Microsoft Word - 07_Ferry Jie_How Can Every Organization.doc Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 88 HOW CAN EVERY ORGANIZATION MANAGE THE OPERATIONAL RISK? Ferry Jie1; Hasan Akpolat2; Deepak Sharma3; James Irish4 ABSTRACT This article describe how every organization (generally) and Australian Organizations (specifically) can manage the operational risks. Recently, the operational risks are the significant issues in every organization because every organization will suffer from poor operational performance due to risks, failure, and problems such as a number of losses which are likely to be made worse. Basically, the operational risk management process has five steps, identification, analysis, treatment, controlling, and communication/consulting. Generally, many organizations (in particularly in Australia and New Zealand) have already used AS/NZS 4360-Risk Management System, AS/NZS 4801-Occupational Health and Safety Management System, ISO 14001: Effective Environmental Management System, ISO 9001: Quality Management System, AS/NZS 7799: Information Security Management, AS/NZS 3806: Compliance Management System for reducing/mitigating/managing the operational risks. Based on the SAI Certification Register, the number of Australian Organizations got the AS/NZS ISO 9000 series, AS/NZS 14000 series, AS/NZS 4801 and AS/NZS 7799.2:2000 Certifications are 3338, 30, 20 and 5 respectively. It can conclude that Australian Organizations prefer used AS/NZS ISO 9000 series rather than AS/NZS ISO 14000 series, AS/NZS 4801 and AS/NZS 7799.2:2000. Keywords: organizational, operational risk ABSTRAK Artikel membahas bagaimana setiap organisasi (pada umumnya) dan organisasi di Australia (khususnya) mengatur risiko operasional. Risiko operasional menjadi isu utama setiap organisasi akhir-akhir ini karena banyak organisasi mengalami kesulitan dalam operasionalnya seperti risiko, kegagalan, dan masalah lain. Masalah tersebut akan menimbulkan kerugian. Manajemen risiko operasional memiliki lima tahap, yaitu identifikasi, analisis, pemeliharaan, pemeriksaan, dan komunikasi/konsultasi. Banyak organisasi, terutama di Australia dan Selandia Baru, menggunakan AS/NZS 4360-Risk Management System, AS/NZS 4801-Occupational Health and Safety Management System, ISO 14001: Effective Environmental Management System, ISO 9001: Quality Management System, AS/NZS 7799: Information Security Management, AS/NZS 3806: Compliance Management System for reducing/mitigating/managing the operational risks. Dapat disimpulkan bahwa organisasi di Australia lebih banyak menggunakan AS/NZS ISO 9000 daripada AS/NZS ISO 14000, AS/NZS 4801, dan AS/NZS 7799.2:2000. Kata kunci: organisasi, risiko operasional 1 PhD Student at Faculty of Engineering, University of Technology Sydney and Lecturer at Bina Nusantara University, Jakarta-Indonesia 2 Principal Supervisor, Senior Lecturer at Faculty of Engineering, University of Technology Sydney, Australia 3 Co-Supervisor, A/Professor at Faculty of Engineering, University of Technology Sydney 4 Co-Supervisor, Senior Lecturer at Faculty of Engineering, University of Technology Sydney How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 89 INTRODUCTION Recently, the operational risks are the significant issues in every organization because every organization will suffer from poor operational performance due to risks, failure, and problems such as a number of losses which are likely to be made worse. These problems will make the companies met tremendous inefficiency or ineffectiveness, unpredictable profit margins, lost revenues/throughputs, and also business value lost. The reference operational risk sources/factors in business particularly in manufacturing consist of as follows. Table 1 Reference Operational Risk Sources/Factors in Business No Sources/Elements of operational risk Failure/Losses/Breakdown 1 Design • product design changes • insufficient product innovation and design 2 Quality (the risk of providing a nonconforming products and services to an end customer) • poor quality of incoming raw material, work in process (WIP) materials and finished products (rework, quality control, custom specification) 3 Money/Cost • currency rate always change • variable cost manufacturing increase • inflation risk • fund risk 4 Availability/Inventory • unavailability /shrinkage materials/components/parts • inventory of work in process material/finished products excess 5 Manufacturing Process • machine/equipment (include material handling equipment) down/failure or unreliable, poor technology and equipment (tooling and fixture), poor