
Simple Risk Model

The Simple Risk Model grew out of my frustration with the way businesses currently approach operational risk. During my career I found myself all too frequently involved in mind-numbing arguments with auditors, accountants, regulators, senior managers and fellow op risk managers as to the level of the company's risk exposure and what controls were necessary. As the conversations descended into measuring the level of inherent and residual risk in the business, it seemed like we were debating how many angels could dance on the head of a pin. All too often we (and I include myself) just did not know what we were talking about. Each one of us was responsible for managing risk, yet none of us could objectively identify what it was. There had to be a better way.

When I began my journey to discover a solution, I was surprised to find that the fundamental components of risk were already well established, but poorly understood in the op risk community. There had to be a way to take these fundamental principles and adapt them to such areas as information security, business continuity and technology management.