There's a common thread that runs through the 1984 Bhopal chemical factory disaster, the rogue trading of Nick Leeson a year later, the collapses of Ansett in 2001 and HIH in 2002, and the mass recall that recently engulfed Pan Pharmaceuticals.
No, it is not just they all made it to the top of national news agendas and stayed there for weeks or months as the reputations of the affected companies got serially hammered. They are also all stark examples of gross failures in operational risk management.
The notion of operations risk has had currency since the Committee of Sponsoring Organisations of the Treadway Commission (COSO) coined the term in 1991. Nick Leeson kicked it along in spectacular manner after his rogue trading activities caused the collapse of Barings Bank, and he has been a poster boy for advocates of operational risk management ever since. But now CIOs in a range of industries are being forced to take operations risk seriously, pushed along by the June 1999 reforms of the Basel Committee on Banking Supervision requiring banks to reserve capital to cover their operational risk exposure and fostered by the new sense of vulnerability exposed by the September 11, 2001 terrorist attacks on New York and Washington.
"I think operational risk has always been there, but for financial services in particular [September 11] brought home that things happen that can severely disrupt the business," says Kevin Pleiter, industry leader, financial markets/risk and compliance, consulting services, IBM Global Services. "Managing risk ultimately comes down to your obligations to your shareholders, and at the end of the day, it's your obligation to shareholders to demonstrate that the business that you run is sustainable, and that the profitability of the company is sustainable."
But having recently relocated to Australia after 10 years in the UK and US, Pleiter is highly critical of the "naivety" of the many Australian businesses which have proven slow to accept that a September 11 or any other catastrophe could happen here, and says the response of many businesses has been far too reactionary. The Australian Prudential Regulation Authority (APRA) has made it clear that operational risk, major IT projects, strategic outsourcing and many other major impacts on the operation side of the business will be a keen focus into the future, and CIOs have to adjust to that fact.
Too many organisations have their "heads in the sand", Pleiter says, and whether it's based on ignorance or avoidance (or both) it's dangerous because ultimately "operational risk and the catalyst to actually do something shouldn't be a reactive thing".
He says although it is hard to point to companies doing a good job on operational risk, there has been a revolution in thinking, at least in the financial services companies, where there is growing internal awareness of the value in focusing on operational risk. But he says progress will not really be made until organisations undergo a cultural change where lines of business begin to realise that good operational risk management is good business - not just from the standpoint of their reputation, but also for operational efficiency reasons.
"It's a journey that certainly has a long way to go, but from some of the discussions that we've had most recently, we're starting to see that there is certainly some decent degree of encouragement. I think people that are championing it internally within organisations are certainly becoming very encouraged by the simple fact that some of the understanding and the change that is necessary is starting to happen, because the knowledge is being built up, the intelligence internally is being built up, which is then enabling people to make those decisions."