Risk from A to Z

How do you explain the concept of Risk from A to Z in a blog post? The word “risk” is used in different ways, and organizations face different types of risk. The most important risks are those related to the objectives of the organization, namely serving or selling, directly or indirectly, to the customer: the so-called operational risks, which are common in ongoing projects and processes. Below, starting from a broader framework of risk, I set out why Business Continuity Management (BCM), within the family of risk management disciplines, is important for risk-aware organizations. So: risk from A to Z. In this contribution I express my own opinion, not that of any organization. Inspired by the article “Operational Risk Management: a primer” by John Robinson, FBCI, UK.
Author: Manu Steens

What is Operational Risk Management (ORM)?

Like most concepts related to risk management, operational risk management comes from the banking and financial world, but the concept stretches readily across all types of organizations. One definition of operational risk is given in the Basel II Accord as follows:

“The risk of loss resulting from inadequate or failing internal process, people and systems, or from external circumstances.” (Basel II Accord)

It is about the inherent property of processes, people and resources that can fail, resulting in undesirable effects.

Operational risk management

Operational Risk Management usually deals with the following issues:

  • Integrity and robustness of processes and procedures;
  • People, their talents and their training;
  • Insurance and self-insurance;
  • Outsourcing and associated inheritance of risks and supply chain risks (i.e. suppliers and customers are important);
  • Infrastructure, systems, and telecommunications;
  • Physical security and information security. (see also ISO 27002 for this purpose)

Note that by this (non-exhaustive) list, ICT security becomes a sub-area of ORM.

How to manage operational risk?

Managing risk lies in understanding and managing two concepts that define risk: loss and probability.

Loss can be defined as “…any financial or otherwise undesirable effect that adversely affects one or more interested parties, as a result of an operational failure.”

Note that this refers to a wide range of tangible and intangible things:

  • Fines due to untimely deliveries, or wrong deliveries;
  • Loss of reputation;
  • Loss of employees;
  • Loss of wages, compensation or benefits;
  • Excessive overtime;
  • Physical or psychological trauma, hospitalizations or deaths.

Probability and loss

Probability is defined in this context as “…the qualitative or quantitative assessment of probability of occurrence of a particular operational failure.”

Probability is therefore a statistical quantity: no exact number can be attached to the occurrence of rare operational failures. This leaves room for subjectivity and estimation.

The fact that loss and probability cannot exist in isolation, and thus require the concept of a risk description, can be illustrated with a risk description of the failure of a server:

A server has an average time between failures (mean time between failures) of 10000 hours and an average recovery time of 24 hours. Upon failure, a loss of €50000 is expected due to unperformed work and increased personnel costs for hiring temporary workers to clear backlogs.
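To make the server risk description above concrete, here is an added example (not from the original post, and not the author's method) that turns its figures (MTBF 10000 hours, recovery time 24 hours, loss of €50000 per failure) into annualised numbers: expected failures per year, expected annual loss, downtime per year and availability. It also ranks the server against the other threats the post names; the figures for those other threats are constructed for the demonstration and are not from the post.

```python
# Added example: a small risk-description model. The server figures come from the
# post; every other figure below is an assumption made up for illustration.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class RiskDescription:
    threat: str
    mtbf_hours: float      # mean time between failures
    mttr_hours: float      # mean time to recover after a failure
    loss_per_event: float  # expected loss per failure, in EUR

    def events_per_year(self) -> float:
        """Annualised rate of occurrence: expected number of failures per year."""
        return HOURS_PER_YEAR / self.mtbf_hours

    def annual_loss_expectancy(self) -> float:
        """Probability (expressed as a yearly rate) times loss per event."""
        return self.events_per_year() * self.loss_per_event

    def downtime_hours_per_year(self) -> float:
        """Expected hours per year the asset is down because of this threat."""
        return self.events_per_year() * self.mttr_hours

    def availability(self) -> float:
        """Fraction of time the asset is up, considering only this failure mode."""
        return self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)


# Figures taken from the post's server example
SERVER = RiskDescription("Server failure", mtbf_hours=10000, mttr_hours=24, loss_per_event=50000)

# Constructed figures for the other threats the post lists (assumed, not from the post)
ASSUMED_THREATS = [
    SERVER,
    RiskDescription("Electricity blackout", mtbf_hours=2000, mttr_hours=4, loss_per_event=8000),
    RiskDescription("Sabotage", mtbf_hours=50000, mttr_hours=72, loss_per_event=150000),
    RiskDescription("Theft of funds", mtbf_hours=20000, mttr_hours=0, loss_per_event=30000),
]


def rank_by_annual_loss(risks):
    """Order risk descriptions by expected annual loss, largest first."""
    return sorted(risks, key=lambda r: r.annual_loss_expectancy(), reverse=True)


if __name__ == "__main__":
    for r in rank_by_annual_loss(ASSUMED_THREATS):
        print(f"{r.threat:22s} events/yr={r.events_per_year():6.3f} "
              f"ALE=EUR {r.annual_loss_expectancy():10.0f} "
              f"downtime={r.downtime_hours_per_year():6.2f} h/yr "
              f"availability={r.availability():.5f}")
```

Ranking by expected annual loss is one way to compare a threat profile across threats; the numbers only order the constructed list and say nothing about the rare-event estimation problem the post raises, which is why the rate and the loss are kept as separate, editable fields.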

Of course, there are threats other than server failure.

  • Theft of funds;
  • Sabotage;
  • Electricity blackout.

What is a threat

A threat can be defined as, “Any unpredictable event that may give rise to failure in processes, procedures, people, resources,… despite existing measures taken.”

A threat may give rise to different types of failures, and conversely, multiple threats may have a hand in the same type of failure. This reasoning gives rise to the concept of an organization’s “Risk Profile”. This consists of three types of profiles:

  • The threat profile: how relevant is a threat to an organization?
  • The loss profile: how does the organization actually feel the loss (more or less like pain) after a disruption?
  • The gap profile: what measures have already been taken, what gaps still exist in the defense, how well has the “shell model” of resilience been worked out? And where does (unnecessary or necessary) overlap of measures exist?

In doing so, the following concepts, among others, are important:

  • Dependencies: for example, a UPS (Uninterruptible Power Supply) is a good measure against a power outage, but the organization thereby becomes dependent on (the proper functioning of) its own emergency generators, on the teams of technicians who can make repairs at the electricity supplier, and possibly on smooth communication with the fuel suppliers for the emergency generators.
  • Scenarios: the actual sequence of events triggered by the materialization of a threat. Given the rapid sequence of events and the extensive possibilities of the unforeseen, this scenario can quickly become complex.

Conclusion

Improving the risk profile with this model can then be done in three ways:

  • Prevent, reduce, share or avert threats;
  • Close ‘gaps’ (security holes, vulnerabilities or weaknesses) with measures;
  • Introduce recovery measures so that for ‘worst case scenarios’ the duration time of failure of the critical processes remains minimal. (Thus developing a BCP, among other things)

This line of thinking about operational risk provides an insight into one of the reasons why BCM is important: BCM improves the risk profile of the organization.

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.
