Assessing the unknown risks

July 4, 2011 by
Filed under: Governance, Risk and Compliance, Risk Management

The biggest risk is the risk you don't know. A very common statement, and somewhat overstated, because you're probably well aware of some pretty dangerous stuff. So in reality this might not be entirely true, but the fact is that the risks you don't know are inherently more risky than others, because you're not prepared.
In risk management, you will all be familiar with the Black Swan concept. Everybody expects the white swans, and all of a sudden there is this black swan. So how do you incorporate the black swan into your risk management framework, how do you assess it, and how do you prepare yourself? Clearly, you don't know the black swan, so you cannot be specific in your risk framework, and you also cannot be specific about the precise actions to be taken when it occurs. It could be orange, for all you know. Or worse, it might not even be such a nice swan.

So, it will be impossible to incorporate it into standard risk frameworks. But that would leave you with a serious gap. Something quite comparable to searching for the keys under the lamppost; you will only look for the risks you know, where there is light. Clearly, not the way to go. So what can you do?

One thought is that you include 'black swan events' for all key processes in your business, and run a risk assessment. You ask yourself what the worst possible impact would be for that business process, for that entity. Typically, on the financial dimension, this would be the money involved in any given period, but the reputational, legal and safety dimensions should also be addressed.

And then secondly, rather than assessing the likelihood (how could you?), you assess your risk preparedness. How prepared are you for 'something' that effectively destroys that particular line of business, that process? Not easy to assess, but it is related to how quickly you will find disastrous events, and what your standard business continuity and recovery plans look like. Of course, you still don't know what will hit you, and when. But you do know (better: have an idea) where your business continuity plans should be focusing. Based on that first analysis, you may run more traditional risk assessments to find out, per business process (business line, area of business), in which risk areas you're most vulnerable: fraud, external risks like competitive pressure, security risks, operational risks and so on.

Now, this still doesn't prepare you for exactly what to do when it happens. It might help you to look in the right direction, if you were honest, especially in the preparedness assessment.

Tags: Risk, Risk Management, GRC
