Preparing for the Assessment
Before you begin the process of assessing the risks within your business, you first need to take several steps to prepare:
These are the formal, objective steps that need to be followed for a successful risk assessment. But there is an additional, subjective element to this process - Operational Risk assessment is an imperfect science. You will be predicting the future and that prediction will be rest primarily on whether humans will act as expected. Donald Rumsfeld as the US Secretary of Defense stated, "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know." As the War in Iraq demonstrated there were aspects of the invasion of that country that involved crucial facts that "we don't know we don't know" and those facts lead, in part, to Rumsfeld's downfall. The same dilemma was presented in the recent financial crisis where several banking institutions failed to properly recognize the concentration and liquidity risks related to packaging sub-prime mortgages. It is important to note that these major blunders were not actually based on what "we don't know we don't know." In actuality, they were caused by the decision to ignore or underweight the known risks. There was an abundance of evidence before the invasion that Iraq would be thrown into sectarian violence without the presence of a repressive central government. Similarly, past financial bubbles provided ample evidence that markets will tumble and when they do minimizing concentration and liquidity risk is crucial to how well the financial institution will survive. But if the evidence is there, why do we choose to ignore it? Why did Chuck Prince, the CEO of Citigroup, state in July of 2007 (before the sub-prime crash), "When the music stops, in terms of liquidity, things will be complicated. But as long as the music is playing, you’ve got to get up and dance. We’re still dancing." The answer lies in the imperfection of humans. Not only is it difficult to predict how humans will act in the future, the prediction is made by an equally imperfect human. As part of the risk assessment you will likely be confronted with difficult, uncomfortable issues. You may discover a crucial flaw in the controls around a process that is central to a new business initiative, an initiative that the CEO of your company is pushing forward so forcefully that he or she will not listen to any negative comments. Similarly you may find a technology head who refuses to acknowledge a risk, not because the risk is insignificant, but because there is currently no viable solution available. While this site can not provide help in how to navigate this political minefield, you need to at least acknowledge that you are in a denial dilemma and find a means of avoiding the repression of the evidence of the control failure. And that is where the true art of risk assessments comes in. The challenge in predicting the future is not so much in using the crystal ball as in finding a way to tell your customer that the future may not look as rosy as they would like.
You can jump to the next section on the Risk Assessment Process or click "Next" below to go through more details on how to prepare for the Assessment.
©2009 ISRMC, LLC