Posts - Integrating the
Model in the Real
1/13/09: Audit & Risk - Seeing the Forest from the Trees
9/4/08: Security ROI
6/28/08: Boise: A
5/10/01: FFIEC Business
4/3/08: SOX 404 Audits
Weaknesses in Current Approaches to Op Risk
- Lack of historical data
Technology and business practices constantly change
- The operational risk community, for the most part, lacks a sufficient amount of reliable historical data on losses that could be used to make predictions as to future losses. By means of comparison - the insurance industry has an abundance of historical information that it uses to price premiums. Your car insurance company, for example, has enough data to make a relatively accurate prediction as to the number of cars that will be stolen annually in any given zip code. But an information security specialist has no comparable method of predicting the probability of whether their business' primary computer system will suffer a major computer breach in the next year. This leaves the IS specialist to resort to "gut feel" and their personal experiences as the foundation for their risk assessment decisions.
No common methodology
- Part of the reason that there has been little success in building a reliable database of op risk losses is that the value of any such database would be undermined by the constantly evolving nature of technology and business processes. Simply, what was true in op risk yesterday, would be questionable tomorrow.
Everyone is an expert
- It is as if we are all lost in a Tower of Babel. There are thousands of op risk assessment tools and methodologies available in the community, but none that is commonly accepted. In addition, those tools which have staked out some level of prominence are a). so resource intensive that they are unusable in the workplace and b). focus on only a limited portion of the components in risk the risk equation. More importantly, these tools tend to treat such areas as information security and business continuity planning as completely independent risk methodologies and, as a result, these tools fail to leverage the overarching elements of operational risk. There just is not a tool you can go to that will cover all the bases of risk and give you a result that is understood and accepted within the community.
- It should be noted that there are several robust, formal risk assessment methodologies available, such as OCTAVE, ISO/IEC 27001, and COSO. Any business in the process of creating or overhauling their operational risk program should consider such methodologies as the foundation for their program. However, care should be taken to minimize the possibility that the implementation of the methodology degrades into a checkbox exercise. These methodologies are resource intensive and require significant training and experience in risk to manage effectively. Without such training and experience, risk managers in the field will likely resort to blindly filling in the forms, instead of considering the risks. That is, in part, why I created the Simple Risk Model. The Model does not replace these methodologies, but it does try to simplify the learning and communication process so that management can better understand the underlying concepts of the methodologies and better weigh the results.
- This is probably the most insidious challenge to operational risk. Everyone of us considers ourselves to be a risk expert. Our survival at the end of each day is a testament to our ability to handle the risks that life has thrown at us. And, if we are expert at managing the risks in our daily lives, why should we waste our time developing a disciplined and objective understanding of operational risk? We would rather deal with risk in a haphazard, experiential manner guided by our unique individual experiences, prejudices and emotions. We are guided by "gut feel" when we respond to risk in the work place, not logic. It is this reliance on subjective reasoning that is the greatest barrier to moving the operational risk community towards a more structured and objective approach to risk.