Assessing Operational Risks and Managing Incidentsoperational risk events, there should be a relation between the two. One would expect that a risk that is assessed and is happening frequently, would also result in demonstrable incidents. The interesting data results when you have the information, but you do not find the relation.
Now, two things might be the case:
Your risk assessment was high, but you don't see any incidents. Again two things:
- Business was too negative and the risks aren't actually that high. In this case, care should be taken that business hasn't over controlled everything at considerable cost and frustration. This is an opportunity for cost reduction.
- The incidents aren't captured, implying they might happen, and the business is losing many without even knowing it. This is a more serious situation and immediate action is required. This is an opportunity for risk reduction.
- Clearly, the business underestimated risks and business processes are under-controlled. Extra measures should be taken immediately and risks should be re-assessed. This is an opportunity for risk reduction and cost reduction too; preventing the incidents from happening.