routing and machine loading • poor maintenance and reliability • missed production scheduling • bottleneck, capacity constraint, misguided capacity plan, poor production line set up and cycle time/production time lengthen • poor transportation/shipment system • poor facility layout • poor labour skill/not motivated labour Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 90 Table 1 Reference Operational Risk Sources/Factors in Business (continued) 6 Demand/Marketing-Sales • poor customer satisfaction (doesn’t meet what the customers want)/poor customer service, consumer loss of confidence • poor marketing strategy • globalization / competitive market • shorter product and technology lifecycle • variability demand/fluctuation/”bullwhip” effect/uncertainty customer demand forecasting and lead time wrong/lengthen 7 Supplier/Vendor • supplier capacity constraints • delivery time raw material from supplier (lead time lengthen) • poor supplier contracts (long term supply contracts) • poor coordination and partnership • poor supplier selection • very far distance from suppliers to the manufacturing/industries • poor transportation / shipment system 8 Legal/Political • terrorism • poor political and legal situation • changes of local law • changes in government policy and improper estimation. 9 Health and Safety (the risk of injuring employees or other parties during operation, or providing an unsafe product) • poor safety and health (employee injuries on the job, non compliance with legal regulations/OSH policy/standard) • chemical, heat and mechanical hazards • maintenance and cleaning (electrical, equipment "entry", working at heights, enclosed space work, excavation, "hot work") • walking surfaces and stairs (slips, trips and falls) • hazardous materials • temporary equipment or arrangements (e.g. use of equipment for purpose other than original design) • dust and fumes from manufacturing processes • poor work station and task design leading to repetitive stress injury • lifting activities • noisy or vibrating equipment (vibrating conveyors, motors, high pressure pipes, How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 91 high pressure venting, etc) resulting in deafness or "white finger" injuries. • lack of effective communication on health and safety matters 10 Environmental (“the risk of damaging the environment during manufacturing process or supplying an environmentally unfriendly product”), • growth environmental pressure • poor environment • poor recycling system / there is no recycling system 11 Information Technology • loss of IT function (such as loss of index to data) • distorted information flow (mismanagement, hardware system cannot support the information flow) • no backup when needed • information security • backup data corrupt 12 Natural Risk • fire, flood, hurricane, earthquake, etc In order to solve these problems, every organization should have the system or strategy how to manage or mitigate the operational risks. This article will describe about how every organization (generally) and Australian Organizations (specifically) can manage the operational risks. This article limits the study to the reference operational risk sources/factors only such as health and safety, quality, environment, general risk without discussing the natural risk, legal and political risk, and financial risk. DISCUSSION Definition of Risk According to Lowrance, risk is the measure of probability and severity of adverse effects (Lowrance, 1976). In addition, Chapman defined the risk as an exposure to the possibility of economic of financial loss or gains, physical damage, injury, or delay as a consequence of the uncertainty associated with pursuing a course of action (Chapman and Cooper, 1983). Australian Standard/NZS 4360:1999 defined risk as the chance of something happening that will have an impact upon objectives. It is measured in terms of consequences and likelihood. Definition of Risk Management According to AS/NZS 3931:1998, risk management is a systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risk. Furthermore, AS/NZS 4360:1999 described that risk management is the systematic application of management policies, procedures, and practices to the tasks of identifying, analyzing, evaluating, treating, and monitoring risk. Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 92 Lam and Kawamoto added the definition of risk management as a scientific method to the problem of dealing with the pure risks which are faced by individuals or businesses (Lam and Kawamoto, 1997:30-35). According to PMBOK, risk Management is the systematic process of identifying, analyzing, and responding to potential project risk. It includes maximizing the probability and impact of positive events and minimizing the probability and consequences of events adverse to project objectives. Definition of Operational Risk Management Operational risk is the risk related with business processes. Another definition is the risk that comes up during performance of work in industry (manufacturing or service). Operational risk can be divided into four areas as follows. 1. Quality, the risk of supplying a nonconforming product or service, to a customer. 2. Safety, the risk of supplying an unsafe product or service to a customer, and/or injuring workers during production. 3. Environment, the risk of supplying an environmentally damaging product to a customer or damaging the environment during production or provision of a service. 4. Security, the risk of being subjected to criminal activity during provision of a product or service. Another definition of Operational Risk Management (ORM) is a continuous, systematic process of identifying, and controlling risks in all activities according to a set of pre-conceived parameters by applying appropriate management policies and procedures. This process includes detecting hazards, assessing risks, and implementing and monitoring risk controls to support effective, risk based decision making (US Department of Transportation, 1999). How Every Organization Manage the Operational Risks In order to mitigate or manage the operational risks, this article will recommend some alternative strategies or methods for every organization based on extracting literature review and the expert judgement. Generally most Australian Organizations have already used AS/NZS 4360- Risk Management System, AS/NZS 4801-Occupational Health and Safety Management System, ISO 14001: Effective Environmental Management System, ISO 9001: Quality Management System, AS/NZS 7799: Information Security Management, AS/NZS 3806: Compliance Management System for reducing/mitigating/managing the operational risks. There are eleven recommendation alternative strategies or systems for every organization to reduce or manage the operational risks as follows. First Alternative of Operational Risk Management (ORM) Method/Strategy (Five Elements of ORM) There are five elements of operational risk management process as follows. 1. To identify the most important concern of operational risks in every industry in recent years and propose the appropriate tool for identifying the operational risk in every organization. How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 93 2. To analyze, measure, assess, and evaluate the operational risks in order to quantify, rank, and prioritize for focusing operational risk management effort on the higher/highest risk. Also to recommend the suitable technique for analyzing, measuring, assessing, and evaluating the operational risks. 3. A lot of kind of ways that most companies or industries have already used to treat/act (prevention and remedial action) the risks such as transfer, control, avoidance, reduction, retention, and acceptance. 4. To monitor and review 5. To communicate and consult. Second Alternative of ORM Strategy (Four Components of ORM) Based on the extracting literature review, there are four components of operational risk management models as follows. 1. Risk identification 2. Risk analyzise 3. Risk reducing measures 4. Risk monitoring Third Alternative of ORM Method (A Comprehensive and Systematic Operational Risk Management) Tummala and Leung (1999) have proposed the third alternative of operational risk management strategy which is a comprehensive and systematic risk management approach consisting of five core elements of risk management process. 1. Risk Identification 2. Risk Measurement 3. Risk Assessment 4. Risk Controlling 5. Risk Monitoring PMBOK Strategy (Six Elements of Project Risk Management) According to A Guide to the Project Management Body of Knowledge (PMBOK), there are six elements of project risk management. They are risk management planning, identification, assessment, quantification, response planning, and risk monitoring and control. Whereas, Chapman and Ward (1997) proposed nine steps of risk management namely define, focus, identify, structure, ownership, estimate, evaluate, plan, and manage. CAN/CSA Q850-97- Risk Management Model There are seven element of risk management process according to CAN/CSA Q850-97, Risk Management: Guideline for Decision Makers such as Initiation, preliminary analysis, estimation, evaluation, control, action, and monitoring. Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 94 AS/NZS 4360: 1999, Risk Management Model AS/NZS 4360: 1999, risk Management has seven elements of risk management process (see Figure 1) as follows. 1. To establish the organizational, strategic and risk management context, develop risk evaluation criteria, and define the structure. 2. To identify comprehensively risks/hazards using a well structured systematic process such as what can happen, how and why things may arise as the basis for further analysis or to be managed and tools or techniques. 3. To analyze risks/hazards. 4. To evaluate risks. 5. To treat risks 6. To monitor and review the performance of the risk management system and all changes which probably can influence it. 7. To communicate and consult with internal or external stakeholders at the earliest each stage of the risk management process and to concern the process as a whole Figure 1 Risk Management System Process How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 95 AS/NZS 4801: Occupational Health and Safety Management System AS/NZS 4801: Occupational Health and Safety Management System-General Guidelines on principles, systems and supporting techniques is the part of the overall management system which includes organisational structure, planning activities, responsibilities, practices, procedures and resources for developing, implementing, achieving, reviewing, and maintaining the OHS policy and so managing the risks associated with the business of the organisation. This standard is working in concurrence with AS/NZS 4804. Infact, AS/NZS 4804 is a guideline to support for implementing and improving the Occupational Health and Safety Management System. AS/NZS 4801:2001, OHS Management System Model can be seen at Figure 2. AS/NZS 4801 covers the comprehensive range of the requirements for effective occupational health and safety practice such as setting the policy, planning (identification of hazards, assessment and control the operational risks), setting training and competence, monitoring, measuring and recording management, auditing procedures and requirements and reviewing management. Figure 2 AS/NZS 4801:2001, OHS Management System Model According to SAI Global Certification Register, there are only 20 Australian Organizations got the certification of AS/NZS 4801: Occupational Health and Safety (see the table 2 and figure 3). Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 96 Table 2 The Number of Australian Organizations Got AS/NZS 4801 Certification No Type of Organization Frequency Fr(%) 1 Mining 0 - 2 Manufacturing 10 50 3 Electricity, Gas and Water Supply 2 10 4 Construction 8 40 5 Retail Trade 0 - 6 Transport 0 - 7 Government Administration and Defence 0 - 8 Health and Community Services 0 - Total 20 100 0 5 10 15 20 25 30 35 40 45 50 M in in g M an uf ac tu rin g El ec tri ci ty , G as an d W at er Su pp ly C on st ru ct io n R et ai l T ra de Tr an sp or t G ov er nm en t A dm in is tra tio n an d D ef en ce H ea lth a nd C om m un ity Se rv ic es 1 2 3 4 5 6 7 8 Frequency Fr(%) Figure 3 Chart of the Number of Australian Organizations got AS/NZS 4801 Certification AS/NZS ISO 9001: Quality Management Systems AS/NZS ISO 9001: Quality Management Systems-Requirements was published by Standards Australia and Standards New Zealand, in 2000. The aim of this standard is the effectiveness of the quality management system in meeting customer requirements. AS/NZS ISO 9001:2000, Quality Management System model chart can be seen at Figure 4. How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 97 Figure 4 AS/NZS ISO 9001: Quality Management System Model SAI Certification Register noted that there are around 3500 Australian Organizations got the certification of AS/NZS ISO 9000 series (see the table 3 and figure 5). Table 3 The Number of Australian Organizations Got AS/NZS ISO 9000 series Certification No Type of Organization Frequency Fr (%) 1 Mining 53 2 2 Manufacturing 2174 65 3 Electricity, Gas and Water Supply 32 1 4 Construction 441 13 5 Retail Trade 365 11 6 Transport 169 5 7 Government Administration and Defence 33 1 8 Health and Community Services 71 2 Total 3338 100 Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 98 0 500 1000 1500 2000 2500 M in in g M an uf ac tu ri ng E le ct ri ci ty , G as an d W at er C on st ru ct io n R et ai l T ra de T ra ns po rt G ov er nm en t A dm in is tr at io n H ea lt h an d C om m un it y 1 2 3 4 5 6 7 8 The Number of Australian Organizations Used AS/NZS ISO 9000 Series Frequency Figure 5 Chart of the Number