives when they have an accurate sense of uncontrollable factors.  A formal analysis might include an analysis of the probability of a condition or event occurring and an assessment of the cost of that risk weighed against the cost of mitigating that risk.  In fact, when organizations have taken the step to formalize decision making processes (Sony, GE, and Bridgewater Associates come to mind), a result has been the elevation of the identification of risk and explicit risk planning.  Next, as a basis for communicating a common approach, let’s take a look at the nature of uncertainty in three key dimensions of operations: core delivery, personnel, and in change initiatives.

The core delivery functions of an organization are the activities involved in creation, selling, and delivery of a companies’ products and/or services to their customers.  External uncertainties may include supply chain dependencies, and the impact of unexpected disruptions in the delivery process.   Additionally, in order to investigate the totality of risk in core delivery, it sometimes helps to think of the core delivery function as an asset, the result of a real investment in a way of delivering to a specific (temporal?) market.  This highlights a second risk area:  that is, changes to the customer interests, tastes, and expectations themselves (shifting markets), that might de-value the core delivery asset.  For instance, for a software company, the core delivery function would be the ability to write and sell software but a major risk to the core delivery function might be the erosion of a software market in favor of service-based platforms. 

Companies often have thoughtful personnel succession plans that minimize the risk of the departure of a key employee.    Managing this is a moving target, and requires the constant diligence of executive and human resources management.  Sometimes the real risk isn’t apparent, as leadership isn’t the issue as much as key operational resources with the unique knowledge and experience that is most difficult to replace.  The person in your organization who is the only one who can manage your (“platform migration” or “insert your challenge here”) goes home every day, and then you hope she chooses to come back.  We’ve also seen examples where particular departments experience inordinately high attrition.  This is more concerning as the implications are usually greater, and the root causes to the attrition that need to be addressed.   

A third area is managing change initiatives. Industry surveys suggest that the “disappointment rate” for these initiatives is 40%.  I think that figure is a bit pessimistic, but even if the failure rate is half that number, it behooves the thoughtful company to manage that risk.  One conclusion that is reasonable but not often pursued is to launch redundant or even competing efforts.  In other words, If you need to bet your companies’ future on an effort with those odds, maybe you bet on red AND black.

Against this backdrop of diverse challenges in three operating functions, we’ve developed a standardized approach that is applicable to the above as well as other areas that might be considered.  It is a simple framework intended to help formalize the process of managing risk. It should also be comprehensive – that is, it encourages the consideration of all risk areas including those that may not be directly on the radar screen.  Related, an Inclusive approach that provides for the input of all key contributors to the area is important.  Finally, it should be Focused so that results are actionable, and so that it limits effort/impact outside of the direct area of discussion.

Here’s a framework, with descriptions of each activity below.  

Illustration: Approach to Managing Operational Risk:


In simple terms, this approach seeks to identify all potential risks in an objective and comprehensive way, then narrows  to a relevant risk framework in conjunction with key stakeholders.  This framework is used as a basis for discussion and alignment around real risks in inclusive, brainstorming discussions, and finally for the formalization and documentation of risks, and putting execution plans in place.    Steps are further detailed below.  This is purposely broad and vague on details.  The key to results is applying this approach in a manner that works best for your organization:  

  • Inventory – Develop an outline of the areas to be included.  Develop an objective and comprehensive view of the risks for each outlined area.  Formal, published assessment frameworks may be helpful as a starting point.  While these are comprehensive, you will want to pare back some areas and add others.

  • Focus – Engage in discussions and work sessions to explore key contributor’s perspectives and concerns.  Generally, these should be forums with moderate structure that invoke a frank initial discussion of challenging areas.

  • Align – Involve key contributors in area-by-area discussions and discuss risks.  Position this positively as a “risk identification brainstorming”, and not as an “assessment”.  You may find these discussions are led/facilitated by a knowledgeable but neutral facilitator.  The product of these discussions should be prioritized lists of risks, with agreed actions.  Document and communicate outcomes. 

  • Execute - Develop and formalize action paths.  Determine on-going responsibilities for actions.

One caveat, never ignore the elephant in the room.  That is, if your company is facing a core challenge, make that an explicit dimension of this.  For instance, a brick and mortar retailer transforming to a digital world would be best served by investigating the operational risk of a hybrid/digital model rather than analyzing the risk of digital factors on their retail-based model.

At Orchestration Services, we’ve developed risk assessment frameworks for a number of industries and functional areas Please contact us for more information.