Operational Risk and Resiliency Frameworks

A tale of five risk management characters and how they fit into your organization.


Five guys walk into a bar: a banker, an ex-cop, a technology nerd, a mandarin (or skilled administrator)

and a soldier. The banker pops off his cuff links, rolls back his sleeves and orders a cognac. The cop

puts his hat on the table and gets a pint. The nerd orders a colano ice. The mandarin gets a gin

and tonic, and the soldier orders Scotch. They are old friends from before they were professionals. They

are all now risk managers, and good ones.

These five have rekindled their relationship now that they all claim the same occupation. The cop, the nerd

and the soldier have been seeing each other frequently in recent years and work together pretty well.

They appreciate and are intrigued by the mandarin and have taken to inviting him out, but he is

traditionally an introvert and his instinct is still to work alone. The banker, well, no one really knows

what to make of him yet, and the feeling is mutual. Everyone sees a convergence of interest, which

has brought them together this evening.

"Well," says the banker as the Hennessy warms him. "I manage financial risks, which are the most important

of all because money makes the world go 'round, and puts roofs over heads. I work with credit risk,

debt risk, derivatives, interest rate fluctuations and equity valuations. I forecast for and warn

institutionsand individuals to a small degreeabout how, when and where to place their

money with the least risk and the most possible upside. That is what risk management is all about."

"Rubbish!" says the cop as he wipes a little stout off his moustache. "I manage physical risks, which

are the most important of all because this is a mean world full of beasts in people's clothing. I

work with cameras, digital video recorders, door locks, motion detectors, proximity cards and RFID

tracking of people and goods. I design and implement security systems for institutionsand

individuals to a small degreeto allow them to reduce and manage risks from either external

or internal threat agents. That is what risk management is about."

"You all seriously overestimate your midi-chlorian-count!" says the nerd as he orders another cola.

(Only those who have a high midi-chlorian count

in their bodies can be Jedi.) "I manage information and communications technology risks, which are the most

important of all because from traffic lights to paying for these drinks, IT keeps our world running.

Without IT, the world we live in stops in its tracks. I work with broadband pipes, firewalls and

intrusion-detection systems, antivirus, antispam and high-availability data centers. I design

information management and data communications systems for institutionsand individuals to

a small degreeto create resilient services to reduce and manage risks from either external

or internal threat agents. That is what risk management is about."

"Please!" sputters the mandarin, gently swirling the ice cubes in his cocktail. "I manage natural

and man-made disaster risks, which are the most important of all because losses from these events

are measured in lives, not dollars, property damage or downtime. I am talking about hurricanes,

blackouts, pandemics and bombs. I work for institutions and with first responders conducting

exercises involving emergency services like police, fire and paramedics. I design tests and

develop plans and procedures to manage the unimaginable. That is what risk management is about."

"You all need a reality check," says the soldier as he savors the malt. "I manage confidentiality

of information, which is the most critical because it deals with national security and personal

privacy, which is about our ability to be sovereign as a nation and individuals. We are talking

about defending our data against malicious entities that would use it against us, and to their

advantage. Lives can easily be at stake, but very large sums of money too. I deal mostly with

government and militarywho best appreciate the requirement for 'confidentiality first.'

That is what risk management is about."

At the Confluence of Risk

This little scene illustrates what many organizations are experiencing: There are many risks

to be managed and very different characters needed to manage them. The purpose of that scene

was to illustrate where the necessary skills to address a comprehensive enterprise resiliency

strategy might be found, not to propose a taxonomy of risks that aligns to bankers, cops or


Let's look at a few different risk taxonomies to understand how risk is being approached at

an enterprise level, and how a wider and wider variety of skills is needed to support a

comprehensive (and increasingly regulated) risk management program. There are risk models

that exist at the highest abstractions and offer broad guidance around specific risks;

alternately, there are basic models outlining specific guidance around broad risk classes.

Between these levels of analysis exists the world of "utility" risk models with varying

degrees of industry-vertical bias. Utility models applicable across industries are rare

and difficult to support.

Risk Taxonomies: The Abstract

At the highest, most abstracted end of the risk model is a global risk taxonomy

provided by the World Economic Forum (WEF). This is probably not intended to be

applicable to any institution or industry as a whole, but is a framework from which

to extract risks for regrouping according to organizational requirements and using

the skills of the five wise men from the prologue.

* Oil prices/Energy supply * Asset prices/Indebtedness * U.S. Current Account deficit and U.S. dollar * Coming fiscal crises * China * Critical infrastructures * Regulation * Corporate governance * Intellectual property rights * Organized crime * Global pandemics * Slow and chronic diseases (industrialized world) * Epidemic disease (developing world) * Liability regimes * Tropical cyclones * Earthquakes * Climate change * Loss of ecosystem services * Convergence of technologies * Nanotechnology * Electromagnetic fields * Pervasive computing * Terrorism * European dislocation * Current and future hot spots

This taxonomy from the WEF is probably most interesting for its grouping headings.

The actual risks identified under these groups are obviously temporal and subject to

current events.

Risk Taxonomies: The Middle Ground

Occupying the middle ground are risk management models from respected academia and

management consultancies that aim for industry-neutral, utility frameworks.