of Australian Organizations got AS/NZS ISO 9000 Series Certification AS/NZS ISO 14001: Environmental Management Systems AS/NZS ISO 14001: Environmental Management Systems-Specification with guidance for use was prepared by the Standards Australia and Standards New Zealand QR/11 in 1996. It is the same as the International Standard ISO 14001: Environmental Management Systems- Specification with guidance for use. The key elements of an AS/NZS ISO 14001 are environmental policy, planning, implementation and operation, checking and corrective action, management review and continual improvement. AS/NZS ISO 14001, Environmental Management Systems Model chart can be seen at Figure 6. How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 99 Figure 6 AS/NZS ISO 14001: Environmental Management System Model Based on the SAI Certification Register, there are around 30 Australian Organizations got the AS/NZS ISO 14000 Series (see the table 4 and figure 7). Table 4 The Number of Australian Organizations got the AS/NZS ISO 14000 Series Certification No Type of Organization Frequency Fr(%) 1 Mining 2 7 2 Manufacturing 16 53 3 Electricity, Gas and Water Supply 3 10 4 Construction 5 17 5 Retail Trade 3 10 6 Transport 1 3 7 Government Administration and Defence 0 - 8 Health and Community Services 0 - Total 30 100 Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 100 0 5 10 15 20 25 30 35 40 45 50 M in in g M an uf ac tu rin g El ec tri ci ty , G as an d W at er Su pp ly C on st ru ct io n R et ai l T ra de Tr an sp or t G ov er nm en t A dm in is tra tio n an d D ef en ce H ea lth a nd C om m un ity Se rv ic es 1 2 3 4 5 6 7 8 Frequency Fr(%) Figure 7 Chart of the Number of Australian Organizations got the AS/NZS ISO 14000 Series Certification AS/NZS 7799: Information Security Management AS/NZS 7799:Information Security Management gives a lot of description about the security mechanism and framework, protecting the confidentiality, integrity and availability of information. In addition, this standard covers all dimensions of information security management such as security policy, security organization, asset classification and control, personnel security, physical and environmental security, communications and operational management, access control, system development and maintenance, business continuity management and compliance. In contrast, this lacks the examples and the implementation / actions suggestion. AS/NZS 7799 is divided into two sections, the first section is about a code of practice for information security management and the second section is about the specification a risk management based information security management system. How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 101 According to SAI Global, there are only five Australian Organizations got AS/NZS 7799.2:2000, Information Security Management System Certification (see the table 5). Table 5 Listing of Australian Organizations got AS/NZS 7799.2:2000 Certification No Name of Organization Type of Industry 1 ICAC Business Management Services and State Government Administration 2 ANZ Banking Group Banking and Computer Consultancy Services 3 Bridge Point Communication Pty Ltd Telecommunication Services 4 Independent Pricing and Regulatory Business Management Services and State Government Administration 5 Tribuna and Office of the Ombudsman State Government Administration AS/NZS 3806: Compliance Management System AS/NZS 3806: Compliance Management System gives the principles or essential elements for the development, implementation, maintenance and management of effective compliance programs within both public and private organizations. This standard gives the structure for an effective compliance program to prevent, identify and respond to, breaches of laws, regulations, codes or organizational standards occurring in the organisation. In addition, this standard promotes a culture of compliance within the organization and assists the organization in remaining or becoming a good corporate citizen. This standard has three core elements as follows. 1. Structural Elements (commitment, compliance policy, management responsibility, resources, continuous improvement). 2. Operational Elements (identification of compliance issues, operating procedures for compliance, implementation, complaints handling system, record keeping, identification and rectification, systemic and recurring problems, reporting, management supervision). 