Journal of Operational Risk Management - Operational Risks of Not Sharing Data
Poorly integrated information systems often lead to risks that are high in frequency and low in severity. However, many catastrophic failures and loss events can also be traced back to a lack of integration. No single software application, consulting engagement or other silver bullet can solve the problem: doing so requires vision, discipline and an understanding of why many integration initiatives do not succeed.
1 INTRODUCTION
Sharing information across departments, software applications and other silos may pose the greatest existing systemic operational risk in any industry. The problem hinders decision making across nearly every organizational function. The Senior Supervisors Group, a forum of senior representatives of supervisory authorities from several countries (see Senior Supervisors Group (2009)), concluded that one of the four primary causes of the financial crisis was inadequate and often fragmented technological infrastructures that hindered effective risk identification and measurement. A lack of management commitment to such risk controls, as well as a lack of resources to develop the required information technology (IT) infrastructure, were cited as ongoing obstacles to improvement. Poor integration of data across systems and departments is repeatedly mentioned throughout the document as an impediment to risk management. In no way are these problems specific to banking, or specific to managing credit risk or market risk. Consider the operational risks that the US intelligence community faces because of the same problem. The terrorist attack of September 11, 2001 and the attempted attack on December 25, 2009 could both have been prevented if data had been shared more effectively (National Commission on Terrorist Attacks (2004)). Operational risks should be considered in terms of their relevance to an organization's ability to perform its mission. There is perhaps no greater example of mission failure.
Salespeople lose customers, and service personnel often provide slow or ineffective service, because key information needed to serve customers is spread all over the organization. Sales, service and operations staff spend tremendous amounts of time entering nearly identical data into multiple systems, and it does not always get entered in the same way, causing process errors and mistakes later on. A study by Vanson Bourne (2009) showed the following: (1) 89% of respondents stated that they cannot get a single view of process performance because information on business processes is held in multiple operational systems; (2) 80% of respondents use middleware to try to bring data together, with results that those in charge find unsatisfactory; and (3) 67% admitted that they hear about problems in service from customers before they identify the problems themselves.

Why are firms so bad at this? Making the mental connection between integration infrastructure and customer attrition due to poor service can be a difficult leap. There are other fairly simple reasons, and thankfully there are also remedies. First we define the problem with some examples and focus on what some of the solutions look like. We then look at some of the risks and difficulties associated with implementing these solutions.

Serving customers faster, reducing processing errors and dramatically shortening the cycle times of core business processes are direct benefits of integrated data. Event-processing infrastructure can enable real-time visibility into key performance metrics that would otherwise only be available weeks or months after the relevant point in time. This allows for rapid responses in a constantly changing business environment. If customer waiting times go up, we should know right away. If customer complaints increase, we should know right away. If orders decrease, we should know right away. If input costs increase, we should know right away. Each of these simple examples presents a measurable operational risk that, if not addressed promptly, can lead to substantial loss events. Information technology organizations already spend around 30% of their budgets on enterprise information integration (Gannon et al (2009)), yet most of these efforts are not conducted in a proactive or systematic fashion. Integrations are built and maintained in a reactive way with little thought for consistency, reusability or any kind of strategy.
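To make the idea of event-driven visibility concrete, the following is a minimal sketch (in Python, illustrative only) of how an application might publish operational events to a simple in-process publish/subscribe helper, with a subscriber that keeps a rolling count of customer complaints and raises an alert the moment a threshold is crossed rather than at month end. The EventBus class and the event names are assumptions made for this example, not a reference to any particular product.

    # Minimal sketch of event-driven KPI monitoring (illustrative only).
    from collections import defaultdict, deque
    from datetime import datetime, timedelta

    class EventBus:
        """Tiny in-process publish/subscribe helper (hypothetical)."""
        def __init__(self):
            self._subscribers = defaultdict(list)

        def subscribe(self, event_type, handler):
            self._subscribers[event_type].append(handler)

        def publish(self, event_type, payload):
            for handler in self._subscribers[event_type]:
                handler(payload)

    class ComplaintMonitor:
        """Counts complaints over a rolling window and alerts immediately."""
        def __init__(self, window_minutes=60, threshold=5):
            self.window = timedelta(minutes=window_minutes)
            self.threshold = threshold
            self.timestamps = deque()

        def on_complaint(self, payload):
            now = payload["timestamp"]
            self.timestamps.append(now)
            # Drop complaints that have fallen out of the rolling window.
            while now - self.timestamps[0] > self.window:
                self.timestamps.popleft()
            if len(self.timestamps) >= self.threshold:
                print(f"ALERT: {len(self.timestamps)} complaints in the last hour")

    bus = EventBus()
    monitor = ComplaintMonitor()
    bus.subscribe("customer_complaint", monitor.on_complaint)
    # A service application would publish this the moment a complaint is logged.
    bus.publish("customer_complaint", {"customer_id": 42,
                                       "timestamp": datetime.utcnow()})

In a real deployment the events would come from the organization's messaging infrastructure rather than an in-process helper, but the pattern is the same: the metric becomes visible the moment the underlying event occurs.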
Straight-through processing (STP) is a formalized way of implementing some of the recommendations in this paper, specifically in the financial-services industry. Because the stakes of data accuracy, integrity and timeliness are so high in financial services, best practices for integration are formalized and broadly adopted. For these reasons, many financial-services firms have become very adept at process automation and integration.

A large manufacturing firm in the Pacific Northwest had a very difficult time obtaining a complete view of its committed costs. It did not know what had been spent in a given month or quarter. Only when the books were rolled up at the end of the period was the company able to see what was actually spent, and to compare this with budgeted numbers. This obviously made it difficult to control spending. Spending would frequently exceed what was budgeted, and redundant stocks of spare parts were common. Hundreds of thousands or even millions of dollars were being wasted. The reason for these problems was that there were many remote offices where spending took place. Some of the larger remote offices had developed their own systems for tracking expenses and spending, while some of the small offices just kept this data in spreadsheets. The remote offices would reenter the data into the corporate financial system, or send batch uploads of the data, on an infrequent and inconsistent basis. The company solved this problem by integrating the larger remote office systems into the corporate financial system in real time, and by rolling out a web-based expense-tracking tool to the smaller offices that directly updated the corporate financial system. The result was greatly improved expense management, cash management, vendor management and inventory management. All of these benefits arose from just a little integration.

An oil and gas company that I worked with in Calgary several years ago was finding it difficult to decide where to invest tens of millions of dollars because it lacked visibility into which projects were paying off best, or had the most potential to pay off. Without an integrated view of how different projects were producing, related production costs, potential for future production, and past and future maintenance costs, the organization had little confidence that it was investing its capital optimally. To make matters worse, its economic situation changed daily due to fluctuations in spot and futures oil prices. Capital allocation was being performed based on monthly and quarterly data, in an environment where the economics were changing every day. One executive said that he felt like he was investing tens of millions of dollars with a blindfold on. To address this problem, the organization deployed technology to consolidate information into a reporting database. It standardized definitions of critical data across applications and delivered this information to users through personalized dashboards. These dashboards were updated throughout the day as data was delivered to the reporting database via events in real time. The company also automated many core business processes to ensure that when data was updated in one application it stayed in sync with other applications.
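A minimal sketch of this kind of event-driven consolidation into a reporting database follows (illustrative only; the table, project and field names are assumptions, and SQLite stands in for whatever reporting database an organization actually uses). Source systems emit events as activity happens, and the reporting table is upserted immediately, so dashboards always reflect current data rather than last month's roll-up.

    # Illustrative sketch: consolidating events into a reporting database.
    import sqlite3
    from datetime import date

    conn = sqlite3.connect(":memory:")  # a real deployment would use a shared reporting database
    conn.execute("""
        CREATE TABLE project_performance (
            project_id  TEXT,
            report_date TEXT,
            production  REAL,
            cost        REAL,
            PRIMARY KEY (project_id, report_date)
        )
    """)

    def on_production_event(event):
        """Apply one event so dashboards see up-to-the-minute figures."""
        conn.execute("""
            INSERT INTO project_performance (project_id, report_date, production, cost)
            VALUES (?, ?, ?, ?)
            ON CONFLICT (project_id, report_date) DO UPDATE SET
                production = production + excluded.production,
                cost       = cost + excluded.cost
        """, (event["project_id"], event["date"], event["volume"], event["cost"]))
        conn.commit()

    # A field system reports activity as it happens, not at month end.
    on_production_event({"project_id": "well-17", "date": str(date.today()),
                         "volume": 1200.0, "cost": 8400.0})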
The deployed solution gave the customer vastly improved visibility of its business and increased confidence that it was making the right investments at the right time.

In financial services, sharing information across partners and departments is broadly known as straight-through processing (STP). Due to the high stakes of data quality in the financial-services industry, many firms have become very good at this. Straight-through processing represents a major shift from common T+3 trading toward same-day settlement. This is accomplished by sharing information more effectively between departments and between partners in a transaction. Straight-through processing helps to keep the front office and back office synchronized by integrating data and systems. This kind of integration can drive significant operational costs out of a business. Rather than relying on operational staff to manually enter data from trading systems into back-office systems, which is expensive and leads to errors, STP automates these activities. By implementing STP, firms increase the probability that a contract or an agreement is settled on time, thereby reducing settlement risk. The sharing of information between transaction partners is another important aspect of STP and is a great way for firms to find a competitive advantage and to further reduce costs. In essence, however, STP is just a way to share information more effectively in order to improve transaction processes.
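As a highly simplified sketch of the idea (the system names and fields below are assumptions for illustration, not a description of any particular firm's systems), a trade captured once in the front office can be propagated to back-office settlement without any re-keying:

    # Illustrative straight-through processing sketch: no manual re-entry.
    front_office_blotter = []
    back_office_settlements = []

    def capture_trade(trade):
        """Front-office entry point: record the trade and hand it downstream."""
        front_office_blotter.append(trade)
        on_trade_captured(trade)  # in practice this would be an event on a message bus

    def on_trade_captured(trade):
        """Back-office subscriber: build the settlement instruction automatically."""
        back_office_settlements.append({
            "trade_id":     trade["trade_id"],
            "counterparty": trade["counterparty"],
            "amount":       trade["quantity"] * trade["price"],
            "settle_date":  trade["trade_date"],  # same-day settlement target
        })

    capture_trade({"trade_id": "T-1001", "counterparty": "ACME Bank",
                   "quantity": 500, "price": 99.75, "trade_date": "2010-06-01"})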
The impact of such solutions may be far greater than the impact of more specific, or narrowly focused, solutions. Lam (2003) identifies three clear benefits that should come from operational risk management endeavors. Data-sharing initiatives satisfy all of these. (1) Rigorous operational risk management should both minimize day-to-day losses and reduce the potential for occurrences of more costly incidents. (2) Effective operational risk management improves a company's ability to achieve its business objectives. As such, management can focus its efforts on revenue-generating activities, as opposed to managing one crisis after another. (3) Finally, accounting for operational risk strengthens the overall enterprise risk management system.
When many employees become reliant on these spreadsheets or small databases to do their jobs, it becomes difficult to change the upstream application, because doing so would prevent users from keeping their spreadsheets up to date. This limits IT flexibility, which in turn limits the flexibility of the whole enterprise. Such desktop databases are also a security risk: it is very easy for employees to e-mail databases or to store them on a personal drive.

Another persistent problem often occurs in the way in which siloed applications are integrated. Applications are typically integrated manually, through duplicate data entry, or by creating all manner of different software connections between different applications. We have already covered the problems with manual integration and multiple entry. However, the problems created by excessive software connections, or interfaces, are also profound. These connections can severely inhibit the flexibility of an entire organization. They are created using whatever technology the developer desires, and they are usually not monitored or created in a consistent way. They also get duplicated frequently, as data from one application may need to be integrated with several other applications. The maintenance of these connections consumes significant resources, and the connections themselves prevent organizations from upgrading or switching software applications because of the effort that would be required to rebuild them if a new application were installed. Benefiting from new technology is very hard when an organization is tightly wired to a legacy technology infrastructure. The next section outlines several ways of addressing these visibility and operational efficiency problems.
Although data-warehouse systems can help immensely with data visibility problems, they do little to address the operational efficiency problems related to siloed information. In fact, the new connections that are created in order to push data into a warehouse often make the problem worse. In reality, as organizations grow, data warehouses often become a necessity. Without a consistent, consolidated and summarized source of information, reporting becomes increasingly difficult over time. Data-warehouse solutions also fit well with the project-oriented nature of many IT departments. Although data warehouses can be used for some predictive analysis, they are typically backward looking and intended for historical reporting.
Organizations have always been driven by business events, so why is this not the case for IT departments? Chandy and Schulte (2007) cite three reasons for the increased importance of event-based integration: (1) increased business competitiveness; (2) an increased level of responsiveness and real-time interaction due to the broad adoption of internet technologies; and (3) the increased power and capability of hardware and software, accompanied by a dramatic increase in technical capabilities.
Whether the step in question is financial analysis, scoring, a credit decision or document preparation, business-process tools can automate much of this process by exposing and reusing functions in the existing systems, then connecting these existing functions in new ways. Process tools typically enable complex rule definition as well. For example, if a customer is going to be denied a loan, the deny step of the process can automatically check whether the customer qualifies for a credit card, which may be another path to profit, and a way to help a customer rebuild damaged credit. This same rule could be reused in another process as well, such as a process for a customer who is opening a new checking account.

Process automation tools may be implemented with or without an event-based and service-based integration infrastructure. However, the value that process automation tools provide is often greater if an event and services infrastructure is already in place. Event-based and service-based integration infrastructure increases the usefulness of this technology for two reasons. First, it cuts down on the number of hard-wired connections, which are very damaging to organizational flexibility. Event technology enables business processes to tell the messaging technology about an important event that needs to be shared across applications, or, vice versa, enables the messaging technology to tell a process about such an event. This contrasts with hard-wired connections between applications, which involve massive duplication and do not allow for reuse.

Let us now consider an example that includes business-process automation as well as event-based integration. Consider what part of a loan application process might look like if systems are not integrated. First, a loan officer has to manually enter data into a loan processing system, a credit management system and a document preparation system. Next, they walk to (or call) the credit department to find a credit analyst and tell them to hurry up with the credit processing. The credit analyst has some difficulty locating the credit request because the identification in the credit system is different from that in the loan processing system. After locating the record, the credit analyst informs the loan officer that the request has not yet been completed, or even begun, because the loan officer had entered some of the customer's information incorrectly and the customer's identification could not be validated. This is just the beginning of the process.

As an alternative, imagine that when the loan officer entered information into the loan processing application, it automatically created a loan request event. Other applications, such as the credit management and document preparation applications, might be interested in this event and have a subscription to it. This event might also be subscribed to by a business process called loan application. This process can tie together the activities of the loan application across all of the different applications that it touches, and it can also assign tasks to the people who are required to advance the loan application process. The loan request event has all of the loan application data
attached to it, and the subscribing process and systems are automatically updated with this information. As soon as the loan request event is received by these other systems, credit analysis and document preparation will begin. When the credit analyst completes his credit analysis task and submits his feedback, this would fire an event called credit feedback, which the loan application process would subscribe to, causing the process to wake up from a state where it was waiting for feedback. Then the processing of the loan application would resume. All system interaction and human interaction are orchestrated by the loan application process, and each event and activity in the process is recorded and fully auditable. There are countless examples of other improvements that are possible in almost any kind of business.
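The following sketch (Python, illustrative only; the event and system names are assumptions, not a reference to any specific product) shows the shape of this interaction: a single loan request event fans out to the subscribing systems, the orchestrating process records every event so the history is auditable, and a later credit feedback event wakes the waiting process up again.

    # Illustrative sketch of the event-driven loan application example.
    from collections import defaultdict

    subscribers = defaultdict(list)
    audit_trail = []  # every published event is recorded, making the process auditable

    def subscribe(event_type, handler):
        subscribers[event_type].append(handler)

    def publish(event_type, payload):
        audit_trail.append((event_type, payload))
        for handler in subscribers[event_type]:
            handler(payload)

    def credit_management(loan):
        print(f"Credit analysis started for application {loan['application_id']}")

    def document_preparation(loan):
        print(f"Document preparation started for application {loan['application_id']}")

    def loan_application_process(feedback):
        """The waiting loan application process resumes when feedback arrives."""
        print(f"Process resumed for {feedback['application_id']}: "
              f"decision is {feedback['decision']}")

    subscribe("loan_request", credit_management)
    subscribe("loan_request", document_preparation)
    subscribe("credit_feedback", loan_application_process)

    # The loan officer enters the data once; every subscriber is updated automatically.
    publish("loan_request", {"application_id": "LA-77", "customer": "J. Doe",
                             "amount": 250000})
    # Later, the credit analyst submits feedback and the waiting process wakes up.
    publish("credit_feedback", {"application_id": "LA-77", "decision": "approved"})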
FIGURE 1 Policy resistance to integration standards. [Causal loop diagram; its nodes include new project or software application, burden for project/developers, standardized integration initiatives, haphazard integration, data quality, data visibility and benefit to organization.]
(4) Lack of standard definitions for data can slow things down. It is easy to get stuck in the weeds discussing what data constitutes a customer or an order. This is further complicated by differences in semantic representations of data in different applications. For example, height can be measured in feet, inches, centimeters, etc. Weight and distances often have different measurements as well (Gannon et al (2009)). Such issues complicate the construction of standard definitions and, for those who have not dealt with such issues, the task can seem quite daunting. Figure 1 depicts a causal loop diagram showing how standardized integration initiatives can be thwarted by some of the forces described above. The diagram is easiest to read by starting on the right-hand side, at project schedule compression, and following the arrows.
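As a small illustration of the semantic differences described in item (4) above, the sketch below (with a deliberately tiny conversion table and hypothetical unit labels) normalizes height readings arriving from different applications to a single canonical unit before they are loaded:

    # Illustrative sketch: reconciling unit differences during integration.
    TO_CENTIMETERS = {
        "cm": 1.0,
        "in": 2.54,
        "ft": 30.48,
    }

    def normalize_height(value, unit):
        """Convert a height reading to the canonical unit (centimeters)."""
        try:
            return value * TO_CENTIMETERS[unit]
        except KeyError:
            raise ValueError(f"Unknown height unit: {unit!r}")

    # Records arriving from two different source applications:
    print(normalize_height(72, "in"))   # 182.88
    print(normalize_height(180, "cm"))  # 180.0

The hard part in practice is not the conversion itself but agreeing on the canonical definitions, which is exactly where the forces shown in Figure 1 apply.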
4.1 Measurement
By creating a database of loss events, the measurement and analysis of these risks becomes far easier. Whether it is customer attrition, a work stoppage event or something more serious, the objective reporting of such events into a single repository will increase visibility and awareness. The reporting of such events needs to be independent, however. A salesperson or serviceperson may be reluctant to disclose a loss, or may attribute a loss incorrectly in order to manage his/her performance metrics. For this reason, reports of loss events should be reviewed in a short process or workflow before being entered into the database. Even when there is a high level of independence in the reporting process, attribution is still difficult. However, as long as the reporting process is fairly independent, this can be addressed later. Such measurement efforts make it much easier to achieve strategic management support and sponsorship, which is obviously critical.

It is also important to measure benefits as well as losses. There is some art here and some science, but data sharing undoubtedly creates some direct and measurable benefits. Many business processes can be optimized and shortened, driving costs out of the business. The total amount of integration code that needs to be created and maintained is reduced. Troubleshooting becomes less costly because process audit trails are maintained and can be easily reported. Such improved flexibility can actually become a competitive advantage that attracts new customers, although attribution of such effects is difficult.
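A minimal sketch of what a loss-event record supporting such an independent review step might look like follows (the field names and statuses are assumptions for illustration, not a prescribed schema):

    # Illustrative loss-event record with a review step before database entry.
    from dataclasses import dataclass
    from datetime import date
    from typing import Optional

    @dataclass
    class LossEvent:
        event_date: date
        category: str                  # e.g. "customer attrition", "work stoppage"
        description: str
        reported_by: str
        estimated_loss: float
        review_status: str = "pending"           # pending -> approved / rejected
        reviewed_by: Optional[str] = None
        attributed_cause: Optional[str] = None   # may be filled in after later analysis

    def approve(event: LossEvent, reviewer: str) -> None:
        """An independent reviewer signs off before the event enters the repository."""
        event.review_status = "approved"
        event.reviewed_by = reviewer

    event = LossEvent(date(2010, 3, 4), "customer attrition",
                      "Key account lost after repeated order errors",
                      reported_by="sales-021", estimated_loss=150000.0)
    approve(event, reviewer="ops-risk-07")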
4.2 Recognition
Effective incentives and controls are also essential. Communicating standards of how integration should be performed within IT, and publishing these standards, is a good start. Recognition is a powerful motivator too, and by publicly and positively acknowledging compliance with such standards, successful adoption is much more likely.
4.5 Timing
There are good times and bad times to roll out integration infrastructure. It is unrealistic to imagine that any organization would throw away years' worth of hard-wired software connections and replace them overnight. This would be a large and risky project, with little immediate or obvious benefit to the business. However, upgrading or replacing large systems creates a great opportunity. Large systems have many software connections, or interfaces. When these systems are replaced, many software connections must also be replaced. This is the ideal time to start doing things the right way.
5 CONCLUSION
Data, along with customers and employees, is increasingly identified as one of an organization's most valuable assets (Pitney Bowes Business Insight (2009)). Organizations must take care to maintain this asset just as they take care of their other key assets, such as employees and customers. However, efforts to improve data quality, visibility and integration take a great deal of patience and commitment. There are many places where such efforts can be compromised. Although they may be difficult to track and measure, loss events resulting from poor-quality data are rampant. Some of the examples in this paper provide a good starting point for beginning to
recognize data problems and to attribute loss events to them. Progress will be gradual and iterative but, over time, data-quality improvements can profoundly change an organization and make it more adaptable and flexible. Gradually, they will raise the quality of work of any employee who uses software to do his or her job. Process errors and breakdowns will diminish, and customers will be served faster and more effectively.
REFERENCES
Chandy, K. M., and Schulte, W. R. (2007). What is event driven architecture (EDA) and why does it matter? Discussion Paper (July).

Chandy, K. M., and Schulte, W. R. (2009). Event Processing: Designing IT Systems for Agile Companies. McGraw-Hill, New York.

De Fontnouvelle, P., DeJesus-Rueff, V., Jordan, J., and Rosengren, E. (2003). Using loss data to quantify operational risk. Working Paper, Federal Reserve Bank of Boston.

Gannon, T., Madnick, S., Moulton, A., Sabbouh, M., Siegel, M., and Zhu, H. (2009). Framework for the analysis of the adaptability, extensibility, and scalability of semantic information integration and the context mediation approach. In Proceedings of the 42nd Hawaii International Conference on System Sciences, January 5-8, Big Island, HI. Institute of Electrical and Electronics Engineers, New York.

Gustafsson, J., Nielsen, J. P., Pritchard, P., and Roberts, D. (2006). Quantifying operational risk guided by kernel smoothing and continuous credibility: a practitioner's view. The Journal of Operational Risk 1(1), 43-55.

Lam, J. (2003). Enterprise Risk Management: From Incentives to Controls. John Wiley & Sons.

Michelson, B. M. (2006). Event-Driven Architecture Overview: Event-Driven SOA Is Just Part of the EDA Story. Report, Patricia Seybold Group (February).

National Commission on Terrorist Attacks (2004). The 9/11 Commission Report: Executive Summary (July).

Pitney Bowes Business Insight (2009). Managing your data assets. White Paper, IDC Government Insights.

Senior Supervisors Group (2009). Risk management lessons from the global banking crisis of 2008. Report, Senior Supervisors Group (October).

Vanson Bourne (2009). Overtaken by events? The quest for operational responsiveness. Study commissioned by Progress Software (September).