Cost-benefit analysis – Driving business value from operational risk data

  • Subscribe to updates

  • Privacy
  • This field is for validation purposes and should be left unchanged.

Developing a cost-benefit approach to risk and control frameworks has long been a goal for operational risk teams. Boards, senior executives, and the business could use such analysis to make better decisions about where to invest in their control frameworks. However, some feel that this kind of analysis simply isn’t possible without sophisticated approaches such as Big Data, artificial intelligence (AI) or machine learning (ML).

The reality is that most firms should be able to undertake cost-benefit analysis with the data they collect today and the right risk assessment software. This fourth blog – the last in a four-part series – will explore how operational risk teams can create their own cost-benefit analysis relatively quickly and easily. This brings together approaches discussed in the first three blogs – on risk and control self-assessments (RCSAs), key risk indicators (KRIs) and loss event data.

Calculating costs quickly and easily

The first step in performing a cost-benefit analysis is to get a sense of the costs. For many firms, this can be perceived as a significant stumbling block, as some consultants will suggest that expensive and time-consuming activity-based accounting is the only way to acquire information about costs.

This is simply not the case. What is really needed for the cost of controls is not a precisely accurate number, but rather a ballpark figure. What organizations need to take decisions is not precise numbers, but relative ones. That is, they need to understand costs of controls relative to each other, rather than as a precise figure.

To achieve this, organizations can make use of easily available data such as:

• Total cost base of the firm (from published information)
• Total number of employees (from published information)
• How many employees to operate a control (from the control owner)

To compute, divide the total cost base of the firm by the number of employees, to find out the amount of cost base per employee. Next, multiply that number by the total number of employees that are required to operate a control.

This will provide a “good enough” number to understand the cost of the control. Operational risk executives then simply need to subtract this cost of the control from the monetary control benefit to arrive at a number that approximates the value of the control to the business.


Examining positive and negative value

Quite often this number will be positive – that is, the value will exceed the cost. However, sometimes this number will be negative, indicating that the cost is greater than the benefit. In those cases, senior management and the board could consider changing the control structure, looking more closely at the cost of the control, or other factors to turn this into a positive relationship. Sometimes – for example, if the control is one mandated by regulators – it is not possible to change the control at all. In this case, the control becomes a cost of doing business.

Once organizations have these kinds of calculations completed, they could potentially provide senior management and the board with rankings of the best and worst controls in the business. Such a ranking could enable the organization to think about how resources are allocated to controls. They could perhaps consider redistributing investment from areas that appear to be “over-controlled” to areas that could do with more investment in the control framework. This analysis is made much easier by using good operational risk management software to automate it – in this way, the op risk team could provide regular reports to key stakeholders.

In summary, creating a cost-benefit analysis of a firm’s control framework can help senior management, the board, and the business make more thoughtful decisions about investment in the control framework – optimizing the use of the firm’s resources.

RiskLogix hopes that these four blog posts on ways to better use the information on controls that the organization already has at its disposal have been informative. To learn more about how RiskLogix can help your firm make the most of the data it already has within its control framework, please contact us.

Related Posts

Risk Management and Business Survival – A case study
Following on from our earlier blog about the role of risk management and using operational risk software in business resilience and business survival, here Tony and John give a high profile example from their book Mastering Risk Management, and go on to outline how to prepare for responding to a critical event… It is often …

Risk Management and Business Survival – A case study Read More »

Business survival and the case for Risk Management
When viewed within the context of business resilience and business survival the case for a formalised risk management system, supported by designed-for-purpose operational risk software is compelling. Here in an exert from their book Mastering Risk Management, Tony Blunden and John Thirlwell put the case… At the business level, a robust and efficient risk system …

Business survival and the case for Risk Management Read More »

Effective business continuity & operational resilience are both outcomes of good risk management
There has been some debate whether Operational Resilience (OpRes) and Business Continuity Management (BCM) are the same discipline, different disciplines, or similar areas but with differing degrees of granularity. It is arguable that OpRes is customer centric in that it looks at the threats and vulnerabilities to the services provided to the customer, whereas BCM …

Effective business continuity & operational resilience are both outcomes of good risk management Read More »