Wall Street & Technology is part of the Informa Tech Division of Informa PLC


When Is a Risk Not a Risk?


By Mike Everall, CISO, DrKW

Yes, we have all seen the seminars, training camps and white papers: "This is how you manage risk!" The trouble is that there are as many ways to "manage" risk as there are pundits and white papers. So, I say let's get back to basics and lay out the fundamentals. What is risk? What are the types of risk? And when is a risk not a risk?

What is a risk? A risk is when an active (or potentially active) exposure by your organization creates an adverse impact. This doesn't mean that passive risk doesn't exist: if you "passively" don't do something, you can expose the organization just as badly as if you "actively" do something.

What are the risks? There are many specific types of risk, but at the end of the day the four basic classes are: financial, operational, reputational and regulatory. Some argue that regulatory risk can be folded into the first three, but it is easier to explain regulatory risk to a non-professional colleague if you split it out.

When is a risk not a risk? This is the fun one. It comes down to knowing your business as well as its needs and requirements. I use what I call the "Rule of 4" to apply sanity checks:

1. Truthful: It's a real thing, not assumed, guessed or prejudicially assigned (for instance, "Someone said that this is true").
2. Verifiable: You can prove it, measure it and quantify it.
3. Reproducible: The backup that failed one time on a Tuesday may have some risk. The backup that always fails at month end IS a risk.
4. Add Value: This may be in cost reduction, meeting a regulatory requirement or consistently capturing log data, for example. The commonly heard argument, "My checklist says you have to do this, and I don't care about the other mitigating controls," does not add value.

So, to sum up: if the purported risk doesn't meet all of the above, it is something that belongs on a wish list and is not a manageable risk.

Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.
