Risk has never been absent from any commercial enterprise, and documentation has long been recognised as one good way to minimise it: the oldest surviving writings from the cradle of Western civilisation, Mesopotamia, are records of goods bought and sold. Those goods were things the traders could see, touch and lock up in a protected space. The current explosion in over-the-wire global trading - non-tangible trading - has created whole new areas of high risk, many of them invisible.
Is there a simple way to work out where the risks lie, and manage them? Well, no, it seems, there isn't, and there won't be for some time. They are so complex, according to Dr Charles Wurtz, a mathematician and leading US risk analyst, that no organisation can rely on off-the-shelf solutions to reduce or manage all risks.
"At least for the near future, all successful risk management systems will be bespoke," says Dr Wurtz, director and chief architect of global risk management systems for Sybase Professional Services. "No two firms have identical operations, so no two risk management systems will have identical functional requirements."

A recent visitor to Australia, Dr Wurtz has come up through academic mathematics and a variety of senior positions in trading organisations to his current level of architect for systems which his employer claims to be installed in 90 per cent of the front and middle offices of major global trading organisations. His experience has clarified methods for establishing and installing risk management systems, and has gone on to show that fixing things at the IT level, while an expensive and lengthy activity, goes only part of the way towards applying the required level of management. Nobody can dump responsibility for corporate risk management in the CIO's lap. Only part of it belongs there.
That portion is burden enough. Any corporate risk manager must tailor his or her system around at least the following risks:
market
credit & counter-party
liquidity
operational (including limited) and
legal compliance.
Dr Wurtz applies the principal mathematical tool for risk assessment and management, "stochastic mathematics", an impressive word whose Greek root means nothing more than "aiming", or "guessing". Risk management itself goes considerably beyond risk assessment, and while continuing investments of billions in dollars, pounds, yen and deutschmarks are developing improved risk management tools, these have yet to reach the stage at which risk management insomnia will be an ailment of the past.
The risks listed above are financial. Others are not, although their presence can have active effects for good or ill on the corporate bottom line. One sign of skill in any risk manager is that he or she knows what kinds of risk his or her organisation is undertaking. There are, for example, what Dr Wurtz calls political risk and transparency risk, credit risk, market risk and more.
Regardless of the type of risk, the skilled manager responds from the base of correct and exact knowledge of the market the organisation participates in, and so can answer the two principal questions: Why go into this risk? What's the possible return?

If the perceived reward is a political favour, then assessing and thereafter managing the risk in cash terms would be inappropriate. Going as far as some currently troubled Asian nations have suggests that the political path bears its own risks, which, like the financial ones, should be recognised and can be managed.
It's after these initial questions have been answered that information technology comes into its own: "In a financial institution, you gotta get the data right," Dr Wurtz observes. "You need data cleansing. You need to have a trading and management team, not a collection of superstars running their own private ledgers. And you need to understand that when somebody expresses concerns about your trading activities, you don't shoot the messenger. You must have accurate data, or else you will be in serious trouble."

In Dr Wurtz's view, being a risk manager is a bit like being a dentist: people dread coming to you, and quite often, they don't come even when they know they should. As in the fang world, leave a sore tooth long enough, and you wind up with an abscess. He takes the analogy a bit further: "From time to time, you will see an insurance or trading company that catches some sort of disease, which shows up on the operational side. Baring's failure was an operational issue."

