This chapter explores the challenges of critical decisions regarding the management of enterprise-scale risks. Section 12.1 offers a tutorial on risk analysis and risk management. Section 12.2 presents a conceptual model for managing risk adapted from the theory of financial portfolio management. Section 12.3 describes how this portfolio-based approach grounds our test drive model for critical decisions to allocate resources to reduce enterprise risk. Section 12.4 discusses the results from test drives for two decisions about reducing risks from terrorist threats to our national transportation networks. Section 12.5 explains why the portfolio-based decision test drive solution is superior to competing analytic approaches.
As Bernstein [2] puts it: “Risk and time are opposite sides of the same coin, for if there were no tomorrow, there would be no risk. Time transforms risk, and the nature of risk is shaped by the time horizon: the future is the playing field. Time matters most when decisions are irreversible. And yet many irreversible decisions must be made on the basis of incomplete information.”
Kaplan and Mikes [15].
Slywotzky and Drzik [23].
Ulsch [26].
Oakland [20].
Common variations include earnings at risk, cash flow at risk, market or net present value (NPV), or, in financial institutions, a widely used parameter called Value at Risk, which estimates how much value a portfolio might lose, given normal market conditions, over a set time period (Nocera [19]).
Such consequences can be analyzed by defining numeric scales that represent ranges of monetary or functional damages (e.g., death and injury, direct economic, indirect economic, environmental impact, national security) (Downs [7]).
IRGC [12].
Insurers pool risk from multiple parties and invest those funds. If the risks are assessed accurately (underwriting), the premiums charged are sufficient, and returns from investing pooled premiums are satisfactory, the insurance company can pay off any losses incurred (hopefully by a small subset of the population) and still make a profit.
The government limits or shares some types of large-scale financial risk and liability, for example for pensions for workers from bankrupt companies, damage from flood or other natural disasters, and losses from terrorist attacks.
Consequences are often categorized as primary or secondary. Primary consequences are considered immediate or proximate to the event. Consequences are mitigated by taking steps to recover from them.
Investments to improve analysis and manage risk are perceived as passive and revenue draining rather than proactive. Another contributing factor is that ROI is difficult to quantify, particularly if the relevant loss or harm doesn’t materialize. As such, the primary drivers tend to be regulatory mandates or fear of exposure to legal liabilities. Given the general unpalatability of investments in risk management for its own sake, experts recommend linking such initiatives with enhanced resiliency (e.g., backup data centers offer spare capacity to meet growth in business demand) (Lewis [18]; Sheffi [22]).
For example, risks associated with bonds include property damage, natural disasters, market risks, and insolvency by the bond issuer.
The key to mitigating market risk exposure through diversity is finding asset classes whose valuations or performance are weakly correlated. That is, based on historical evidence, different asset classes change value more or less independently of one another. For example, as stocks decline in value, the price of gold and other precious metals tends to increase.
Two simple criteria guide the formation of risk exposure segments. First, do all of the assets in a group have similar levels of risk? That is, are the consequences and likelihoods of adverse events comparable for all group members, such as a fleet of delivery vehicles? Secondly, do the relevant risk reduction measures apply uniformly to all members of the group? If the answers to both questions are yes, it is safe to bundle them together. If not, they should be treated as separate risk exposure segments.
Another useful metric is operational efficiency; risk reduction measures often differ in their impacts on operational metrics such as production throughput. For example, the Transportation Security Administration (TSA) must consider speed (e.g., the rate at which passengers and cargo can be screened through airport security systems) as well as quality.
One implication that becomes clear from looking at ROI in terms of cost components is that TSA will never be able to protect large populations of “soft” targets without significant investments in advanced automation technologies, including sensors, data mining, image and speech understanding, and remotely controlled switches (e.g., to cut off motors of vehicles or power down systems). Soft targets in the transportation sector include bus terminals, train stations, commercial buses, school buses, and truck fleets. Lifecycle labor costs for deploying in-place security personnel across these large or enormous target sets quickly degrade ROI to abysmal levels.
This is somewhat of a simplification. There may be a learning curve, particularly with new equipment and/or processes. Also, risk reduction performance can degrade over time; for example, training effectiveness may diminish. But generally, a new process, procedure, software program or system produces benefits soon after it is deployed. The most important exception to risk staying reduced arises in the case of intentional adversaries, such as hackers or terrorists, who change their tactics and strategies (e.g., attack modes and/or targets) in order to restore risk. This adaptive behavior is called threat shifting.
Risk models are defined in fields such as accounting, finance, actuarial science, geology, meteorology, medicine, epidemiology, materials science, and various engineering disciplines – electrical, mechanical, nuclear, computer, etc. Businesses and government agencies develop custom models as needed (e.g., for quantifying risk from terrorist threats).
Tables allow modeling of rollout schedules with non-uniform rates, such as a limited pilot deployment followed by a larger-scale accelerated deployment.
Start-up costs are assumed to be one-time costs, while labor and O&M values are pro-rated monthly (or weekly or quarterly, depending on what unit of time is chosen for simulating roll-out of plan units).
Estimating risk reduction for some threats can be extremely difficult, particularly for events such as hacker or terrorist attacks, which are relatively rare and driven by adaptive adversaries about which little is known. One requirement is to address the issues of subjectivity, consistency, and verification raised by expert judgments (Hubbard [10] and [11]). Actuarial science also has a branch that focuses on very low frequency (i.e., rare, long tail, or black swan) events.
This model could be refined to allow schedules to reflect the termination of existing security measures, freeing up assets for reuse and personnel for retraining and/or redeployment (and altering spend rates).
The most volatile changes in the threat landscape come from more virulent adaptive adversaries, such as hackers and terrorists. These adversaries don’t merely compete for customers and market share. Instead, they target companies directly, attacking their assets, employees, and facilities.
USCG has an unusually broad mandate compared to other Homeland Security agencies such as TSA. It has statutory responsibilities for eleven missions, including maritime security (ports, waterways, and coasts), drug interdiction, aids to navigation, search and rescue, living marine resources, marine (boating) safety, defense readiness, migrant interdiction, marine environment protection, U.S. Immigration and Customs Enforcement operations, and other law enforcement. Resources allocated to one mission can be shared by other missions (e.g., boats and boat crews), which complicates resource planning and scheduling as well as calculations of agency-wide ROI.
USCG measures risk using a non-financial metric called Risk Index Number (RIN points) rather than dollars. This precludes a conventional financial ROI calculation, but RIN reduced per unit of cost (RIN reduced/Cost) offers a similar metric. Note that this study did not use the CROI metric described earlier, which we developed later.
In contrast, it is much more difficult to attack an airplane at cruising altitude, so attacks are primarily confined to airports and takeoff/landing paths (vulnerable to attacks by short-range, portable missiles).
This capability presupposes a detailed analysis of how threats cause harm and how each reduction measure prevents or mitigates that harm. In the TSA study, we used a technique called event trees to model terrorist attacks and how security measures reduce vulnerability or consequence at various tree nodes.
It would be a nightmare to expect expert analysts to take this factor into account on their own when estimating the risk reduction impacts from individual measures. Different strategies propose different combinations of risk reduction measures (e.g., based on budget constraints). Similarly, it is unreasonable to expect consistent judgments about attenuating risk efficacy across time and different analysts. Instead, we define a universal attenuation factor using a backward sigmoid function (i.e., an “S-curve”): early in the strategy, where initial (residual) risk is high, the discounting effect is minimal. As the amount of risk reduction increases, discounting increases quickly. Finally, at the bottom flat part, the discount levels off. Historical data can be applied to determine the exact shape of the discounting function with some realism.
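As an added illustration (not code from the chapter), the following Python sketch combines the rollout-table cost model described in the notes above (one-time start-up costs per plan unit, monthly pro-rated labor and O&M, non-uniform deployment rates such as a pilot followed by an accelerated phase) with a backward-sigmoid attenuation factor applied to each successive unit's risk reduction, reporting RIN reduced per dollar. The logistic form, its midpoint and steepness parameters, and all of the sample figures are assumptions; the chapter does not give the exact shape of its discounting function.

```python
import math


def attenuation(fraction_reduced, midpoint=0.5, steepness=10.0):
    """Backward sigmoid ("S-curve") discount on the efficacy of the next measure.
    fraction_reduced is the share of the initial risk already removed by earlier
    measures: near 0 the factor is ~1.0 (little discounting); it falls quickly
    around `midpoint` and levels off near 0 once most of the risk is gone.
    The logistic form and default parameters are assumptions for illustration."""
    return 1.0 / (1.0 + math.exp(steepness * (fraction_reduced - midpoint)))


def simulate_strategy(schedule, initial_rin, unit_rin, startup_cost, monthly_opex,
                      midpoint=0.5, steepness=10.0):
    """Roll out plan units month by month per `schedule` (units deployed each month).
    Start-up cost is charged once per unit; labor/O&M is pro-rated monthly for every
    unit in place. Each unit's nominal RIN reduction is attenuated by the share of
    risk already reduced when it comes online, so later units buy less.
    Returns cumulative cost, RIN points reduced, RIN per dollar, and a timeline."""
    deployed = 0
    cost = 0.0
    reduced = 0.0
    timeline = []
    for units in schedule:
        deployed += units
        cost += units * startup_cost + deployed * monthly_opex
        for _ in range(units):
            factor = attenuation(reduced / initial_rin, midpoint, steepness)
            reduced = min(initial_rin, reduced + unit_rin * factor)
        timeline.append((cost, round(reduced, 2)))
    return {"cost": cost, "rin_reduced": reduced,
            "rin_per_dollar": reduced / cost, "timeline": timeline}


# Constructed sample schedule: a 3-month pilot of one unit per month,
# then an accelerated deployment of four units per month.
PILOT_THEN_ACCELERATE = [1, 1, 1, 4, 4, 4]

if __name__ == "__main__":
    result = simulate_strategy(PILOT_THEN_ACCELERATE, initial_rin=1000.0,
                               unit_rin=100.0, startup_cost=100_000,
                               monthly_opex=5_000)
    for month, (cost, rin) in enumerate(result["timeline"], start=1):
        print(f"month {month}: cumulative cost ${cost:,.0f}, RIN reduced {rin}")
    print(f"RIN reduced per $1M spent: {result['rin_per_dollar'] * 1e6:.1f}")
```

Without the attenuation factor the fifteen units would nominally claim 1,500 RIN points against an initial risk of 1,000; with it, the timeline shows the marginal gain of each additional unit shrinking as residual risk falls.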
Modeling adaptive adversaries goes well beyond the scope of this book. However, in broad strokes, assume that adaptive adversaries monitor the risk gaming table over time. When you increase security protections for one rectangle, your actions decrease the likelihood of a successful attack, the severity of attack consequences, or both. That rectangle becomes less attractive and others become relatively more attractive. Adversary decision rules must set thresholds to trigger their attention to significant changes. Our model employs utility functions to capture the adversary’s preferences for different kinds of mayhem (e.g., direct vs. indirect economic damage, injuries and deaths, symbolic impact). The THEN clauses use this information to update the likelihood of attack threats for relevant risk rectangles to reflect adversary adaptations (i.e., changes in their relative priorities of target sets and attack modes). See also Kott and McEneaney [16] and Taquechel and Lewis [25].
All URLs Accessed 05 Jul 2019.
Aabo, Tom, John R.S. Fraser, and Betty J. Simkins. 2005. The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One. Journal of Applied Corporate Finance 17(3): 62-75.
Bernstein, Peter. 1996. Against the Gods: The Remarkable Story of Risk. New York: John Wiley & Sons.
Caralli, Richard A., Julia H. Allen, and David W. White. 2011. The CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience. Upper Saddle River, NJ: Addison-Wesley.
Cech, Richard. 2009. Measuring Causal Influences in Operational Risk. Journal of Operational Risk 4(2): 59-76.
Courtney, Hugh, Jane Kirkland, and Patrick Viguerie. 1997. Strategy under Uncertainty. Harvard Business Review 75(6): 66-79.
Cruz, Marcelo. 2013. Benefits and Pitfalls of a Risk Taxonomy. Operational Risk and Regulation, 05 Apr 2013. Available at https://securityrisk1.wordpress.com/2014/05/01/benefits-and-pitfalls-of-a-risk-taxonomy/.
Downs, Brady. 2007. The Maritime Security Risk Analysis Model: Applying the Latest Risk Assessment Techniques to Maritime Security. Proceedings of the Marine Safety & Security Council 64(1): 36-39.
Elton, Edwin J., Martin J. Gruber, Stephen J. Brown, and William N. Goetzmann. 2010. Modern Portfolio Theory and Investment Analysis. Hoboken, NJ: John Wiley & Sons.
Fraser, John R., and Betty Simkins (Eds.). 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.
Hubbard, Douglas W. 2007. How to Measure Anything: Finding the Value of Intangibles in Business. Hoboken, NJ: John Wiley & Sons.
___. 2009. The Failure of Risk Management: Why It’s Broken and How to Fix It. Hoboken, NJ: John Wiley & Sons.
International Risk Governance Council (IRGC). 2008. An Introduction to the IRGC Risk Governance Framework. Geneva: IRGC. Available at https://www.irgc.org/risk-governance/irgc-risk-governance-framework/.
International Organization for Standardization (ISO). 2012. Standard 22301:2012 - Societal security - Business continuity management systems - Requirements. Geneva: ISO.
___. 2018. Standard 31000:2018 - Risk management - Principles and guidelines. Geneva: ISO.
Kaplan, Robert S., and Anette Mikes. 2012. Managing Risks: A New Framework. Harvard Business Review 89(6): 49-54.
Kott, Alexander, and William M. McEneaney (Eds.). 2007. Adversarial Reasoning: Computational Approaches to Reading the Opponent’s Mind. Boca Raton, FL: Francis Group.
Krell, Eric. 2006. Business Continuity Management. New York: American Institute of Certified Public Accountants.
Lewis, Ted. 2006. Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. Hoboken, NJ: Wiley-Interscience.
Nocera, Joe. 2009. Risk Mismanagement. New York Times Magazine, 4 Jan 2009. Available at http://www.nytimes.com/2009/01/04/magazine/04risk-t.html.
Oakland, John S. 1996. Statistical Process Control. Boston: Butterworth-Heinemann.
Russo, J. Edward, and Paul J.H. Schoemaker. 2001. Winning Decisions: Getting It Right the First Time. New York: Doubleday Currency.
Sheffi, Yosef. 2005. The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage. Cambridge, MA: MIT Press.
Slywotzky, Adrian J., and John Drzik. 2005. Countering the Biggest Risk of All. Harvard Business Review 83(4): 78-88.
Taquechel, Eric F., and Ted G. Lewis. 2016. More Options for Quantifying Deterrence and Reducing Critical Infrastructure Risk: Cognitive Biases. Homeland Security Affairs 12. Available at https://www.hsaj.org/articles/12007.
Ulsch, MacDonell. 2013. Third-Party Risk Management: Horror Stories? You Are Not Alone. Available at http://searchsecurity.techtarget.com/feature/Third-party-risk-management-Horror-stories-You-are-not-alone.
- Managing Enterprise Risk
Richard M. Adler
- Chapter 12