18 December 2022

A story of cryptos, auditors, little trees and... collateral risks.

It all started with this tweet by Burry:


One of the most famous investors in the world criticising the auditors and saying that their work is worth nothing. Is he right? This deserves some analysis.

1 - Basic concepts (skip to point 2 if you already know what 'proof-of-reserves' or a 'Merkle tree' is)

To understand the press release and Burry's opinion we need to start from a series of concepts and see how they are interrelated. Let's look at them:

Proof-of-reserves → Taking Investopedia's definition, a proof of reserves takes a snapshot of a company's balance sheet to show that its liabilities are covered by real assets (the cryptocurrencies in this case), so that the company can meet its obligations to its customers with sufficient liquidity. In the financial industry (simplifying), when a customer makes a deposit it is an asset for the customer and a liability for the bank, which is obliged to return it. In the crypto industry, when an exchange not only lets you trade but also provides custody, that cryptocurrency becomes a liability on the company's balance sheet (if you are curious about how this shows up in a company's books, see Annex I).

And how is the 'proof-of-reserves' snapshot taken? To answer that question we need to know the next concept:

Merkle tree → A Merkle tree is a structure of hashes in which each node is the hash of its children, so the hashes nest level by level from the branches upwards until, at the top, like the star on a Christmas tree, we have the 'top hash' or Merkle root, which certifies everything beneath it. To make it easier to visualise, here is the picture from Wikipedia:

Why does it certify? Because if any variation occurs in one of the nodes / branches (it disappears, it is modified, etc.) the top hash will change; ergo it is an integrity proof (that is good).

And what do the auditors do? As usually happens, they compare two things: on one side the proof of reserves, i.e. the customer balances committed in the tree and the signature over it; on the other the assets the custodian holds, and if the two match, 'all is well'.

And what does this look like? Some houses even let the customer see their own hash and where it sits inside the Merkle tree, but it is better to look at an example taken from Kraken's own website:

I am not going to get into whether the algorithms used are secure, crackable, etc. Although that is probably what interests an IT auditor the most, that part is not so interesting today :)
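To make concrete what the star at the top of the tree actually commits to, here is an added example (mine, not code from the original post, nor Kraken's, Mazars' or Silver Sixpence's implementation): a Merkle sum tree in Python, where every node carries a hash and a running total, so the root commits both to each customer's leaf and to the total liabilities. The leaf and node encodings, the padding rule and the sample balances are assumptions of this example, not any vendor's format.

```python
"""Merkle sum tree for a proof-of-reserves style liability snapshot.

Added example: not code from the original post, nor from Kraken, Mazars or
Silver Sixpence.  The layout below is an assumption of this example:
  leaf     = sha256(b"leaf" | user_id | b":" | balance)          sum = balance
  internal = sha256(b"node" | L.hash | L.sum | R.hash | R.sum)   sum = L.sum + R.sum
  an odd level is padded with an explicit empty node (zero hash, sum 0).
Balances are integers in the smallest unit (e.g. satoshi).
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int


EMPTY = Node(b"\x00" * 32, 0)   # padding node; contributes nothing to the sum


def _leaf(user_id: str, balance: int) -> Node:
    if balance < 0:
        # A negative leaf would lower the committed total and let the liabilities
        # be understated, so both the builder and the verifier refuse it.
        raise ValueError(f"negative balance for {user_id}")
    h = hashlib.sha256(b"leaf" + user_id.encode() + b":" + str(balance).encode()).digest()
    return Node(h, balance)


def _parent(left: Node, right: Node) -> Node:
    h = hashlib.sha256(b"node" + left.digest + left.total.to_bytes(16, "big")
                       + right.digest + right.total.to_bytes(16, "big")).digest()
    return Node(h, left.total + right.total)


def build_tree(balances: dict[str, int]) -> tuple[Node, dict[str, list]]:
    """Return the root (digest + total liabilities) and, per user, an inclusion
    proof as a list of (sibling_digest, sibling_total, side_of_sibling)."""
    ids = sorted(balances)
    level = [_leaf(u, balances[u]) for u in ids]
    proofs = {u: [] for u in ids}
    pos = {u: i for i, u in enumerate(ids)}        # each user's index at the current level
    while len(level) > 1:
        if len(level) % 2:
            level.append(EMPTY)
        for u, i in pos.items():
            sib = level[i ^ 1]
            proofs[u].append((sib.digest, sib.total, "L" if i % 2 else "R"))
            pos[u] = i // 2
        level = [_parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs


def verify_inclusion(user_id: str, balance: int, proof: list, root: Node) -> bool:
    """Client-side check: my balance is a leaf of the tree whose root (digest and
    total) the exchange published.  A tampered balance, on my leaf or on any
    sibling along the path, changes the recomputed root."""
    try:
        node = _leaf(user_id, balance)
    except ValueError:
        return False
    for sib_digest, sib_total, side in proof:
        if sib_total < 0:
            return False
        sib = Node(sib_digest, sib_total)
        node = _parent(sib, node) if side == "L" else _parent(node, sib)
    return node == root


def liabilities_covered(root: Node, onchain_assets: int) -> bool:
    """The auditor's comparison: committed liabilities vs. assets proven on-chain
    at the snapshot.  True here says nothing about lending, rehypothecation or
    what happens the day after the snapshot."""
    return onchain_assets >= root.total


if __name__ == "__main__":
    snapshot = {"alice": 150_000, "bob": 42_000, "carol": 1_000_000}   # constructed sample
    root, proofs = build_tree(snapshot)
    print("root:", root.digest.hex(), "total liabilities:", root.total)
    print("bob included:", verify_inclusion("bob", 42_000, proofs["bob"], root))
    print("bob tampered:", verify_inclusion("bob", 42_001, proofs["bob"], root))
    print("covered by 1,200,000 on-chain:", liabilities_covered(root, 1_200_000))
```

Each customer can run `verify_inclusion` on their own leaf against the published root, and the auditor compares `root.total` with the assets the exchange proves it controls on-chain; that comparison is `liabilities_covered`, and it is the whole of what such a test establishes. Two practical checks worth keeping: the sum tree must reject negative balances (otherwise one leaf can silently shrink the total), and the root must be published together with its total, since a hash alone commits to nothing about the amounts.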

2 – Trust in the crypto industry.

Why does Burry say that Mazars' audit reports provide no confidence at all? Through the analogy he draws with the CDS that became famous in the 2007-2008 housing bubble, he seems to make clear that he believes the auditors do not understand crypto or the risks derived from its custody, that the value of a proof of reserves is very limited, or perhaps all of the above.

Does he have reasons to be suspicious?

And not only him: broadly speaking, the market 'suspects' the crypto giants, and investors have been fleeing for months (obviously for several reasons, including that they are making less money):

If we think about what a 'proof of reserves' is, the fact that some crypto houses run this audit every three months, monthly or even daily should make us raise an eyebrow with scepticism. If it provides reliability about the integrity of the balance sheet, why so often? Not even listed companies are audited that many times a year on the same matter. Looks odd, doesn't it? The frequency of the audit alone could give grounds for suspicion: a real audit is done neither in a day nor in a week. If it is highly automatable it will be more efficient, but not therefore more effective.

As an audit, it is a very limited one that accounts neither for the company's capital flows nor for what is done with the cryptos. In fact, calling it an audit may be the first mistake here, because an external audit is something else. SOX audits, financial statement audits, etc. have a greater depth and provide reliability about how a company keeps its accounts. They are not infallible, but their scope and testing methodology give a reasonable level of reliability.

Let's see how Mazars announced the proof-of-reserves test (a web page they have taken down but which is still available here):

Of course! The auditor comes to bring trust and transparency to the digital asset sector and, on top of that, does not take anyone's word for it! It verifies.

Impeccable... And how does it do it?

By using the Silver Sixpence Merkle Tree, which of course is infallible! And in case you have doubts, here is the source code (transparency to the max):

https://github.com/silversixpence-crypto/merkletree-verify

Interesting... I do not understand this, but... it is so complex it must be good, right?

NO.

Without getting into the technology (I am biting my nails here, I hope the effort is appreciated). Complexity is proof of neither trust nor transparency, even if your supposed source code is on GitHub.

But let's not give up; let's dig a bit more and see who developed that source code:

https://github.com/silversixpence-crypto

Interesting, someone from South Africa. Let's see who it is:

https://www.silversixpence.io/

Ah, a company offering cryptocurrency trading solutions and 'proof of reserves', which coincidentally hosts the audit reports of its best clients, such as Mazars:

Note: In the 24 hours it took me to write this article they have already taken the site down and removed the reports (red flag!)

https://merkle.silversixpence.io/files/Binance%20POR%20Report%207%20December%202022.pdf

Let's see what those reports say:

That 'Additional transparency and reassurance' message is interesting; the problem is that it is not consistent with the one at the bottom of the first page:

Ah, I did not know one could provide transparency, trust and 'reassurance' but not 'assurance'.

What game is this? Do I trust it or not?

Let's put the verbiage aside next to the technology, let everyone draw their own conclusions, and go back to the central point of the matter: 'In-Scope Assets are collateralized, exist on the blockchain(s) and are under the control'.

Ah, now we are talking about collateral; this smells more like good old financial risk.

And what does the proof of reserves tell us about the collateral?

As we saw earlier, it only tells us that the assets exist at a specific moment and that they match the liabilities. The Mazars report describes the technical tests as follows:

But they do not stop there; they look at a few more things:

By counting rows and adding up amounts they verify that what is stated in the 'Customer Liability Report' is complete (...).

What do these tests tell us about the company's financial health?

Very little; it boils down to reporting that customers' assets are still with the custodian and to verifying that they appear on the balance sheet.

What do these tests not tell us?

Everything else, including every bad practice we can think of: Do they use customers' assets as collateral to borrow themselves? For what kind of operations do they lend those assets? Do they analyse the risk profile of leveraged customers? Will they be able to meet their financial obligations? Or the many practices that brought down FTX, taking billions of its customers' money with it (news here).

We know little or nothing about all of this from the 'Proof-of-reserves' report alone. Here Burry, as a good financial analyst, knows that if the collateral for a loan is an asset with the same characteristics as the one bought with the loan, when the bubble bursts (the asset depreciates rapidly) you have a snake eating its own tail. We can deduce that Burry does not trust it, drawing the analogy between loans to buy houses backed by the value of the house and loans to buy crypto backed by crypto. Let's take an example:

- Customer A asks for €100M to buy bitcoin at 10% per year (examples of real rates here https://www.binance.com/en/loan/data ).

- The exchange verifies that the customer has crypto assets worth, say, €120M, and grants the loan.

- Three months go by and cryptos have fallen 40%. Oops, customer A's collateral is now €72M, so the exchange may be in trouble if the customer does not pay. It calls the customer to put up €8M more (margin call) by buying more crypto; on top of that the customer has to pay €2.5M in interest and another €25M of the loan principal (again, simplifying a lot).

- Another three months go by and cryptos have fallen another 40%. Customer A's €80M of collateral has turned into €48M. The exchange calls the customer again asking for €7M (plus the corresponding interest and the part of the debt to be repaid), but the customer cannot face that debt and tells the exchange 'keep my crypto, I want nothing to do with it'. The exchange tries to see how much it can recover and, after negotiations here and there, ends up booking a loss of €40M of the 100 it lent which, backed by crypto that it puts up for sale (or not), is reduced to €4M.

Is it a big problem?

Maybe yes, maybe no. It depends on your default rate.

If an exchange has €100,000M in obligations you do not want that rate to be very high, but if cryptos are falling like a stone across the board (some 99.999% this year, others like bitcoin 'only' 64.9% as of today), you are in serious trouble. And this is what worries Burry (leaving aside all the other possible frauds that can be committed).

3 – What can we learn from this whole story?

Some thoughts out loud:

- We can use grandiose adjectives to sell an audit report, but that tells us nothing about the reliability the report generates. Reliability is set by the scope, the testing methodology and the auditors' knowledge. What questions do we want answered? Which questions are relevant?

- Calling an 'integrity test' an 'audit' denigrates the profession and real audit reports. Here Burry is right to say that these Mazars reports have a value of '0' for an investor.

- If you want to be a frontrunner in a new industry with scarce or non-existent regulation you will grow in the market quickly, but the reputational impact if you get it wrong is enormous; it splashes onto your brand and onto the rest of your 'audit' products. If you do not generate trust, you are out. Mazars has seen that its reports do not generate value (trust) in the market and has corrected course by withdrawing those services.

- The technology is NOT a problem. We could have nitpicked the 'proof of reserves' technically and discussed theoretical ways to 'cheat', but that is not the relevant question. If most of the world's crypto exchanges are in financial trouble it is not because of the technology; it is because of the management of financial and counterparty risk and the lack of 'fear' of a regulator that would make them manage prudently.

- And what are the regulators doing? There they are, more than a decade after the birth of crypto, still discussing the approval of various control frameworks such as ESMA / EBA's MiCA (available here). Regulation arrives late, and billions will have evaporated by then. Now, will it be enough? Time will tell.

Annex I

As an example, let's look at the balance sheet of Coinbase, one of the largest crypto exchanges:

No, it is not that its debts have multiplied; it is that its deposits have increased :) This is clearer when looking at a bank's accounts, since they state it explicitly (honestly, I do not know whether GAAP rules have been adapted to this class of assets and industry); let's look at the case of Bank of America:

10 January 2022

The metarisk series (III), company risk profile and risk-functions resources allocation.

Now imagine that we are going to provide an opinion about the risk of anything in your company. The approach would be slightly different depending on the department; as per the IIA, the different risk functions and reporting lines are the following:

Source: IIA UK

The principle is that the further you are from the fire, the more independent you are. It is not exactly a skin-in-the-game efficient approach, but it is the common and current best practice (I am not going to challenge it in this post). Big companies (> 5K employees), especially if they trade on public stock markets, usually have this structure with little variance. We could enrich the previous picture with a fourth line of defence including external auditors or QA / IA departments, but it is fine as it is. These big companies usually publish annual reports including many risks that shareholders should consider; for instance, in the USA these are the famous 10-K reports required by the SEC. Let's check for example the one from Microsoft, available here:

It is absolutely clear that this report should tell us what the company did in the last year and what it is going to do in the future, so that current and potential shareholders know what they hold. However, if we check the content, we can see that most of the information is about risks. The (regulated) structure of this report is more or less the same for companies trading on the US stock markets. You can compare Microsoft with BofA, and even wonder about the differences:

- Which company describes more risks?

- Which company is more impacted by COVID?

- Which company has more risk categories?

You can check the answers at the end of this post.

Managing a business in a big company is a complex activity with millions of activities, interactions, dependencies, etc. We can imagine that the organisation chart of Microsoft or Bank of America runs to hundreds of pages, while the number of processes should be (if they aim to be an efficient, platform-based business) much shorter. No matter whether your company is one of these, all of them have risks, people organised in different ways, assets and processes, many processes. Risks are an intrinsic component of any business; long story short: what you sell to your customers today may have 0 value tomorrow. So you are out of business.

Resource allocation for an effective (and efficient) risk assessment

What does the theory say? If we are internal auditors and we stick to the standards, this is what the IIA says:

1220.A3 – “Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.”

2010.A1 – “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.”

2010 – “To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.”

That is generic enough to allow many things, also the wrong ones, like the following:

Error 1 → The organisation chart focus.


Microsoft or your favourite company may have a completely different organisation; let's see some examples with the help of Forbes and McKinsey:


Which one is yours? None? The creativity of HR and of the Big Four advisory services can be quite high 😊 That said, risk functions sometimes pay excessive attention to the organisation and forget about the process. Actually, changes in the management team or in the way people are organised are attention points, red flags, that auditors and others usually consider potential sources of risk. That could be right: if there is change there is risk. However, the opposite is also true. Lack of leadership may come in the form of 'new' managers who are 'landing' or 'old' managers who resist change. An organisational change is a weak argument to trigger an audit, that is, to allocate your risk resources, unless we focus on the processes.

Excessive attention to the organisation (resources) may reduce the value of the engagement if it is not correlated with the operation. Business objectives are achieved through operations, and operations are (or should be) organised in processes. Therefore, process-oriented audits are more likely to address the significant risks of the organisation.

Error 2 → The tech focus.

Sometimes new technologies arrive to make our lives easier, and that is a red flag in the mind of IT security functions, internal control or audit departments. If there is a new technology there is usually a new risk; for this reason we sometimes see audits, pentests or internal control sampling related to 'Red Hat' systems, 'mainframe upgrade' or 'Cisco networking'. This 'technology-focused' approach usually arrives at conclusions such as:

- Lack of hardening / default configuration / lack of patches.

- Excessive permissions granted and/or developers with access to production.

- Non-functional requirements missing.

- Project cost overruns and/or delays.

- Etc.

These are not technology problems but project / change management issues, so technology audits also have process-related issues.

The process approach

Spoiler: yes, this is the most efficient approach, the one that surfaces the most risk for the organisation per hour of auditor / tester. Since I specialise in IT, I will explain it using IT processes:

The first column describes some of the usual processes that IT departments (so, under the CIO) have to run in order to deliver service. The names should ring a bell (the list is not exhaustive) since they are common in ITIL / COBIT processes and in other reference standards and best practices. When the CIO looks at his people he looks at the organisation chart, at the portfolio of services, at the IT KPIs, etc. When an auditor looks at the CIO he should look at all of that, but also at the list of processes the CIO has or should have. If there are no processes there is no structure; where there is no structure the maturity of the organisation is low, and therefore people improvise or follow 'professional judgement' to keep the business running.

Note: 'Professional judgement' is the worst enemy of risk functions.

But I will explain that another day.

So, if I am the head of an internal audit department and I plan considering:

- Organisational changes.

- Technology changes.

chances are high that I do not have the right focus or that I am missing 'strategic' or 'key controls' in my assessments. But these are not all the errors in this phase; others we may see are the following:

- Senior management input → Don't get me wrong, this input is important to plan, schedule, align, understand business priorities, etc. But if this is the key reason, that is not a risk-based decision; actually it can be a bias in the decision-making process.

- Audit cycle → Doing an audit just because time flies and we have not paid a visit to some people for three or five years is also a very weak argument. We need other red flags.

- Team / peer proposals → Sometimes we receive these ideas and they are absolutely necessary, sometimes quite good, but we need to be sure that they are risk- and data-driven and not hunch-driven, and also whether they fit within our audit universe or would be one-offs, and why that matters.

- Etc.

So, how do we decide? How do we plan?

Taking a risk-based decision in order to plan your engagements is complex, which means that you need to have the right information (key factors) in order to maximise the risk reported where and when it matters. Here you may say: wait a minute! We already have that information in the 10-K report of any publicly traded company; those are the priorities!

That would be a good point, and if you ask the army of risk-function managers (starting from the CISO, Head of IRM/ORM/ERM / Compliance / Internal Audit, etc.) they will be able to map 99% of their plans, projects and testing to the strategy and key risks. The reason is that those risks are usually so generic and vague that almost 'anything' fits inside (we could have some fun challenging the risk categories and the list of risks). So I am afraid that there is no easy answer; however, I will try to help you with some suggestions of relevant inputs, from the most relevant to the least relevant, for your resource allocation:

Note: Most of the icons have been downloaded from Flaticon; rights belong to the icon creators (like Chattapatk).

One last comment here. It is important that when you define what you are going to audit, test, check, whatever, you also define what you are not going to talk about. So, if a risk materialises with a high impact in the next sprint, quarter, year, etc. and it was not on your radar, it could be that you did not have the right priorities. For example, business continuity audits / projects after March 2020.

And that is all about high-level risks and risk-function resource allocation. This topic takes long to explain, but I have tried to summarise the key concepts with the example of audit plans. In the next post of this series we will go deeper into the fieldwork and check how we analyse and test, and the many biases we face in that process.

Microsoft vs BofA risk profile

* 10-K reports are always interesting to read, even if you are not an investor; they contain a lot of business and risk information that lets you learn many details. I always recommend reading this report for your current employer (if that is possible). To the questions asked earlier, here are the answers according to the information these companies publish:

- Which company describes more risks? Microsoft wins with 32, while Bank of America has 31.

- Which company is more impacted by COVID? This is risk no. 1 for BofA, while it is part of another risk within the 'general risks' category for Microsoft, almost at the end of the list.

- Which company has more risk categories? Here the winner is BofA with 9 risk domains, while Microsoft has 7.

You can see the risk categories and risk titles (each one has a very long description) in the following table:

It is interesting to see that the weight of IT risk is 'quite low' for a bank that holds all its money in IT systems (...), while for Microsoft having liquidity does not look like a big deal even though its cash is more or less the same as its current debt (they are confident that BofA will lend to them 😊). Also, Microsoft does not report here the vulnerabilities in any of its products, even though the trend is to have more every year:

I guess that something big happened between 2013 and 2015. You can place your bet (new CEO, new software products, IaaS / PaaS / SaaS, digitalisation, the migration from waterfall to agile methodology, or probably all of them), but judging by the stock performance it seems that no shareholder is concerned about it.

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-i-can-we-agree-on.html

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-ii-risk-bad.html

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-iii-company-risk.html

7 January 2022

The metarisk series (II), risk (bad) behaviour

 

Now that we agree on a more accurate definition of risk, so that behind the name there is a meaning, let's try to dive deeper into the features of risks. We know that, in a very simplistic way, every risk is a combination of likelihood and impact; you can apply that to a security breach, to the compliance risk of the latest regulation or to the risk of running out of battery on your smartphone before getting home. We probably all agree that there are many kinds of risk; for instance, many risk managers split them into financial and non-financial ones, which may make us wonder what the impact for a business is if there is no financial impact, but let's assume it is a way to separate different risks and activities. In the same way, operational risk and information risk are different branches of the same thing; it is just a way of specialising, so that we deal with the complexity of each category better.

So, looking at the risk categories, we could argue for eons about how many there are and which ones each department should use to keep its activities under control. Risk categories are not that interesting to me, so I will assume that we have the right list and that no elephant is missing from your assessment. Let's talk instead about risk behaviour; to understand this attribute we need to think twice about the impact that a risk creates for me. Let's see some examples:

Case 1: Customer calls lost per minute waiting in the call centre:


This seems quite linear... so the more minutes, the more customer calls lost. OK, no rocket science.

Case 2: Financial penalties for low, medium and high deviations from a regulation (you name it).


Well, now the picture is changing... is this a ladder? Do we have thresholds?

Case 3: Number of servers unavailable until the service is lost... or Russian roulette:


This is a kind of binary risk. I guess Taleb gave the example of the turkey on Thanksgiving Day: 0 risk for 364 days, happy life, all is sweet until we reach the 'breaking' point...

Case 4: Earthquakes:

Frequency (earthquakes per year) vs intensity (Richter scale); just in case my drawing is not clear, this is logarithmic.

Case 5: Millions (€) lost per day with payment services down, or... the impact per day of an undetected security breach in a core banking system, or... the wheat and chessboard problem (or how a king lost his kingdom).


This is an interesting one and is based on a geometric progression. The red line represents the bankruptcy point. By the way, if you do not remember the wheat fable, here is a picture to visualise it:


Case 6: Impact of a personal data breach (millions of records × millions of €, 62% variance).


In the real world there is a myriad of scenarios, probabilities and potential outcomes, so this risk behaviour seems quite 'natural'; it is a geometric dispersion. What does it mean exactly? Just that there is an infinite number of scenarios that may happen, and in many of them we are out of business, or dead, or we simply fail to achieve whatever we want. It depends on the risk; the important thing is to know the limits and to recognise this pattern in whatever we are measuring / analysing / giving a professional judgement on.

Case 7: Risk correlation


Risk C (yellow) as an exponential combination of risks A and B: increase in inflation > 3%, increase in unemployment and in the poverty rate.

Ahhh, this is easy, you may think. It is clear that there are interdependencies in some cases; we live in a complex world after all.

Citigroup CEO (January 2008):

“Our financial results this quarter are clearly unacceptable. Our poor performance was driven primarily by two factors: significant write-downs and losses on our sub-prime direct exposures in fixed income markets, and a large increase in credit costs in our U.S. consumer loan portfolio”.

The sub-prime crisis is a great example of how correlations may sometimes be missing (or hidden by greed).

Case 8: 30-year mortgage earnings, or expected loss in case of customer bankruptcy in the first 5 years (risk upside):


Yes, I know that this should not be here, but there are many risk managers who like to look at the 'upside' or the benefits of certain risks; this happens especially in portfolio management or when taking investment decisions. Investors and traders should usually look at the risk asymmetry, so that there is much more upside than downside in whatever they invest in (commodities, securities, etc.). Potentially, any company or country may go bankrupt; actually, the lifespan of S&P 500 companies is getting shorter.

I do not agree that we should talk about 'positive' risk within 'risk management' functions; these functions are designed to deal with and prevent risks, impacts, anything that may jeopardise the business. But business or intelligence departments may put the opportunities next to the impacts of business decisions, knowing that they have to look at them to keep the risk under control. Risks and opportunities (benefits) are everyday occurrences for laypeople; as discussed in the previous post, there is a potential risk and benefit in almost any activity and we are wired to deal with it. However, it is of the utmost importance to remember that the asymmetry between risk and benefit must be considered and measured (the more important the decision, the more accurate the assessment).

Risk properties summary:

Now that we know a little bit more about risks, let's recap:

- Events with one or more occurrences, with several causes and several consequences.
- Risks are events with a likelihood.
- They happen in the future, not in the past.
- Depending on the behaviour of the risk, the events have an impact that is:
  - Linear.
  - Binary.
  - Ladder scale.
  - Logarithmic.
  - Geometric progression.
  - Geometric dispersion.
  - Etc.
- Risks are independent or correlated.
- Risks and benefits are asymmetric and we need to analyse that (if they are symmetric, where is the business?).

And yes, they may be grouped in categories as a way to specialise and deal with them within public or private organisations.

Now that we have settled the foundations of what risk is and what we mean when we talk about likelihood, impact or behaviour, we can start to talk about the metarisk, i.e. the risk of risk functions getting this wrong.

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-i-can-we-agree-on.html

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-ii-risk-bad.html


4 January 2022

The metarisk series (I), can we agree on what is risk?


This is the first of a series of articles about 'metarisk', and it would probably help to start with a small definition of what this thing is about. No, this is not related to social networks, and if you arrived here looking for that you can continue your search (maybe another day we can talk about that). At least in the IT security community the buzzword 'meta' has been well known for many years; we use it to describe the data within Office documents, and we find this 'metadata' with the glorious FOCA, the queen of metadata (congrats to those developers!). Then we have a little piece of software called Metasploit, which probably rings a bell too. This list could go on for a while...

That said, what is the metarisk? If we follow the structure of other definitions, it is the data about risk, just that. But in this and the next posts we are going to look at it from a slightly different angle: let's talk about the risk of not reading / understanding the risk data that we have. That is a risk faced not by business processes but, in particular, by risk management departments such as those in the 1st to 3rd lines of defence in existing industries. Of course, external auditors and regulators are special guests on this journey.

As the years go by and experience starts to flourish, there are certain patterns, errors, pitfalls or whatever you prefer to call them that repeat everywhere. In this series I try to present them and shed some light on the many mistakes we can all make in our everyday job within risk departments. For the sake of the discussion I will use the example of an internal audit department (so, 3rd line), but you can replicate / adjust the patterns to your favourite risk management department.


“The first principle is that you must not fool yourself, and you are the easiest person to fool”.

Richard P. Feynman

The basics

“The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact”.

IIA – 2100 (Nature of work)

So, let’s start from the very beginning… What are we talking about when we talk about risk? Well, as apprentices in the matter let’s check what the experts have to say:

Institute of Internal Auditors

“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood”.

ISO 31000: Risk Management

The effect of uncertainty on objectives.

Project Management Institute

An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.

WordReference

  1. dangerous chance.
  2. the chance of loss.

  1. to put or place someone or oneself near the chance of injury or danger.
  2. to take the chance of; to hazard.

Crystal clear, isn’t it? As per the different definitions, risks share these attributes:

- Risks happen in the future.

- Risks produce damage (destruction that reduces value) or opportunity (¿?).

- Risks are random (they happen, but we don’t know when and where). There is uncertainty around risks.

Here the challenge to the PMI folks (and whoever agrees with their definition) would be the following: there is no such thing as a good outcome from risks, otherwise they would not be risks. The good outcome arrives when the risk does not materialise, or when it has such a low impact that it’s meaningless. So, just in case there were doubts, ‘risk departments’ are there mainly to prevent risks (that may feed other opportunities and value gains, but that’s not the focus of this post).

The associated formula for calculating risk is:

R = (probability of the accident occurring) x (expected loss in case of the accident)

But we know that there is no 1 to 1 relation between risks and activities, so what we are actually talking about is the following:

So that is our starting point. To put it in simple, plain words:

We may just have an idea of the how… but we don’t know when.

And considering the Risk definition… How do human beings deal with things that are random, happen in the future and produce damage?

Let’s think about it…

While playing…

Ok, enough sarcasm. I don’t wanna be pessimistic; we are wired to deal with risks, aren’t we?

Then, why all the fuss? Well, even if we are well wired & prepared to deal with risk, that doesn’t mean that our history with risk is a complete success. Understanding, preventing and dealing with risk is a continuous process that may waste a lot of our brainpower because there is no single risk-free decision that human beings can take:

- If you drink coffee or water.

- If you buy another t-shirt or save the money.

- If you call your mother / father once per day, once per month or never.

- If you take the bike or the bus, or even better, if you work from home (always).

- If you answer that e-mail at 19:00 p.m. or the next day.

- If you go to the gym or practice sports outdoors.

- If you go on holidays to Seville or Milan (on the 17th of February 2020).

- If you buy your son that toy or that video game.

- If you use a facemask in the street or not.

- If you read this post or turn the TV on.

Even thinking that something is a ‘zero-risk’ event / activity is a well-known BIAS (quite common I would say).

So, to get this thing called risk under control, big players / companies define three lines of defense, and Governments create public agencies and national security forces (dozens of them, usually independent but reporting to the top-level politician elected every X years, or not). That should increase our chances of success, of preventing impacts, of progress…


Well, at least that is what we all try to accomplish. Sometimes with more success than others.

Risks can be very simple or extremely complex to deal with. Many times, the higher the goal, the bigger the risk, and our success is determined by how we can break this formula. To be clearer, we gain value when we are able to achieve higher (more complex, more difficult) goals and objectives while keeping the risk ‘under control’. Let’s try to visualize it with a few images:


I hope that you follow me so far. Coming back to our favourite formula, it’s a way to say that the result may grow (exponentially) and sabotage our attempts to obtain something:

So, the risk of one single activity is the sum of all the things that may go wrong in that activity. As processes may have up to N activities, each step has its own risks and interdependencies. So when we look at the process at a high level, the impacts, unlike the risk, may scale to unforeseen levels.
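As an added example (not the post’s own code), here is a toy risk register that applies the formula above to every scenario of an activity and then aggregates the N activities of a process; it also computes the worst case, which shows how the impact can be far larger than the expected loss. The process, scenarios and figures are constructed, and independence between activities is assumed.

```python
# Added example, not from the original post: R = probability x expected loss
# per scenario, summed per activity, then summed over the process.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One thing that may go wrong in an activity (constructed figures)."""
    name: str
    probability: float  # per period, between 0 and 1
    loss: float         # loss if the scenario happens, in currency units


@dataclass
class Activity:
    name: str
    scenarios: list[Scenario] = field(default_factory=list)

    def risk(self) -> float:
        # Expected loss of the activity: sum over scenarios of p_i * L_i
        return sum(s.probability * s.loss for s in self.scenarios)

    def worst_case(self) -> float:
        # Impact if every scenario happens: not weighted by probability
        return sum(s.loss for s in self.scenarios)


def process_risk(activities: list[Activity]) -> float:
    """Expected loss of a process with N activities (independence assumed)."""
    return sum(a.risk() for a in activities)


def process_worst_case(activities: list[Activity]) -> float:
    """Impact if everything goes wrong in every activity at once."""
    return sum(a.worst_case() for a in activities)


# Constructed sample: a three-step payment process.
PAYMENT_PROCESS = [
    Activity("receive order", [Scenario("fraudulent order", 0.02, 500.0),
                               Scenario("data entry error", 0.05, 50.0)]),
    Activity("charge card", [Scenario("gateway outage", 0.01, 2000.0),
                             Scenario("double charge", 0.005, 300.0)]),
    Activity("ship goods", [Scenario("lost parcel", 0.03, 150.0)]),
]

if __name__ == "__main__":
    print("expected loss per period:", process_risk(PAYMENT_PROCESS))
    print("worst-case impact       :", process_worst_case(PAYMENT_PROCESS))
```

With the constructed figures the expected loss stays small (38.5), while the worst-case impact is 3000: the gap between the two is what the post means by impacts scaling beyond the risk figure.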

In any case, these statements are simplifications for the sake of the discussion, just to set a common foundation. Then we may wonder whether all risks are the same and where exactly we are going with this ‘risk for dummies’ article. It is so obvious, isn’t it? We will talk about it in part 2…