VSJ – July 2003 – Work in Progress

Few would now doubt the benefits of integrating their IT strategy into their business strategy. However, this entails an integrated approach to risk management, which requires a common understanding of the risks to the firm. Steve Cumbers FIAP, IAP Vice President, takes the broad view and warns against a wholly intuitive assessment of risk.

From buying a house to crossing the road, from starting a business to outsourcing IT, from vaccination (MMR, smallpox) to modifying genes, all depend on a balance of risks. But, no matter what the context, in a risk assessment there are three essential questions: What can go wrong? How likely is it to go wrong? How severe is the penalty if it does go wrong?

A Definition of Risk

Risk can be defined as exposure to change, coupled with the sensitivity to change of that which is exposed. Some changes are beneficial of course, but risk is usually taken to mean downside risk since undesirable outcomes are typically of greatest concern. Unlike risk, a hazard is a potential exposure to change which, given susceptibility, creates a downside risk. Sensitivity (vulnerability) is the degree of response to change. For example, the measles virus is a hazard, human beings are susceptible (cf. dogs, which are not), contact with infectious persons is exposure, and lack of personal immunity is sensitivity. So risk can be thought of as the ‘product’ of four factors: hazard, susceptibility, exposure and sensitivity. If any one of the four factors is absent (zero) then there is no risk.

Types of Business Risk

Commercial risks, viewed from a largely financial standpoint, fall into a dozen broad categories: price (market); currency (FX, IR, inflation); credit (default); liquidity (cash, opportunity); operational (systems, production); systemic (payments intermediary); extramural (national infrastructure); reputational (‘Andersen-Enron’); personnel (morale, retention, incapacitation); acquisitive (M&A); legal & regulatory; and political (‘Zimbabwe’, ‘al-Qaeda’). Some might add environmental impact and social discord, which engender blowback risk.

The Management of Risk

Many risks can be mitigated by purchasing insurance. However, purely financial risks are usually managed by actively balancing assets and liabilities and by hedging with off-balance-sheet positions. Alternatively, when the objective is business continuity, risks are managed by contingency planning. Precautions typically include the provision of redundant systems and offsite (or mutual) backup facilities, as well as assigning workforce understudies to assume key roles in a personnel crisis. The importance of this approach became all too apparent on September 11, 2001. A germane example of preparedness was the re-routing of US data traffic through Goonhilly on that fateful day.

From Risk to Probability

Risk is a function of hazard, susceptibility, exposure and sensitivity. However, a relationship based upon explicit probability is more amenable to calculation. Avoiding a formal derivation, we can reasonably assert that risk is proportional to P × D, where P is the probability that it will go wrong and D is the size of the disaster if it does. So to assess a risk we need to determine a probability.

A Fragment of History

In the middle of the 17th Century, Pascal and Fermat corresponded over a gambling problem posed by the Chevalier de Méré: apparently, a pair of dice that had been winning money for him had begun to lose it even faster! Thus gambling provided the prototype problem for a new mathematical discipline – Probability Theory. Numerically, probability is a measure or estimate of the degree of confidence one may have in the occurrence of an event, expressed on a scale from 0 (impossibility) to 1 (certainty). Equivalently, it is the expectation that a specified event will occur, as measured for example by the ratio of the number of pertinent cases to the number of possible cases (when all ‘cases’ are equally likely).

Probably Wrong

Fifty-seven executives attend a breakfast meeting about risk. The chairman of the meeting makes an extraordinary offer: ‘if any two delegates celebrate the anniversary of their birth on the same date then I will pay for a joint party for them on the occasion of their forthcoming birthday.’ Using the accompanying figures, or otherwise, assess the risk that has been taken by the chairman… Did it agree with your educated guesstimate? The point is that most risks are assessed by intuition rather than mathematics and the consequence of getting it wrong can be a tad more serious than the cost of a birthday party.
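A worked calculation of the chairman's risk, added here as an example (it is not the article's own ‘accompanying figures’, which are not reproduced): the exact probability that at least two of 57 delegates share a birthday, the article's P × D expected loss with a constructed party cost, and the group size at which the odds pass even. The function is parameterised over the number of equally likely dates, so it goes beyond the 365-day case; leap days and seasonal birth-rate variation are ignored, as the classic problem assumes.

```python
from math import prod

DAYS_IN_YEAR = 365  # classic assumption: every date equally likely, no 29 February


def shared_birthday_probability(n, categories=DAYS_IN_YEAR):
    """Probability that at least two of n people share a 'date'.

    Exact: P(no clash) is the product over the n people of
    (categories - i) / categories; the risk is its complement.
    Works for any number of equally likely categories, not just 365.
    """
    if n < 2:
        return 0.0
    if n > categories:
        return 1.0  # pigeonhole principle: a clash is certain
    no_clash = prod((categories - i) / categories for i in range(n))
    return 1.0 - no_clash


def smallest_group_exceeding(threshold, categories=DAYS_IN_YEAR):
    """Smallest group size whose clash probability exceeds threshold."""
    n = 1
    while shared_birthday_probability(n, categories) <= threshold:
        n += 1
    return n


def expected_loss(n, cost_of_disaster, categories=DAYS_IN_YEAR):
    """The article's P x D: probability of the bad outcome times its size.

    Simplification: a single party is assumed regardless of how many pairs clash.
    """
    return shared_birthday_probability(n, categories) * cost_of_disaster


if __name__ == "__main__":
    DELEGATES = 57        # the breakfast meeting in the article
    PARTY_COST = 500.0    # constructed value for D; the article gives no figure
    p = shared_birthday_probability(DELEGATES)
    print(f"P(at least one shared birthday among {DELEGATES}) = {p:.4f}")
    print(f"Expected cost of the chairman's offer: {expected_loss(DELEGATES, PARTY_COST):.2f}")
    print(f"Group size at which the chance passes 50%: {smallest_group_exceeding(0.5)}")
```

Most people's intuition puts the 57-delegate figure far lower than the roughly 99% the exact calculation gives, which is the article's point about guessing risk.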

[Interesting project or development? Let us know at eo@iap.org.uk!]
