Assessing Operational Risks and Managing Incidents
December 22, 2011 by
Filed under: Governance, Risk and Compliance
I'd like to write about some basic things; nothing groundbreaking, simply making use of information you probably already have. Many organizations hold a lot of information on their risks, but do not find ways to use it properly or to derive business intelligence from it. Organizations regularly perform risk assessments, some in a very structured way, many others less so. Many organizations already record incidents, sometimes just for compliance purposes with no particular business reasoning. Few use the combined intelligence; could it be valuable to compare risk assessment results with incident data? Certainly for operational risk events there should be a relation between the two: one would expect a risk that is assessed as likely, and is in fact happening frequently, to result in demonstrable incidents. The interesting data appears when you have both sets of information but cannot find that relation.
Now, two things might be the case:
- Your risk assessment was high, but you don't see any incidents. Again, two things:
  - Business was too negative and the risks aren't actually that high. In this case, check that business hasn't over-controlled everything at considerable cost and frustration. This is an opportunity for cost reduction.
  - The incidents aren't captured, implying they may well be happening and the business is losing money without even knowing it. This is the more serious situation and immediate action is required: verify incident capture first, because from the data alone this case looks identical to the previous one. This is an opportunity for risk reduction.
- Your risk assessment was low, but incidents are happening more than anticipated.
  - Clearly, the business underestimated the risk and the business processes are under-controlled. Extra measures should be taken immediately and the risk should be re-assessed. This is an opportunity for risk reduction and cost reduction too, since the incidents are prevented from happening.
All of these situations are triggers to increase risk awareness and risk responsiveness. Such an integrated view of risk assessments and incidents is only possible when both are held in an integrated system, or at least share an identifier that ties each recorded incident back to the assessed risk it realises.
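As an added example (not code from the original post), the following Python script performs the comparison described above: it joins a risk register, where likelihood is expressed as expected events per year, against an incident log in which each record is tagged with the risk it realises, and sorts every risk into one of the outcomes discussed. The register, the incident records, the risk identifiers and the ratio thresholds are all constructed for illustration and are not taken from any real organization. Note that a risk with a high assessment and zero incidents is deliberately reported as "none_observed" rather than as over-control, because the data alone cannot distinguish an overstated risk from incidents that are simply not being captured.

```python
"""Reconcile an operational risk register with an incident log.

Added example; all identifiers, figures and thresholds below are constructed.
"""
from collections import Counter

# Constructed risk register. Likelihood is expressed as the number of events the
# assessment expects per year, which is what makes it comparable with a count.
RISK_REGISTER = {
    "R1": {"name": "Phishing leads to credential compromise", "expected_per_year": 12.0},
    "R2": {"name": "Unauthorised change to production", "expected_per_year": 4.0},
    "R3": {"name": "Lost or stolen laptop", "expected_per_year": 8.0},
    "R4": {"name": "Privileged account misuse", "expected_per_year": 2.0},
}

# Constructed incident log covering one year. Each record carries the register
# identifier of the risk it realises; R9 is deliberately absent from the register.
INCIDENT_LOG = [
    {"id": "INC-%04d" % i, "risk_id": risk_id}
    for i, risk_id in enumerate(["R1"] * 11 + ["R2"] * 9 + ["R3"] * 2 + ["R9"], start=1)
]

# Recommended follow-up for each finding, mirroring the cases discussed in the post.
ACTIONS = {
    "consistent": "Assessment and incident data agree; no action.",
    "under_controlled": "Incidents exceed the assessed likelihood: add controls now and re-assess.",
    "over_estimated": "Far fewer incidents than assessed: review whether controls can be relaxed.",
    "none_observed": "No incidents for a risk assessed as likely: verify incident capture "
                     "before treating this as over-control.",
    "unassessed": "Incidents are tagged to a risk that was never assessed: add it to the register.",
}


def reconcile(register, incidents, period_years=1.0, high_ratio=2.0, low_ratio=0.5):
    """Compare expected event counts with observed incident counts per risk.

    Returns {risk_id: {"expected": float, "observed": int, "finding": str}}.
    high_ratio / low_ratio are constructed thresholds on observed / expected.
    """
    observed = Counter(inc["risk_id"] for inc in incidents)
    findings = {}
    for risk_id in sorted(set(register) | set(observed)):
        expected = register.get(risk_id, {}).get("expected_per_year", 0.0) * period_years
        count = observed.get(risk_id, 0)
        if risk_id not in register:
            finding = "unassessed"
        elif count == 0:
            # Zero events is only surprising if at least one was expected in the period.
            finding = "none_observed" if expected >= 1.0 else "consistent"
        elif expected == 0 or count / expected >= high_ratio:
            finding = "under_controlled"
        elif count / expected <= low_ratio:
            finding = "over_estimated"
        else:
            finding = "consistent"
        findings[risk_id] = {"expected": expected, "observed": count, "finding": finding}
    return findings


def report(findings, register):
    """Render the reconciliation as plain text, one line per risk plus its action."""
    lines = []
    for risk_id, f in findings.items():
        name = register.get(risk_id, {}).get("name", "(not in register)")
        lines.append("%s %-40s expected %5.1f observed %3d -> %s"
                     % (risk_id, name, f["expected"], f["observed"], f["finding"]))
        lines.append("    " + ACTIONS[f["finding"]])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(RISK_REGISTER, INCIDENT_LOG), RISK_REGISTER))
```

The thresholds are coarse on purpose: with small counts a ratio test is only a trigger for a conversation between the risk owner and whoever runs incident management, not a statistical verdict, and the `period_years` argument matters because a register that expects two events a year should not be declared under-reported after one quiet quarter.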
Tags: Risk Management, GRC, Incident Management