Op Risk: Containing the loss continuum
A few days back, my boss asked me.... (Argghh!!...Let me stop myself right there! Are too many people using this line? Hmm.... the bosses get the brightest of ideas, after all)..."Have you ever thought about how a ship or submarine's damage control mechanism works?" What resulted is one of our finest implementations yet.
Traditionally, in the OpRisk world, the loss from a risk was thought of, as being one isolated event (say loss of revenue from system downtime). However, the reality is much different, take for instance, rogue trading, which in many a case, has resulted in a series of losses before being unearthed. The key to effective control is to monitor and react whilst ensuring there is always a fall back for worst case scenario. The biggest risk is being blithely unaware of a looming vulnerability. Let's take the popular instance of laptop theft - sure, data encryption could be prescribed and implemented, physical security beefed up; but that does not rule out the possibility of laptop going missing or data remaining unsecure. In this case, even if invoking access prevention, remote data purging etc fail, the business could make arrangements to reduce or eliminate some costs, say legal (eg: data confidentiality).
In this context, we created a concept, "Contained Damage" which is also an integral part of our risk management platform. Imagine an entire gamut of systems working like a neural network - slightest signs of trouble sensed, impact points delineated (by process maps), damages estimated (using algos), slew of preventive mechanisms kicked in (based on criticality of impact areas and predicted losses) and relevant people notified. (I'll save how this works, for a later post). Contrast this with a vessel - a series of 'flood gates' are activated on impact and damage is contained to a small portion between two gates. When one gate fails, the next provides resistance, still limiting damage. Meanwhile sirens blare and parallel evacuations ensue.
In short, be aware of vulnerability, contain the damage, have a safe 'wrangle out' strategy.
Have you ever thought of it this way?