I originally started this blog as I watched the Tsunami tragedy unfold in Japan. But then thought it may not relate well with readers in the US or Europe, far away from nuclear reactors built on the “ring of fire.” Then in July, I was stranded in New Zealand by excessive snowfalls and watched as residents couldn’t get to work or home for days. Last week in the US, there was a quake felt from Virginia to Toronto, quickly followed by the wrath of Hurricane Irene. Loss of power and flooding continues to wreak havoc on millions.
These recent events should raise the importance of operational risk for companies. Many of us sit complacently thinking that we will not be impacted so close to home, but these recent climatic events bring home the point that operational risk can pop up anywhere in the world. Many companies have disaster recovery plans in place that address some of the major issues, but DR plans may not capture all of the daily departmental processes that run manually. Also, while a DR plan may never go into effect for the corporation, individuals may be impacted locally. For example, if transportation is crippled, it can prevent someone from getting to the office to run a manual process that only he or she only knows. In fact, an event doesn’t have to be headline news on CNN to uncover where the operational risk may lie in an organization.
So the first step companies should consider is to evaluate the manual processes that are a key link in risk management or financial reporting workflow. Any spreadsheet process should be documented as if it were a system solution with the proper controls in place. This process can then be tested and the evaluation should be done periodically because, like mold, changes to manual processes tend to re-surface despite a good scrubbing. It may be difficult to implement a system solution or sometimes to even find one that would fit your customized needs, but at least identifying the risk is the first step.
One of the many benefits of Software-as-a-Service (SaaS) is that your solution is hosted over the Internet and the SaaS provider has the pre-requisite DR and back-up capabilities, including redundant power supplies on different grids. So if your employee can’t get to the office but can get to the Internet, then operations can still be performed. Look to see if your systems vendor has a SaaS alternative and revisit any ways to replace manual processes with alternative automated processes where possible.