5/10/01: FFIEC Business Continuity Planning

Why Use the Simple Risk Model?

Take a look at the FFIEC's IT Handbook on Business Continuity Planning for financial institutions. It is an excellent, comprehensive document, an all-encompassing cookbook for how to create a business continuity plan. It is also overwhelming in its scope. For example, it recommends that financial institutions perform a Business Impact Analysis (BIA) to assess and prioritize the organization's processes. The Handbook then states:

"Once business functions and processes have been assessed and prioritized, the BIA should identify the potential impact of uncontrolled, non-specific events on these business functions and processes. Non-specific events should be identified so that management can concentrate on the impact of various disruptions instead of specific threats that may never affect operations. At the same time, management should never ignore potential risks that are evident in the institution’s particular area. For example, financial institutions may be located in flood-prone areas, near fault lines, or by areas subject to tornados or hurricanes." (p. 8)

Imagine yourself explaining to senior management, as part of a BIA, that they must assess "non-specific" events while also keeping in mind the impact of specific risks such as floods or earthquakes. Good luck. The concept is correct, but it is not one that can easily be explained to management.

The Handbook then proceeds to list 14 critical questions that must be addressed for each business process as part of performing the BIA. However, no guidance is given as to how the answers should be factored into the BIA results. Nor does the Handbook clarify that the questions are primarily focused on control issues, not on the importance or impact of the process.

What to do? If you are a US financial institution, you need a documented BIA process as part of your business continuity planning, or you can expect a series of pointed questions from the regulators as to why you do not have one. But the FFIEC Handbook only tells you what you need to do, not how to do it. In effect, the regulators tell the banks they need a "wheel" (the BIA) but don't tell them how to make it. So every bank must reinvent the wheel.

Just as every wheel has a standard set of properties, so does risk. If we can identify those common principles and simplify them to a level that management can understand, we have identified the "how". The Simple Risk Model provides a method for assessing any operational risk through a structured, logical process. It provides a means of organizing the requirements of sources such as the FFIEC Handbook and of guiding management through the assessment.

What we need is a methodology similar to the financial statement process. Accounting is an incredibly detailed and complex discipline, but its final product, the financial statement, can be understood by anyone with a minimal amount of training. At this point in the evolution of operational risk management we are a long way from being able to adopt the equivalent of a financial statement to quantify and communicate risk. The Simple Risk Model is an attempt to move us closer to that goal.
