The Risk Cost-Worth Postulate
"Cost and Worth are very different things" - Luke Brandon
"Is it worth the risk" - Pessimist Populace
Ok; let's back up a little bit here. Often, the economic concepts of cost and worth are taken to be synonyms. While cost is the factual and quantitative measure of the monetary value expended to achieve or acquire something; worth, though quantifiable is purely subjective and is at the mercy of a vantage point.
From the data at hand, while I can't draw a conclusion on how Basel III will fare in the world of black swans; what I can say with certainty is that movies offer good analogies in conveying the point I am trying to make. In this particular movie, Rebecca Bloomwood tries to buy a scarf by spreading the price over cash and multiple cards, but with one card being declined, is still $20 short. She rushes to a hot dog vendor, going to the front of the line, begging the vendor to give her cash back on a check, even offering to buy all of his hot dogs. Luke Brandon, the man in the front of the line gives her twenty dollars to get her out of the way, so he can get his hot dog, telling her there is a difference between cost and worth.
Back in the world of operational risk, cost and worth still have clear distinctions. The cost of a risk would, for me, really be the cost of the control (including the opportunity cost of capital and resources from their use elsewhere) that can leave the residual risk in the realm of low probability and impact. Besides the 'tail' risks (high impact, low probability items like catastrophes), this would be feasible for the vast majority. Well, but hold on, isn't the cost of a risk, the damages resulting from its graduation into a loss. No, because, for one, it is variable and can range to infinity depending on the dynamics of its occurrence; and for another, the cost of each risk in relation to another would become disproportionate, limiting the evaluation of its economics.
Now, how much is a risk worth?; Ah!, this one would include everything from the simplest, estimated tangible damages to a slightly more complicated to quantify reputational risk, arising from a probable loss event, after setting-off return on capital savings due to better management of risk.
Quantification of reputational risk, eh? - Easier said than done! While there is more than one logical approach, the question is really, how closer to comprehensive can / should you get? (My next post would be on this!)
In short, cost would be the expense in combating the risk, while worth would be penalty, if not. Or, rather, the latter would be the implied benefits from preventing the manifestation of risk into loss.
In the clamour for limited resources, the opportunity cost component needs to clearly reflect the preference in implementing control for one risk over another. Unfortunately, the only element considered for such decision making today, is the estimated loss for a risk based on historical frequency - severity. While what I have talked about above also includes this as a part of worth, (as for obvious reasons, incorrect as it may be, it is the only key statistical data that can be extrapolated from the past), consideration of other factors lowers its weight in the whole decision.
By the definition above, while cost (of risk) is singular across all its occurrences, worth should factor in the effect across the entire organisation. This would add more sanity to the prioritization of risks.
Outside the core business applications landscape, Cloud is doing well, from "Chrome-Alone" browser based OS, streaming OS, game checkpoints on the cloud, multiple device syncing to virtual graphics. Heck, you can even run your own makeshift private social network. However, with business applications, it hasn't gained much steam. With the current approach in this area being, shifting the entire application to, and delivering from the cloud, the key is to discern which chunks make better sense on the cloud. In case of risk management, anonymized "data" (cost, worth and plenty others - More on this later) is a winner. External loss data has been in use for many years now - This in reality extends the horizon of the 'types of data' available, facilitating better and faster intelligence, sans the data warehouses or the 'middle-men' data providers.
Risk management decisions are like much of their other economic counterparts (however, with their own versions of cost and worth) and hence would make a great deal of sense enhancing the risk controls assessment process (RCSA / RCA) in an endeavour to factor in the same.
My experiments on application of cost-worth principles in social relationships have often met with harsh criticism, resistance and the classic "What's wrong with you?" reactions deterring further work in this area [Sarcasm]. Anyways, for the socially challenged, there are other options, like just lighting up your Blu e-cigarettes.