Recent work

at Carnegie Mellon University in managing the security of an enterprise speaks in terms of "critical

success factors" (CSFs) for organizationsthe most important issues to focus on for the good of

the enterprise. Taking the liberty of translating this into risk language, CSFs are also critical

risks. Carnegie Mellon considers CSFs/risks to come in five specific types:


Operating risks typical of the industry, e.g., energy costs for transport firms, brand risks to consumer goods firms.

Competitive-Position or Peer

Operating risks relative to the enterprise's position in the industry, i.e., dominant leader, low-cost alternative, bulk wholesaler.


Operating risks relative to conditions over which the enterprise has little control, e.g., socioeconomic, regulatory, terrorism.


Operating risks relative to rapid short-term or gradual long-term changes, e.g., inventory gluts/recall, natural hazards (hurricanes), war, mergers and acquisitions, new product/market entry.


Operating risks common across different levels of management in the same organization or even industry, e.g., brand risks, currency risks at the executive level, productivity and margin risks at the operating unit level.

The specific risk within each of these types is determined by applying Carnegie Mellon's analytical

methodology to the organization in question. Interestingly, the model above does not seem to take

the banker and his financial risk management into too much accountit is merely implied as a

"Management Position" riskbut it does seem to cover the risk areas defined by the cop, nerd

and mandarin.

Mercer Management Consulting, a division of Marsh Insurance (the second-largest re-insurer in the world)

introduced a new risk taxonomy in 2004 in an article titled

Re-thinking Risk. Marsh Insurance deals

with risk as a core part of its business and has a flourishing risk-management professional

service practice. Mercer also views the world with five types of risk:






Property/Casualty * Political * Environmental * Regulatory Currency * Interest rate * Commodity prices * Credit Inventory * Supply chain * Capacity * Information systems Governance gaps * Wrong organizational structure * Talent/Morale * M&A integration Technology * Brand collapse * One-of-a-kind competitor * Industry economics collapse Customer shift * New project/investment * Stagnation * Obsolete business design

Within the Mercer framework, all the risk characters are represented, and the risks themselves are

more tightly defined than in the Carnegie Mellon model.

Risk Taxonomies: The Basic

The term basic means to convey the notion of few moving parts, not of lowest common denominator.

A basic model doesn't have a great deal of complexity, but it is specific in its advice around how to

use the few moving parts. An example of such a theory is "risk conductors." In this model, a crisis

or significant impact inside a large organization starts at a single point (physical/logical/organization)

and is then dramatically amplified as it resonates through the organization, down into the supply chain

and up to clients. To place this in context: A physical event such as an earthquake, pandemic or attack

is a geographically focused event that in and of itself will not impact an entire geographically

dispersed organization. Risk conductors amplify or dampen such physical events by transmitting

(conducting) the impact across an organization beyond the physical impact zone of the event.

A Closer Look: Risk Conductors

There are two primary varieties of risk conductors around which organizations plan all-hazards

controls and safeguards: human factors (HF) and information and communication technology (ICT).

HF deals with the management and mitigation of risks associated with the loss, damage or interference

with the people-components of an enterprise or organization. How will people react to different

threats and risks, and how will those reactions affect the enterprise? People are a completely

pervasive element in the enterprise, spanning all lines of business (LOBs). People will react

to impacts and incidents in other LOBs whether or not there is a material impact on their own

line of business or they even know anyone within the impacted LOB. Enterprises must manage

human factors in order to dampen the conduction of risk and impact from LOB to LOB.

In ICT, the convergence of data, voice, industrial controls, physical security, facilities

management, financial transactions, metering, etc., to Internet protocol means there is one

technology whereas before they were all distinct, standalone systems and networks. ICT is

now a potent, monolithic asset within enterprises with the ability to deliver great value

and efficiencies; however, this concentration of value and sensitivity has raised the overall

requirement for assurance. Not only does the network touch all parts of the enterprise, but

it also supports all the information and communications requirements.

Enterprise LOBs may be geographically dispersed and only vaguely related in terms of day-to-day

operations. Yet they will be tightly linked by ICT for the purposes of efficiency and control.

An impact on an LOB of any magnitude will impact the ICT assets and be transmitted to the rest

of the enterprise to varying degrees. In the past the less efficient, but partially redundant,

information and communication technologies would have dampened if not simply absorbed any

conducted risk impact. No longer.

The model of risk conductors is simple in that it speaks of only two moving partspeople and

technologyand how they result in an interconnectedness of modern organizations. As Mercer

Management recognizes in one of its latest publications: "While many managers recognize the fact

of interconnectedness, few firms have internalized the consequences for risk management."

Risk conductors offer the potential to address all classes of risks with "all-hazards" controls and

safeguards that can be translated into "standards-based" controls and safeguards. The result is

some specific guidance that the cop, nerd, soldier and mandarin will all approve and recognize,

like ISO 17799/27002 or CoBiT. However, the banker is left to his own devices. Once again.


Whether isolated within a unique risk category or ignored by the others, the banker remains in a

more remote risk world than that of the cop, nerd, soldier and mandarin, who increasingly

overlap and combine their skills into a broad-based "operational risk" category. Is this the

"real" risk categorization that enterprises must consider? Financial and Operational? These

1 2 Page 1
Page 1 of 2
Microsoft's very bad year for security: A timeline