
Introduction

This article outlines the need for advanced risk management approaches for operational managers, risk managers, practitioners in business process design and Six Sigma black belts. The distributed or complex process organization has become a reality with the availability of the Internet, outsourcing models, and region-specific specialization in goods and services.

Assessing Risks in Complex Environments


As the global business environment continues to grow, it has become the practice of management to share the work process among multiple groups. The permanent enterprise is being replaced by the virtual enterprise, the dominant force being the mission being pursued. In the virtual environment, managers have to deal with interrelationships and dependencies amongst technologies, data, tasks, activities, processes, and people. In this changing scenario, risk analysis techniques also have to be reviewed with innovative approaches. The virtual enterprise also results in managers finding themselves responsible for the completion of a mission while not directly controlling all the resources needed to accomplish it. Managers must not only concentrate on the risks arising from the tasks they oversee, but also identify and address risks inherited from upstream activities and minimize the risks imposed on downstream activities.

Risk assessment
Risk assessments are required when evaluating performance because they indicate potential operational failures. Traditionally, there are two schools of thought on risk management. The first school had a negative connotation of the word risk and discouraged employees from openly specifying the probability of a risk arising, thereby eliminating all possibilities of mitigation measures being adopted. The members of the second school, however, viewed risk management as a means of avoiding failure, thereby accepting risk mitigation measures. Currently, a third school of thought is emerging, where managers neither ignore the risk altogether nor view it as a means of avoiding failure. Instead, they view risk management as a way to position themselves for success by taking a holistic view of risk and finding the means to integrate information on the various types of risks, such as process, security and interoperability risks. They require a single risk profile that provides an insight into a broad range of risk factors.

Tools and techniques

The distributed work process (synonymous with business process, workflow and process for this article) is the flow of work as it crosses organizational boundaries, connecting several smaller processes into a larger, more complex process. It includes all tasks, procedures, organizations, people, technologies, tools, data, inputs and outputs required to achieve desired objectives. In this scenario, the hierarchy of missions can be visualized in the diagram below:

Organisation's mission

Group of departments' mission

Specific department mission

Work process mission

(Hierarchy of missions)

Since outsourcing and collaboration are widely accepted business models, the hierarchy of missions can include multiple organizations. Though many risks affect business (speculation, business etc.), it is the operational risks that affect mission failures the most, as far as managers are concerned. A definition of operational risk, borrowed and modified from the Basel Committee on Banking Supervision, could read: operational risk is the potential failure to achieve mission objectives. The definition includes both uncertainty (potential failure) and loss (inability to achieve the mission goals).

Challenges in operational risk


Personnel who work closely with a work process will have exact knowledge of how operational risks adversely affect the process, but they cannot manage the risks as they do not have the authority to allocate mitigation resources. In many cases the risks are not escalated due to the fear of reprisal, or because they simply do not know to whom the issues have to be addressed. A second reason why operational risk is difficult to control is that people understand enough to complete their work tasks in the process, but do not understand how their tasks and activities relate to other stakeholders in the complex environment. An important factor to be considered in mitigating operational risk is to address as many issues as possible when designing and developing the process, instead of resolving problems that occur during operations. A second important factor is not just to identify what is causing the concern, but also why the person should be concerned (i.e., the impact, long and short term). As of now, operational threats can be categorized into mission, design, activity, environment and event risks. An important factor to be remembered when working with these threats is to consider all the categories and not leave any gaps.

Operational risk in distributed process


A work process is a collection of interrelated work tasks which take inputs and convert them into outputs to achieve a specific result. Work processes can be represented by workflow diagrams as below:

[Workflow diagram: activities A1, A2, A3 and A4]

In the diagram above there are four activities (A1 to A4). Activity A1 kicks off the process; its output feeds activities A2 and A3, which are performed in parallel, and their combined outputs are sent to activity A4, which is the final activity in the process. If all activities are performed correctly, the mission is accomplished.

In the next diagram below, the process consisting of activities A1 to A4 becomes a part of a larger process that consists of four distinct sub-processes.

In the diagram above, four organizations have pooled their resources to complete the mission, thereby creating a distributed business process. Contractual relationships define the relationships among all the participating organizations. No single management has authority over the end-to-end workflow; instead, each organisation's management controls its piece of the overall process. Most contracts do not mandate a common approach for managing risk, resulting in a lack of uniform operational risk tolerance in most distributed processes. The operational risk affecting an activity in a distributed process influences the risk affecting all subsequent activities. Therefore, it is necessary for managers to be aware of the risk they inherit from upstream activities and, in turn, impose on downstream activities.

In the diagram, organization C's management does not have a detailed knowledge of the inner workings of the processes and practices of its partners. Organization C's largest risk will be the amount of organizational risk it inherits from organization A, and organization C cannot establish an accurate risk profile without knowing the extent of the risk it is inheriting. Similarly, organization C imposes a degree of operational risk on all its downstream activities, which is a combination of the risk inherited from the upstream activities and the amount of risk generated locally. This highlights the fact that operational risk is a dynamic property of any work process, because it changes as it flows from one activity to the next.

A threat to an activity triggers a risk to the work process mission. However, this linear relationship does not track inherited and imposed risk, which makes it unsuitable for analysing complex work processes. Instead, the risks can be visualized as shown below.

[Diagram: Threats and Controls (T1, T2, T3, C1, C2) and the resulting Risk (R1)]

In considering the threats, the controls that affect the threat also have to be considered. (Controls, as derived from COBIT, include policies, procedures, practices, conditions and organizational structures designed to provide reasonable assurance that a mission will be achieved and undesired events will be prevented, detected and corrected.) Extending this visualization to an end-to-end process

Controls can also include experience of the staff (which reduces the threat from lack of documentation) or all the personnel in the organization understanding the mission (which reduces the threat from inherited risks).
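The inherited and imposed risk described above can be worked through on the A1 to A4 workflow. This is an added example, not part of the original article: the local risk values are constructed, and the combining rule (an activity's output is sound only if it and every upstream activity succeed, with local failures independent) is an assumption, since the article gives no formula.

```python
from graphlib import TopologicalSorter
from math import prod

# Workflow from the article: A1 feeds A2 and A3 in parallel; both feed A4.
# Each activity maps to the activities directly upstream of it.
UPSTREAM = {"A1": [], "A2": ["A1"], "A3": ["A1"], "A4": ["A2", "A3"]}

# Constructed sample values: probability that an activity fails for
# purely local reasons (threats left over after its own controls).
LOCAL_RISK = {"A1": 0.05, "A2": 0.10, "A3": 0.02, "A4": 0.01}


def ancestors(upstream):
    """Map each activity to the set of ALL activities upstream of it."""
    result = {}
    # static_order() yields predecessors first and raises on a cycle.
    for node in TopologicalSorter(upstream).static_order():
        result[node] = set()
        for parent in upstream[node]:
            result[node] |= {parent} | result[parent]
    return result


def risk_profile(upstream, local_risk):
    """Return local, inherited and imposed risk for every activity.

    Assumed model: inherited risk is the chance that at least one upstream
    activity failed; imposed risk adds the activity's own local risk.
    Working from the ancestor set counts A1 once for A4, even though A4
    is reached through both A2 and A3.
    """
    profile = {}
    for node, ups in ancestors(upstream).items():
        inherited = 1 - prod(1 - local_risk[a] for a in ups)
        imposed = 1 - (1 - inherited) * (1 - local_risk[node])
        profile[node] = {
            "local": local_risk[node],
            "inherited": round(inherited, 4),
            "imposed": round(imposed, 4),
        }
    return profile


if __name__ == "__main__":
    for name, row in risk_profile(UPSTREAM, LOCAL_RISK).items():
        print(name, row)
```

With these sample values, A4 has a local risk of 0.01 but inherits 0.1621 from upstream, which is the gap a manager sees when only locally generated risk is tracked.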

Limitations of the current approaches


The majority of the risk analysis techniques in use today lack the ability to gauge mission assurance in distributed processes. These techniques do not:

1. Track inherited and imposed risk
2. Characterize risk from interrelationships and dependencies among threats and controls
3. Incorporate operational risks arising from emergent properties of distributed controls
4. Estimate

Some recent cases in India would bear evidence to this phenomenon. Honda's India unit will halve production because of a shortage of components following the March (2011) tsunami in Japan, while Toyota Motor Corp. is cutting production by 70%. The much awaited Honda Brio, which was to be showcased on March 17 (2011), has been delayed indefinitely by Honda Siel India. Toyota's second plant inauguration in Bidadi, Bangalore has been postponed (investment 3,200 crores).

Losses due to the Telangana strikes:

1. APRTC - 200 crores
2. Singareni Collieries - 600 crores + 120 crores wages during strike period
3. Power purchase from other states - 250 crores
4. Active pharmaceutical ingredients - 500 crores
5. Industry and Trade Loss - 2500 crores
