This is the first of a series of articles about “metarisk”, and it would probably help to start with a short definition of what this is about. No, it is not related to social networks, and if you arrived here looking for that you can continue your search (maybe another day we can talk about that). In the IT Security community at least, the buzzword ‘meta’ has been well known for many years: we use it to describe the data within Office documents, and we find that ‘metadata’ with the glorious FOCA, the queen of metadata (congrats to those developers!). Then we have a little piece of software called Metasploit, which probably rings a bell too. This list could go on for a while...
Having said that, what is metarisk? If we follow the structure of the other definitions, it is the data about risk, just that. But in this and the next posts we are going to look at it from a slightly different angle: let’s talk about the risk of not reading / understanding the data about risk that we have. That is a risk faced not by business processes but, in particular, by risk management departments such as those in the 1st to 3rd lines of defence of existing industries. Of course, external auditors or regulators are special guests on this journey.
As years go by and experience starts to flourish, there are certain patterns, errors, pitfalls, or whatever you prefer to call them, that repeat everywhere. In this series I try to present them and shed some light on the many mistakes we can all make in our everyday job within risk departments. For the sake of the discussion I will use the example of an internal audit department (so 3rd line), but you can replicate / adjust the patterns in your favourite risk management department.
“The first principle is that you must not fool yourself, and you are the easiest person to fool”.
Richard P. Feynman
“The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact”.
IIA – 2100 (Nature of work)
So, let’s start from the very beginning… What are we talking about when we talk about risk? Well, as apprentices in the subject, let’s check what the experts have to say:
Institute of Internal Auditors: “The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood”.
“The effect of uncertainty on objectives.”
“An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives”.
Dictionary definitions:
- dangerous chance.
- the chance of loss.
- to put or place someone or oneself near the chance of injury or danger.
- to take the chance of; to hazard.
Crystal clear, isn’t it? As per the different definitions, risks share these attributes:
- Risks happen in the future.
- Risks produce damage (destruction that reduces value) or opportunity (¿?).
- Risks are random (they happen, but we don’t know when and where). There is uncertainty around risks.
Here the challenge to the PMI folks (and whoever agrees with their definition) would be the following: there is no such thing as a good outcome from risks, otherwise they would not be risks. The good outcome arrives when the risk does not materialise, or when it has such a low impact that it is meaningless. So, just in case there were any doubts, ‘risk departments’ are there mainly to prevent risks (that may feed other opportunities and value gains, but that is not the focus of this post).
The associated formula for calculating risk is:
But we know that there is no 1 to 1 relation between risks and activities, so what we are actually talking about is the following:
So that is our starting point. To put it in simple, plain words:
We may just have an idea of the how… But we don’t know when.
And considering the Risk definition… How do human beings deal with things that are random, happen in the future and produce damage?
Let’s think about it… Ok, enough sarcasm. I don’t want to be pessimistic; we are wired to deal with risks, aren’t we?
Then, why all the fuss? Well, even if we are well wired & prepared to deal with risk, that doesn’t mean that our history with risk is a complete success. Understanding, preventing and dealing with risk is a continuous process that may consume a lot of our brainpower, because there is no single risk-free decision that human beings can take:
• If you drink coffee or water.
• If you buy another t-shirt or save the money.
• If you call your mother / father once per day, once per month or never.
• If you take the bike or the bus, or even better, if you work from home (always).
• If you answer that e-mail at 19:00 or the next day.
• If you go to the gym or practice sports outdoors.
• If you go on holidays to Seville or Milan (the 17th of February 2020).
• If you buy your son that toy or that video game.
• If you wear a facemask in the street or not.
• If you read this post or turn the TV on.
Even thinking that something is a ‘zero-risk’ event / activity is a well-known bias (quite a common one, I would say).
So, to get this thing called risk under control, big players / companies define three lines of defense, and governments create public agencies and national security forces (dozens of them, usually independent but reporting to the top-level politician elected every X years, or not). That should increase our chances of success, of preventing impacts, of progress… Well, at least that is what we all try to accomplish, sometimes with more success than others.
Risks can be very simple or extremely complex to deal with. Many times, the higher the goal, the bigger the risk, and our success is determined by how we can break this formula. To be clearer: we gain value when we are able to achieve higher (more complex, more difficult) goals and objectives while keeping the risk ‘under control’. Let’s try to visualize it with a few images:
So, the risk of one single activity is the sum of all the things that may go wrong in that activity. As processes may have up to N activities, each step has its own risks and interdependencies. So when we look at the impacts at a high level, they, unlike the risk, may scale to unforeseen levels.
In any case these statements are simplifications for the sake of the discussion, just to set a common foundation. Then we may wonder whether all risks are the same and where exactly we are going with this ‘risk for dummies’ article. It is so obvious, isn’t it? We will talk about it in part 2…