Developing a cost-benefit approach to risk and control frameworks has long been a goal for operational risk teams. Boards, senior executives, and the business could use such analysis to make better decisions about where to invest in their control frameworks. However, some feel that this kind of analysis simply isn’t possible without sophisticated approaches such as Big Data, artificial intelligence (AI) or machine learning (ML).
The reality is that most firms should be able to undertake cost-benefit analysis with the data they collect today and the right risk assessment software. This fourth blog – the last in a four-part series – will explore how operational risk teams can create their own cost-benefit analysis relatively quickly and easily. This brings together approaches discussed in the first three blogs – on risk and control self-assessments (RCSAs), key risk indicators (KRIs) and loss event data.
Calculating costs quickly and easily
The first step in performing a cost-benefit analysis is to get a sense of the costs. For many firms, this can be perceived as a significant stumbling block, as some consultants will suggest that expensive and time-consuming activity-based accounting is the only way to acquire information about costs.
This is simply not the case. The cost of a control does not need to be a precisely accurate number; a ballpark figure is enough. To take decisions, organizations need relative numbers rather than precise ones: they need to understand the costs of controls relative to each other.
To achieve this, organizations can make use of easily available data such as:
• Total cost base of the firm (from published information)
• Total number of employees (from published information)
• Number of employees needed to operate a control (from the control owner)
To compute the cost of a control, divide the total cost base of the firm by the total number of employees to find the cost base per employee. Next, multiply that number by the number of employees required to operate the control.
This will provide a “good enough” number to understand the cost of the control. Operational risk executives then simply need to subtract this cost of the control from the monetary control benefit to arrive at a number that approximates the value of the control to the business.
Examining positive and negative value
Quite often this number will be positive – that is, the benefit will exceed the cost. However, sometimes this number will be negative, indicating that the cost is greater than the benefit. In those cases, senior management and the board could consider changing the control structure, looking more closely at the cost of the control, or other factors to turn this into a positive relationship. Sometimes – for example, if the control is one mandated by regulators – it is not possible to change the control at all. In this case, the control becomes a cost of doing business.
Once organizations have these kinds of calculations completed, they could potentially provide senior management and the board with rankings of the best and worst controls in the business. Such a ranking could enable the organization to think about how resources are allocated to controls. They could perhaps consider redistributing investment from areas that appear to be “over-controlled” to areas that could do with more investment in the control framework. This analysis is made much easier by using good operational risk management software to automate it – in this way, the op risk team could provide regular reports to key stakeholders.
In summary, creating a cost-benefit analysis of a firm’s control framework can help senior management, the board, and the business make more thoughtful decisions about investment in the control framework – optimizing the use of the firm’s resources.
RiskLogix hopes that these four blog posts on ways to better use the information on controls that the organization already has at its disposal have been informative.