His reference is to the Singapore operations of a British bank in which one man, Nick Leeson, bet what turned out to be the whole bank on a mistaken view of the value of a national currency, a classical risk trading position, and reduced the value of his long-established employers to one pound sterling. It's generally agreed that the Baring calamity arose because front and back office operations were both under Leeson's control.
Corporate attempts at risk management are unlikely to succeed unless senior management accepts that the process is not a cost centre, but is instead a strategic weapon enabling its user to be competitive. The application of stochastic maths to the subject is in its early days, and the tools still have a long way to go. The process starts with analysis of the core business, through development of scenarios for activities in that business, to back-office tools (not under trader control) which allow constant assessment of all recognised types of risk. Typically, at the end of the process, the owner of the new tools has new metrics of success, and resolves earlier conflicts or misapprehensions about what the organisation is really up to: in Wurtzspeak, the company knows it's adding up fruit, not apples and oranges.
The process certainly takes months, and can take years. Since it is in a constantly changing environment, it requires extensive stress-testing of the models it generates, well before application to the deploying corporation's portfolio. Corporations acquainted with business process re-engineering will recognise it, as will businesses exploding due to the use of new technologies.
In the Internet environment, Dr Wurtz says, businesses accustomed to 1000 transactions a month can find themselves called on to generate 20,000 or more a day.
Detroit, Dr Wurtz points out, had considerable knowledge about how to make cars that Americans wanted to buy, but 15 years ago it did not understand the significance of Japan's "everybody's a quality inspector" approach to assembly.
"In Detroit, if your job was putting on wheel covers, that was all you paid attention to," he says. "In Japan, workers were rewarded for stopping the assembly line for quality reasons." The results of the Japanese approach are visible on every American - and Australian - street.
The issue goes beyond manufacture and trading, into every realm of human existence. One notorious case: the wreck of Morro Castle, a luxury liner in the Caribbean holiday trade which burned and sank within sight of the US coast with immense loss of life in the 1930s. The vessel's owners defensively and fictionally claimed the cause of the incident was a firebomb placed in the ship in Havana. A later US inquest established that it was sloppy fire controls matched to a criminal level by the fact that crew had not been taught how to lower the lifeboats, and nobody knew how to do it. Many of the boats themselves were rusted into place: even trained crew could not have shifted them. The vessel's owners had opted for a path which minimised dock time and economised on staff numbers by abandoning fire drills. After the fire started, nobody thought to tell the radio operator to call for help, which was available from many nearby vessels. In the absence of instructions, he sent no messages. All this because there had not been a major fire on the ship before, and from this, the owners argued incorrectly that there would never be a fire in the future.
They were making a dollar.
It took years of complacency to sink Morro Castle and Detroit, but sinking a risk trading organisation can take only days or weeks. One rogue Englishman sank Baring Brothers and now awaits trial on criminal charges in Germany; one leading United States' broker was driven out of business completely because, in Dr Wurtz's view, it did not fully understand the business it was in. And the Daiwa Bank calamity is instructive: first, it lost billions because a rogue trader hid losses successfully; then the bank followed Japanese standard operating procedure by hushing up the losses; then the US Government discovered the cover-up, and took away Daiwa's US trading licence. The bank had not recognised that hushing up, sought and respected in Japan, is illegal in the US.
In today's volatile, complex financial markets, it does not take long for the results of market misjudgements to overtake the unwary.
The most advanced risk-management system known today, and reasonably expectable in human history, will not work unless those operating it are up to the task, and trained by repeated exercises to be good in more than one environment.
Nothing stays the same, Dr Wurtz points out, and companies who do well on rising markets can burn out almost instantly when this environment vanishes.
"It's almost a genetic issue," the American mathematician says.
Five Kinds of IT-Related Business Risks
There are five types of IT-related business risks, all of which are encompassed in a new report on risk management and IT strategy done by Arthur Andersen and its Economist Intelligence Unit. These are the risks and definitions, which can be found in more detail at http://www.mbria.com/itdef.htm/.
Integrity risk: Encompasses all risks associated with authorisation, completeness and accuracy of transactions and information. The risks can be found in user interface, data processing, error processing, change management and data.
Relevance risk: Links to the timeliness and usability of information and directly affects decisions. Best summarised as making certain the right information gets to the right person (or place) at the right time so that the best decision can be made.
Access risk: Involves inappropriate access to systems, information or data.
Availability risk: Relates to risks that can be avoided by monitoring and taking action before problems occur; risks involving short-term systems disruptions during restore/recovery processes; risks caused by disasters that lead to long-term disruptions for which the solutions include backups and contingency plans.
Infrastructure risk: Involves effective IT infrastructures, including hardware, software, networks, people and processes.
- Nancy Weil
Top 10 IT Security Myths
The top 10 technology myths (and a bonus myth) as identified by Arthur Andersen's Economist Intelligence Unit include the following:
1. Security is only about protecting my "things".
2. Our company management just doesn't care about security.
3. Technology will solve the security problem.
4. We don't have information anyone would want.
5. The "enemy" is outside.
6. Firewalls provide enough security.
7. My PC is secure, so I'm secure.
8. The Internet can't be used for secure communications.
9. The built-in security in our computer systems and applications is adequate for our needs.
10. Our people won't tolerate security.
11. Bonus myth: Security problems have never happened here.
- Nancy Weil