3. Maintenance Elements (education and training, visibility and communication, monitoring and assessment, review, liaison and accountability). CONCLUSION Generally, every organizations may use five steps of operational risk management processes for mitigating or managing the operational risk such as identification, evaluation/analysis, risk treatment, risk controlling and risk communication/consulting. Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 102 Most Australian Organizations used the operational risk management models to mitigate or manage the operational risks (environment, health and safety issue, quality, information and general risks) such as AS/NZS 4360-Risk Management System, AS/NZS 4801-Occupational Health and Safety Management System, ISO 14001: Effective Environmental Management System, ISO 9001: Quality Management System, AS/NZS 7799: Information Security Management, AS/NZS 3806: Compliance Management System. Based on the SAI Certification Register, the number of Australian Organizations got the AS/NZS ISO 9000 series, AS/NZS 14000 series, AS/NZS 4801 and AS/NZS 7799.2:2000 Certification are 3338, 30, 20 and 5 respectively. In other words, we can conclude that Australian Organizations prefer used AS/NZS ISO 9000 series rather than AS/NZS ISO 14000 series, AS/NZS 4801 and AS/NZS 7799.2:2000. FURTHER RECOMMENDATION 1. This article will give the expectation of outcome such as strengthening management practices and decision making in operational level, reducing the operational downtime, reducing the material and property damage and serious injuries and fatalities and increasing the quality decision. 2. This article will give a good contribution for the researcher to explore and analyze the performance of current models of operational risk management in every organizations. 3. This article will provide a good direction to propose a new model of operational risk management model, for instance, integrating operational risk management system. REFERENCES Acotrel Risk Management Pty Ltd. 2000. Management System. Anonim. 2000. A Guide to the Project Management Body of Knowledge. Project Management Institute, ed. P. Chapter 11. USA: Standards Committee. Canadian Standards Association. 1997. Risk Management: Guideline for Decision Makers. CAN/CSA Q850-97. Chapman, C.B. and D.F. Cooper. 1983. “Risk Analysis: Testing Some Prejudices.” European Journal of Operational Research. ___________. and S. Ward. Project Risk Management: Processes, Techniques, and Insights. 1997. Chichester, New York: Wiley. Eloff, J.H.P., L.Labuschagne, and K.P. Badenhorst. 1993. A Comparative Framework for Risk Analysis Methods. Computers & Security. How Can Every organization Manage the Operational Risk? (Ferry Jie; et. al.) 103 Epich, R. and J. Persson. 1994. “A fire Drill for Business.” Information Strategy: The Executive's Journal. Lam, J. and B. Kawamoto.1997. Emergence of the chief risk officer. Risk Management. Lightle, S. and H. Sprohge. 1992. Strategic Information System Risk. Internal Auditing. Loch, K.D., H.H. Carr, and M.E Warkentin. 1992. Threats to Information Systems: Today's Reality, Yesterday's Understanding. MIS Quarterly. Lowrance W. W. Acceptable Risk. 1976. Los Altos, CA: William Kaufmann, Inc. PMI Project Management Standards Program. 2000. A guide to the Project Management Body of Knowledge. Newtown Square, PA, USA: Project Management Institute. Rainer, R.K., C.A. Snyder, and H.H Carr. 1991. “Risk Analysis for Information Technology.” Journal of Management Information Systems. Standards Australia International and Standards New Zealand. Risk Management. AS/NZS 4360:1999. ________________________________. Quality Management Systems-Requirements. AS/NZS ISO 9001:2000. ________________________________. 1998. Compliance Programs. AS/NZS 3806. ________________________________. Environmental Management Systems-Specification with Guidance for Use. AS/NZS ISO 14001:1996. ________________________________. Occupational Health and Safety Management Systems- Specification with guidance for use. AS/NZS 4801:2001. _____________________________. Risk Analysis of Technological Systems-Application Guide. AS/NZS 3931:1998. SAI Global Certification Register. 2003. Search For Certification Register. May 2003. SAI Global Assurance Services. 2001. Manage Your Risks, Assets, and Reputation-Occupational Health and Safety Management. Tummala, V.M.R. and Y.H Leung. 1999. Applying a Risk Management Process (RMP) to Manage Cost Risk for an EHV Transmission Line Project. International Journal of Project Management. US Department of Transportation. 1999. Operational Risk Management. COMDTINST 3500. Washington DC. Vitale, M.R. 1986. MIS Quarterly. Journal The WINNERS, Vol. 3 No. 1, Maret 2002: 88-103 104