29/04/2009

The Knowledge Management Role in Mitigating Operational Risk

Eduardo Conrado Ferrari Longo*

Abstract

The idea that information and knowledge have become critical for the value creation processes of companies and nations is now widely recognized. However, we must broaden this perspective and consider not only the potential benefits offered by intangible assets, but also the risks created by the mismanagement of those same assets. Otherwise, it will be increasingly difficult to manage the growing number of risks that can affect the results of a company. This theoretical paper discusses specifically the linkage between Operational Risk and Knowledge Management, aiming to improve the understanding of this subtle connection. After establishing this linkage, it discusses which perspective Operational Risk Managers should adopt regarding information and knowledge. In short, these professionals should evaluate two things: firstly, how information and knowledge create the possibility of operational risk events and, secondly, how they could be used to avoid these undesirable events. From this point, it is possible to define the focuses that Information Management and Knowledge Management practices could adopt to contribute to the mitigation of Operational Risk. This integrated perspective has the potential to benefit both Knowledge Management and Operational Risk Management practitioners. A Risk Manager will profit from a broader and more accurate understanding of many operational risk events. Even more important, this manager will also be able to deal with some causes of these risk events. This will lay a foundation for a better risk mitigation strategy, though, of course, risks cannot be fully eliminated. At the same time, a Knowledge Manager will profit from a clear and direct business driver linking Knowledge Management and risk mitigation, something that could potentially boost the return on investment of Knowledge Management initiatives.
The paper also presents some real operational risk cases, considered from the integrated Knowledge Management – Operational Risk Management point of view presented here.

Introduction

It has been almost three decades since Alvin Toffler described the transition from an industrial society to a post-industrial society based on knowledge. Since then, information and knowledge (represented as intangible assets) have been recognized as crucial for the performance of companies and countries. Moreover, both represent an increasing part of the economic wealth created by companies and countries.

In this new environment, it is necessary to acknowledge not only the value that can be created through intangible assets, but also the risks represented by them. It is also necessary to develop tools and techniques to manage the exposure to these risks. Carvalho (2005) warns in his article that neglecting the management of intangible assets has the potential to destroy the value of tangible assets, in a process sometimes difficult to interrupt. He states that many operational risks to which a company is exposed are related to the mismanagement of intangible assets that could be administered by Knowledge Management practices.

This paper shows that many operational risks to which an organization is exposed are, in fact, the result of poor management of some intangible assets. Furthermore, this exposure could be reduced through adequate Knowledge Management practices. The paper initially defines Knowledge Management (KM) and Operational Risk (OR) and then establishes the linkage between these two themes. From this linkage, the paper discusses what should be done regarding Information and Knowledge Management (although an extensive discussion is beyond the scope of this work). Finally, it presents the benefits of this perspective, especially for the work of a Risk Manager of an organization. The paper is completed by the presentation of some cases that illustrate the importance and urgency of the perspective proposed.

Information and knowledge – where does KM fit?

It is possible to define knowledge simply as what we know. However, this simple definition implies all the mental processes necessary to understand and learn from information captured by one of our senses, because only in this way can we identify a significant meaning in these pieces of information. This process can involve interaction with other people, practical experimentation and the identification of connections with previously known concepts. Furthermore, comprehension is related to the “life history” of each person, since everyone carries mental models and behavioural patterns that influence the whole process. It is also important to link knowledge with an action (or the possibility of an action), because it must enable someone to take positions and decide the best course of action.

A person can express the knowledge that she has only through a message – written or oral – and these messages are “only” information, not the knowledge per se. Moreover, considering that knowledge depends fundamentally on the life history of each person, it is reasonable to expect that it will not be the same for any two individuals, no matter the quality of the communication process. The last important distinction is between information and data. As it is possible to infer, information is related to a relevant context, whilst data is any record that can be manipulated.

Knowledge Management is an interdisciplinary field of study whose origin can be traced back to the end of the 1980s and the beginning of the 1990s. Since then it has attracted the attention of researchers, professionals and organizations, who are developing ways to leverage the use of these intangible assets of companies and countries.

Nevertheless, the huge expectation towards KM has many times been frustrated by differing approaches to KM itself, by the lack of distinction between information and knowledge and by the excessive focus on metrics and tools to deliver KM “solutions”, when, in fact, knowledge cannot actually be “managed” in the way other assets can. Too often the focus is on capturing and disseminating “tacit knowledge” (which is incorrectly defined, since it is actually a piece of knowledge outside the conscious sphere of the knower), and it is possible to identify “waves” of proposed KM “solutions” with no solid foundation. Fortunately, there are proposals with new and sound approaches, and this will probably make it viable for KM to deliver important and consistent results.

Operational risk – how to interpret it?

Risk can be defined as the effect of uncertain events on the goals of an organization. In the context of this paper, it is possible to adopt a stricter definition: the chance of a loss due to the uncertainty regarding the result of an event. It is easy to notice that risk is part of any business-related activity, since it is impossible to forecast with absolute certainty the outcome of this activity. It is also important to stress that the occurrence of a risk event may severely impact the achievement of a goal, even making it impossible to achieve. For these reasons the management of different risk types is receiving increasing attention from academia, companies and governments. The latter are contributing heavily to the development of this field, especially because they are passing more severe and sophisticated laws to regulate the activities of different types of companies (the North-American Sarbanes-Oxley Act, the international recommendations from the Basel Committee and the Brazilian requirements for financial institutions are important examples of this trend).

The Bank for International Settlements (BIS) establishes in the Basel II Framework the capital requirements for financial institutions according to three risk types: market, credit and operational. Market and credit risks have been a focus for some time, and the requirement to allocate capital to deal with operational risk increased the importance and necessity of managing this type of risk. It is also interesting to notice that, by creating a linkage between risks and capital allocation, the BIS recognizes that these risks can be neither completely avoided nor transferred by financial institutions. However, they can be managed, and financial institutions must be ready to allocate more capital if they decide to accept more risks. A similar thinking could be applied to any other industry.

According to the British Bankers Association, operational risk is related to the chance of losses directly or indirectly associated with failures or inadequacies in processes, people and systems, or as the result of an external event. These failures or inadequacies occur in the regular operation of a company, and they have many causes. The impact of a risk event may be big enough to threaten the continuity of a company. The following is a useful categorization of operational risk events (the examples are only illustrative and do not cover all possible events):

  • Internal fraud – theft of assets, tax evasion, corruption, accounting fraud;
  • External fraud – theft of confidential information, hacker attack, falsification of documents;
  • Employment practices and Security – segregation, harassment, illegal practices;
  • Clients, Products and Business Practices – market manipulation, anti-competitive practices, breach of contract;
  • Damages to physical assets – natural disaster, terrorism, vandalism;
  • Business disruption and System failure – operation disruption, software and hardware failure;
  • Process execution and management – data entry error, accounting error, flawed legal reports, assets lost by negligence.

Frauds and anti-competitive practices in general attract much attention, but, in fact, employees of an organization can also impose severe losses through errors that result from incompetence, bad decisions or non-compliance with rules in the attempt to achieve a goal or better serve a client.

Obviously, operational risk is part of any business activity and cannot be fully mitigated. However, it is interesting to stress that the legislation related to financial institutions increased the awareness and importance of this topic. It is also important to stress that there is no single model universally accepted as the preferred standard to manage OR, and the solution to this issue depends on the nature of each organization.

Understanding the linkage between KM and OR

In order to understand the linkage between KM and OR it is necessary to evaluate some aspects of OR from the point of view of information and knowledge. More specifically, it is necessary to evaluate how information and knowledge contribute to the occurrence of these risk events, and how they could be used to avoid OR events.

Figure 1 shows the main OR vectors influenced by more proactive information and knowledge management perspectives, as well as some of the main focuses that these practices should adopt. Thinking from a business perspective, it is natural that one factor could lead to more than one outcome. Therefore, it is not relevant to tie each factor to specific outcomes. For instance, flaws in decision making may occur due to bad data quality, to the loss of previous experiences or to dependence on one key person who is not available, or even to a combination of these and other factors.

Figure 1: OR vectors, related information and knowledge factors and business impact

Exploring Figure 1 allows us to achieve a better understanding of the profound connection between some of the most important OR vectors and the absence of adequate practices regarding the management of intangible assets such as information and knowledge.

Thus, it is clear that OR management can profit significantly from good KM practices. The probability of occurrence of some risk events could be reduced, since the root causes of these events would be eliminated or weakened. This would determine a direct value generation driver to the business, something that may be crucial to the decision of implementing these KM practices.

One point must be stressed: at the end of many situations depicted here an action or decision will have to be made. This only reinforces the linkage between OR and KM, since the latter must adopt the role of supporting this decision or action. One example will make this point clearer: a real-time and absolutely trustworthy risk report will be useless if the management team does not act in accordance with what the situation requires. This can happen because the most adequate actions are not known or because the design of the report makes it harder to understand. In both cases KM can play an important role, guaranteeing that the knowledge will be absorbed by those who need it or designing an information system that makes it easier to understand the context, to evaluate events and to make decisions.

Information management role

From the point of view of this paper, information should be seen as an asset of an organization. However, it is a “special” kind of asset that has no intrinsic value but is part of operational processes, being essential for the value creation process. It is interesting to make an analogy with the valuation of a company (assessment of the fair value of the company), since the value of a company is calculated not only considering the market or accounting value of its assets, but mainly forecasting its cash flow capacity (of course, taking into account factors relevant to the business of this company).

This way, informational assets must have adequate quality and be safe from events that can make them useless. Most of this work is already part of business continuity and information security programs. These programs also deal with the risk of losing information – whether intentionally or not – that is important to keep the competitive advantage of a company. It is worth stressing that in this situation losing the information per se is not what matters, since it does not represent any economic value lost (conversely, a stolen physical asset does represent a loss of economic value); what matters is the competitive advantage that a competitor could gain using information to which it should not have access.

At the same time, it is also important to guarantee that these pieces of information will be adequately interpreted and used, and it is reasonable to expect higher investments in business intelligence and data mining systems during the next years. Another important action is identifying those pieces of information that are important but are not available for some reason. In this case, a mechanism to capture, treat and disseminate this information is necessary. We could use Johari’s Window as a model to understand this better: which pieces of information are available to the company and its competitors, which are available only to the company, which are available only to its competitors and which are not available to any company. This simple matrix can help a company to identify which pieces of information it really needs to keep confidential (because they generate competitive advantage and are known only by the company) and which the company should make an effort to obtain, either because its competitors have the information or because the information has the potential to put the company at the cutting edge. Therefore, a work initially focused on managing OR may have as a byproduct the identification of leverage points for the business, through an information need that is discovered.

In short, all points discussed lead to the same direction: guarantee that information important for decision is correct, available and timely. Risk management must be based on the best available information, including the acknowledgment of limitations that this information may have.

Knowledge management role

The KM role in managing OR can be grouped into three categories: loss of organizational knowledge, barriers to the creation of new knowledge and loss of relative competitive advantage.

Regarding loss of organizational knowledge, poorly documented processes and IT systems, especially regarding the rationale of business rules, are serious drains on organizational knowledge. Big companies frequently need to identify the reason that led to past definitions, simply because there is no documentation of processes or systems that is both updated and complete. IT system development projects ignore documentation in an attempt to shorten the project. However, this decision will exact its price in the future, as wasted resources spent recovering lost information and knowledge, as the risk of keeping out-of-date business rules in systems and processes, or as the risk of an unanticipated impact when a new process or system is delivered.

Barriers to the creation of new knowledge arise from the absence of the information needed for it to occur, something related to the previous discussion. It is also important to notice that the knowledge creation process can be harder if the company does not make any effort to foster it, for instance by adopting overly restrictive access rules or aggressive policies to protect its intellectual property. This point is extremely important, since the continuous creation of new knowledge is what makes the company move forward, differentiating itself from competitors through the development of new products, services and markets. The line that separates an adequate control of information to manage OR from excessive practices that will hinder a process crucial for the future of a company is very thin.

Lastly, loss of relative competitive advantage can be the result of confidential information stolen by another company, one that has the ability to profit from it. However, it can also be the result of an employee leaving the company, especially if this employee is the only person who has a knowledge important for the company. This situation is even more dramatic when the employee is hired by a competitor of his/her former employer, because the company will lose a key person and, at the same time, see this person applying all his/her knowledge to benefit a competitor. This is the case even when the employee neither carries with himself/herself any information of his/her former employer nor acts dishonestly.

It is also worth noticing that different professional groups use specific language, because, if a company wants to manage its OR well, all employees must understand the nature, importance, processes and goals of OR. This can be another decisive contribution of KM: making the adoption of this culture easier, guaranteeing organizational learning in OR and creating favourable conditions for the evolution of OR management inside an organization.

Benefits that this approach will generate

Despite not being exhaustive, this work clearly demonstrates many sources of OR that will be adequately managed only through the adoption of a Knowledge and Information Management perspective. Obviously, organizations are dealing with OR, but in the absence of this KM perspective the efforts may not have the necessary reach or may even be ineffective in mitigating OR. Information security programs are a good example: defining clear access profiles will reduce the possibility of fraud, but will hardly deal with data quality or with the creation of informational tools to identify other types of fraud. Similarly, business continuity plans will certainly deal with loss of data, but without a broader perspective they can even increase the risk of information being stolen, since it will be available in more than one place (physical or virtual).

For those responsible for OR management the suggested approach has a clear benefit: it provides a generic framework that any organization can adopt. More important than this is the possibility of identifying multiple causes for a certain kind of risk event and acting to reduce the probability of each cause. For instance, fraud risk can be mitigated by integrating good information security policies, processes that guarantee data availability and integrity, warning tools that identify signs of fraud (such as behaviour patterns that diverge from the usual pattern) and programs that aim to improve awareness of social engineering.

The benefit of this approach is relevant not only because it will mitigate OR reducing the likelihood of its occurrence, but also because it will make a company integrate many efforts that are often concurrently developed with no coordination, leading to a waste of time and resources. Another relevant aspect is the consistency that managing OR will have, since decisions regarding each risk (accepting, mitigating, transferring) will be made consistently. For this, it is necessary not only clear decision criteria, it is also necessary to follow the result of previous decisions and learn from these, feeding a continuous organizational learning process.

The benefits are equally important for those in charge of KM: supporting OR mitigation will contribute directly to a business driver, not to mention the possibility of using this effort to leverage other results. It is very likely that an effort to document properly business rules will find out opportunities to revise and streamline them, something that would increase operational efficiency. Something similar could happen to a program that registered adequately the main lessons learned in projects – it would not only reduce the risk of human fault (repeat a wrong decision) but would also make the development of new projects faster and less risky.

In short: the suggested approach has the potential to generate important results for those in charge of Risk Management and Knowledge Management and also for the whole company.

Some cases

The study of real cases is worthwhile to validate the approach proposed. We will discuss the cases of a senior executive who was hired by a competitor of his former employer, of banks that lost personal information of their customers, of an energy company that had some computers stolen and of a financial institution that supposedly delivered false information to its investors.

On March 15, 1993, the Spanish executive José Ignacio López de Arriortúa left his position as a senior executive at General Motors (GM) in favour of a similar position at Volkswagen (VW). GM accused him of misappropriating trade secrets. After four years of confrontation, in January 1997 GM and VW signed an agreement in which VW committed itself to pay US$ 100 million to GM and to buy at least US$ 1 billion in components from the North-American company over a seven-year period (this was not an additional expense, since VW usually bought about US$ 300 million per year from GM). Despite the agreement, VW did not acknowledge any illegal act, but recognized the possibility of illegal activity performed by its executives. López had resigned from his position at VW two months before this agreement. The Spanish court refused to extradite López, considering that the charges were not serious enough to justify it. Considering the focus of this paper, besides the alleged industrial espionage, the negative effects of this confrontation for both companies and the loss of knowledge and experience that GM suffered anyway, it is interesting to notice that López had reportedly asked for access to a huge number of classified documents four months before leaving GM. According to the approach suggested here, a monitoring system could have identified an unusual access pattern to classified material, a warning that could draw attention to the possibility of an OR event. GM would hardly have avoided the departure of López and other executives, but it could perhaps have proactively adopted some actions to avoid or minimize any negative effect of this departure.
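The monitoring system suggested above for the López case, and the warning tool that flags “behaviour patterns divergent from the usual pattern” mentioned under the benefits of this approach, as an added example that is not part of this paper: a per-user weekly baseline over access logs to classified documents, flagging a week whose count of distinct classified documents is far above the user's own history. The log format, user names, document ids and thresholds are all constructed for illustration.

```python
"""Added example (not from the paper): baseline-deviation detector for access to
classified documents. Log format, users, document ids and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, user, document id, classification.
# "bob" touches 2-3 classified documents a week, then 8 in one week; "alice" is steady.
SAMPLE_LOG = """\
2009-01-05T09:12:00,alice,DOC-101,CONFIDENTIAL
2009-01-05T10:03:00,bob,DOC-201,CONFIDENTIAL
2009-01-07T14:20:00,bob,DOC-202,SECRET
2009-01-12T09:30:00,alice,DOC-102,CONFIDENTIAL
2009-01-13T11:05:00,bob,DOC-203,CONFIDENTIAL
2009-01-14T15:45:00,bob,DOC-204,CONFIDENTIAL
2009-01-16T08:50:00,bob,DOC-205,CONFIDENTIAL
2009-01-19T09:00:00,alice,DOC-103,CONFIDENTIAL
2009-01-20T10:10:00,bob,DOC-201,CONFIDENTIAL
2009-01-22T16:30:00,bob,DOC-206,SECRET
2009-01-26T09:15:00,alice,DOC-104,CONFIDENTIAL
2009-01-27T10:40:00,bob,DOC-202,SECRET
2009-01-28T13:00:00,bob,DOC-207,CONFIDENTIAL
2009-01-29T17:10:00,bob,DOC-208,CONFIDENTIAL
2009-02-02T09:05:00,alice,DOC-105,CONFIDENTIAL
2009-02-02T12:00:00,alice,DOC-900,PUBLIC
2009-02-03T19:02:00,bob,DOC-301,SECRET
2009-02-03T19:05:00,bob,DOC-302,SECRET
2009-02-03T19:09:00,bob,DOC-303,SECRET
2009-02-03T19:14:00,bob,DOC-304,CONFIDENTIAL
2009-02-04T20:30:00,bob,DOC-305,CONFIDENTIAL
2009-02-04T20:35:00,bob,DOC-306,CONFIDENTIAL
2009-02-05T21:00:00,bob,DOC-307,SECRET
2009-02-05T21:10:00,bob,DOC-307,SECRET
2009-02-05T21:12:00,bob,DOC-308,CONFIDENTIAL
"""

@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    doc_id: str
    kind: str

def parse_log(text):
    """Parse the constructed CSV-style log into AccessEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, doc_id, kind = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, doc_id, kind))
    return events

def weekly_distinct_counts(events, classified=("CONFIDENTIAL", "SECRET")):
    """Return {user: {(iso_year, iso_week): distinct classified docs touched}}.
    Distinct documents, not raw hits, so re-opening one file does not inflate the count."""
    docs = defaultdict(set)
    for ev in events:
        if ev.kind in classified:
            iso = ev.when.isocalendar()
            docs[(ev.user, (iso[0], iso[1]))].add(ev.doc_id)
    counts = defaultdict(dict)
    for (user, week), ids in docs.items():
        counts[user][week] = len(ids)
    return counts

def find_anomalies(counts, min_history=3, z_threshold=3.0, min_docs=6):
    """Compare each week against the same user's earlier weeks. A week is flagged when
    its count is at least z_threshold population standard deviations above that history
    and also at least min_docs, so a flat one-a-week baseline does not alert on a second.
    Returns (user, week, count, baseline_mean, z) tuples."""
    alerts = []
    for user in sorted(counts):
        by_week = counts[user]
        weeks = sorted(by_week)
        for i in range(min_history, len(weeks)):
            history = [by_week[w] for w in weeks[:i]]
            current = by_week[weeks[i]]
            mu = mean(history)
            sigma = max(pstdev(history), 1.0)  # floor: a flat baseline has sigma ~0
            z = (current - mu) / sigma
            if current >= min_docs and z >= z_threshold:
                alerts.append((user, weeks[i], current, round(mu, 1), round(z, 1)))
    return alerts

def run_detection(log_text):
    """Full pipeline: parse, aggregate per user and ISO week, flag deviations."""
    return find_anomalies(weekly_distinct_counts(parse_log(log_text)))

if __name__ == "__main__":
    for user, week, count, baseline, z in run_detection(SAMPLE_LOG):
        print(f"ALERT {user}: {count} distinct classified documents in "
              f"{week[0]}-W{week[1]:02d} (baseline {baseline}/week, z={z})")
```

On the constructed log only bob's last week is flagged; the repeated DOC-307 hit and alice's PUBLIC document do not affect the counts.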

In February and again in April 2008, data storage tapes with backups of personal data of customers of the Bank of New York Mellon Corp. (BNY Mellon) were lost. In the first incident, the tapes held information on about 4 million customers, whilst in the second the tapes held information on 47 institutional customers and an unspecified number of individual customers. In both cases the tapes were lost while being transported by BNY Mellon contractors. Although the bank stated that there was no evidence that the lost data had been used or accessed, it decided to offer, free of charge for a period of two years, a monitoring service and insurance worth US$ 25,000 for those customers affected by identity theft. As serious as this event may seem, it is perhaps not so rare. In March 2008 HSBC also lost a data disc with personal data of 370,000 insurance customers, in an incident very similar to that of BNY Mellon. Despite the fact that the data was protected only by a password, not by any cryptographic method, HSBC stated that the risk faced by its customers was limited because there was no information regarding addresses or accounts on the disc. What is the impact of this data loss? It can certainly be much higher than the amount spent to indemnify customers, inform the general public, explain itself to regulators and reduce the negative effect of these events on the bank’s credibility. For companies that depend intrinsically on trust to do business – as is the case of a financial institution – this kind of event may doom the organization to closure. The reaction to this sort of event seems to be becoming stronger, and one can expect that companies that treat the personal information of their customers carelessly will be increasingly scrutinized by the public and by governments.

In January 2008 Petrobras, the leading Brazilian energy company, informed the Police that two laptops with classified information about recently discovered oil and gas fields of great economic value had been stolen. A Federal Police investigation found that four port guards were responsible for the theft and ruled out the industrial espionage hypothesis, since they “had no idea” how important the information on those laptops was. Even setting aside the hypothesis of espionage, what would be the cost to a company in a similar situation if the laptops were not recovered? Employees of a Petrobras contractor were using those computers, and in the absence of backup tools and policies they could well have been the only source of that critical information (this aspect was not covered by the press). In this situation, and supposing that the laptops were not recovered, all that work would have to be done again, doubling the cost and perhaps increasing the risk of losing a market opportunity due to the time needed to redo what had been done before.

The last case is related to Bear Stearns Asset Management. In June 2008, the Securities and Exchange Commission (SEC, the organization in charge of monitoring the North-American financial market) charged two former investment portfolio managers, who were then directors, for supposedly delivering false information to investors of two funds managed by the company. The information had minimized the increasing problems faced by the funds in the beginning of 2007 due to investments in the subprime market (which is related to mortgages with a high credit risk profile). The false information was allegedly meant to keep customers from withdrawing resources, or even to make them increase their investment. Ultimately both funds collapsed, generating a loss of about US$ 1.8 billion to their investors. It is interesting to notice that in this case the false information did not affect the company responsible for it, but its customers, whose decision making process was supposedly compromised by the false information. Whatever the truth behind this case, it makes clear that the impact of this kind of event can be disastrous to the reputation of a company.

All these cases have in common a poorly managed intangible asset and the occurrence of a serious or potentially serious operational risk event. All of them reinforce the approach suggested by this paper to integrate Knowledge Management and Operational Risk Management perspectives.

Conclusion

This paper has demonstrated the coherence, validity and necessity of integrating Knowledge Management and Operational Risk Management perspectives, in order to benefit the professionals involved in both areas and also the companies that decide to adopt this approach.

Naturally, it is only the first step towards the development of an integration model that could be adequately adopted by any company. It is reasonable to expect that this effort will generate a revision in practices usually adopted by both disciplines, in order to guarantee perfect synergy and the achievement of significant results. Companies must also be committed to start this effort, something that is likely to be pushed by the necessity of improving OR management practices imposed by governments and regulators.

References

Bradsher, K. (2000) “Former G.M. Executive Indicted On Charges of Taking Secrets”, [online], The New York Times, http://query.nytimes.com/gst/fullpage.html?res=980DE6D91F3AF930A15756C0A9669C8B63&sec=&spon=&pagewanted=all.

Bank for International Settlements (2006) “International Convergence of Capital Measurement and Capital Standards”, [online], Basle Committee on Banking Supervision, www.bis.org.

Bank for International Settlements (1998) “Operational Risk Management. Working Paper nº 42”, [online], Basle Committee on Banking Supervision, www.bis.org.

Bryan, L. L. (2004) “Making a market in knowledge”, The McKinsey Quarterly, No. 3.

Carvalho, E. J. L. (2005) “Negligência com a Gestão do Conhecimento destrói valor na empresa – as exposições que desafiam os gestores de Risco Operacional”, [online], Lista de Riscos, www.listaderiscos.com.br.

Dale, E. (2001) “Spain Court Refuses to Extradite Man G.M. Says Took Its Secrets”, [online], The New York Times, http://query.nytimes.com/gst/fullpage.html?res=9D05EFD91131F933A15755C0A9679C8B63.

Hauschild, S., Licht, T. and Stein, W. (2001), “Creating a knowledge culture”, The McKinsey Quarterly, No. 1.

Krogh, G., Ichijo, K. and Nonaka, I. (2000) Enabling Knowledge Creation: How to Unlock the Mystery of Tacit Knowledge and Release the Power of Innovation, Oxford University Press, New York.

Longo, E. C. F. (2001) “A Economia do Conhecimento”, InformationWeek Brasil, Business Innovation Edition.

Meredith, R. (1997) “VW agrees to pay G.M. $100 million on espionage suit”, [online], The New York Times, http://query.nytimes.com/gst/fullpage.html?res=9C02E0D61638F933A25752C0A961958260.

Pamplona, N. and Auler, M. (2008) “PF prende 4 vigias que levaram dados da Petrobrás e diz que é furto comum”, [online], O Estado de São Paulo, http://www.estadao.com.br/estadaodehoje/20080229/not_imp132576,0.php.

Saito, A. (2007) Educating Knowledge Managers: A Competence-Based Approach, Japan Advanced Institute of Science and Technology, School of Knowledge Science.

Toffler, A. (1984) The Third Wave, Bantam.

Wilson, T. D. (2002) “The nonsense of 'knowledge management'”, [online], Information Research, Vol. 8, No. 1, http://informationr.net/ir/8-1/paper144.html.

(2008) “HSBC loses customers' data disc”, [online], BBC News, http://news.bbc.co.uk/go/pr/fr/-/2/hi/business/7334249.stm.

(2008) “BNY Mellon's data tape 'lost in transit'”, [online], Pittsburgh Tribune-Review, http://www.pittsburghlive.com/x/pittsburghtrib/s_570347.html.

(2008) “SEC Charges Two Former Bear Stearns Hedge Fund Managers With Fraud”, [online], RiskCenter.com, http://www.garp.com/resources/newsfeed.aspx?Category=6&MyFile=2008-06-20-16659.html.
