October 05, 2006
BP Oil Pipeline Leak: A Cry for Enterprise Risk Management
Whenever a disaster or event causes losses, it is usually proven that one or several employees in middle management or on the front lines had been forecasting the event years before, but no action had been taken. The recent story of British Petroleum’s oil pipeline leak in Alaska is no different. The headline from this week's CNN news story, BP was warned, reads: “Interviews with employees and a 2002 letter predicting 'catastrophe' show that BP’s problems should have come as no surprise to management.”
According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. 'The mantra was, Can we cut costs 10 percent?' he recalls.”
How can such bad decisions be made by such smart people? The answer is found in the overreliance on quantitative analysis. There is a philosophy among some risk managers that all answers can be found in deep quantitative analysis of the numbers in databases to detect patterns. This is true for high frequency risks. However, for low frequency, high impact risks (like the BP oil leak), quantitative analysis will often lead to incorrect decision making, or to more analysis with no decision making at all. First, there is insufficient historical data to analyze, and many possible outcomes can easily and incorrectly be “fit to the data”. Second, with too little data, the patterns of correlation and dependency, and therefore the big picture ramifications, cannot be easily understood.
The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that utilizes risk self-assessment (the process of identifying and evaluating risks with regard to their potential impact and likelihood, as well as related controls) as well as the subsequent risk management process of control evaluation, action plan definition, and monitoring of risk and implementation development. Enterprise Risk Management starts with a holistic and qualitative approach to first identify all the possible root causes of an issue and then systematically help quantify the total risk consequence, taking all the possibilities into consideration with scenario analysis and, if needed, quantitative analysis.
Quantitative analysis is expensive and very focused in applicability. Enterprise Risk Management is all about the best practice of performing a self-assessment and scenario analysis before deciding where, when and how to invest in a deeper quantitative analysis such as loss database approaches. With ERM, management can prioritize the full costs versus the benefits to make a better decision. You can download a whitepaper on Risk Event Classification.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Identification • Risk Mitigation
August 30, 2006
Risk Poll: How do you compare?
Below are four poll questions recently asked to Chief Risk Officers at organizations across North America. Take the survey yourself below and then compare your results by downloading their poll results along with a write-up explanation.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Risk Assessment • Risk Maturity Model • Risk Mitigation
June 27, 2006
Re: Intelligence Failures, Part III: Opinion Poll
In my blog last week I defined the terms in the poll below and explained how risk management can prevent these failures from occurring. Vote your opinion and then view the results of what others think:
Thanks to Toren for his comments on my blog last week, "Intelligence Failures, Part II: Risk Management is the Answer." Toren writes:
"How would Risk management software deal with perceptions and preconceptions that drive leaders and make them look the other way once intelligence points against their gut feeling? Is there a software that integrates human experience and takes preconceptions, even feelings and mere hunches that may drive a decision, into account?"
Business has political interests and politics has business interests, but the discipline of risk management applies to all just the same. Toren's comment highlights the need for acquiring human intelligence from front-line experts and balancing it with other data sources to achieve better decision making. This is the heart of what risk management software is designed to address.
First, the underlying prerequisite for a successful risk management program is the "tone from the top" from leadership to embrace a rigorous, objective and qualified risk management process. Transparency in the risk assessment and mitigation process is necessary to build the confidence and credibility for this buy-in. Software achieves this with embedded best practices and real-time interactive dashboards and reports for efficiency and governance of the process. Senior leadership commitment to actively engage in the risk management process will result in their conviction in the results.
With this mandate in place, the next issue is how to widen the net and process the information in an objective and consistent fashion to prevent unsubstantiated preconceptions from blocking out the facts. True Enterprise Risk Management software supports a risk control self-assessment approach with a library of guided questions to qualify, quantify and prioritize human intelligence for follow-up. This process breaks the information down into its root cause categories and factors and quantifies the potential impact of the risk, the likelihood that the risk will occur and the current effectiveness of controls in place should the risk actually occur. A risk index score is calculated with the formula (impact x likelihood x control). The highest risk index scores can now systematically cull a broader base of information down to the most dangerous or high-risk issues or scenarios.
Follow-up activities are assigned with due dates for deeper analysis that culminates in a recommendation for action along with the supporting documentation of cost benefit analysis, controls, budgets, etc. This web-based system aggregates data from all areas of the organization. Control activities enforce discipline in the implementation and monitoring phases of preventing risks or minimizing the impact of risks should they occur. It is this combination of methodology, process and software that prevents a premature conclusion or disregard for the facts.
Thanks again to Toren. Keep your inquiries coming and don't forget to vote your opinion above!
Posted by stevenminsky in Risk Assessment • Risk Mitigation • Software
June 06, 2006
Big Blue and Bird Flu?
IBM announced today their newest Risk Management service offering, Contingency Planning Assessment, in their press release, IBM TO HELP COMPANIES DETERMINE PANDEMIC PREPAREDNESS. I had the opportunity to speak with Rich Cocchiara, IBM Distinguished Engineer & CTO for Business Resilience at IBM, prior to their announcement. Rich made the point that business continuity, disaster recovery and crisis management are constantly evolving and that new threats need new strategies. Rich outlined a few of the differences to consider in planning for a Bird Flu Pandemic versus a traditional business continuity and disaster recovery issue.
1) People vs. Infrastructure Resources - Bird Flu scenarios can affect up to 40% of employees where traditional business continuity has been all about the physical property infrastructure of buildings, transportation, data and communications.
2) Global vs. Local Geographies - a Pandemic is forecast to affect multiple cities, regions and entire countries simultaneously where traditional business continuity planning has been focused on reactions to single localized events.
3) Long term vs. Temporary Impacts - Avian Flu may have several waves lasting several years and may change the way business is conducted in the long term, where traditional business continuity has been thought of as a few days to a few weeks in duration.
Rich posed the question on corporate preparedness: "Does your organization know how operations will be impacted due to a health Pandemic? What business areas will need to be shut down or functions, locations or processes abandoned?" Rich also pointed out that all organizations are impacted, including small and medium sized businesses, not just the largest enterprises and government agencies.
Rich also commented on the importance of risk management software tools to support an Enterprise Risk Management program for identifying and assessing scenarios, evaluating options, and planning and tracking results. Further, having Corporate Objectives and a Performance Management view in mind can also help address current business operations issues to help make your business better today. For example, enabling business processes for greater effectiveness in telecommuting, or shifting operational capabilities for work between offices and regions, can help businesses reduce costs and increase productivity today even if a bird flu pandemic does not materialize.
This announcement by IBM validates the critical need to put an enterprise framework in place with both a methodology and process to constantly reevaluate thinking and planning on how risk can impact your business and what actions need to be taken.
What is keeping you up at night and what are you doing about it?
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Mitigation • Software