Handling Compound Risk
NOTE: This article originally appeared in the May 2008 issue of Flawless Compliance, under the "Hello Rubber, Meet the Road" section. The link to the actual issue is at the bottom of this article.

Last month we talked about managing risk on a compliance project. This month, we'll take your risk management up a notch and cover a subtle nuance that I call compound risk. Understanding compound risk will not only demonstrate your sophistication in the area, it will also give you greater visibility and control over your risk portfolio.

So, what is compound risk? Compound risk happens when the impact of a risk event produces another risk. Before your head explodes, let me give you an example. Suppose your company faces the risk that a tired night watchman will fall asleep on the job. What's the real business impact of this? Well, somebody might sneak in and steal your inventory. The operative word here is might; it should tip you off that another risk is involved. Carrying the example forward, what's the impact of somebody stealing your inventory? This is more tangible. If, on any given night, you stock $100K worth of inventory, then that's the real impact of the theft, which happened because the night watchman was asleep. This is what I call a compound risk.

To understand how to handle compound risk, let's review how normal risk is handled. In Enterprise Risk Management for your company, you deal with an important risk by introducing a control. This is a key operating principle of most compliance projects. For instance, the risk of an inexperienced processor entering the wrong data could be controlled by a manager's review and approval of the data.

So, let's look at a compound risk in the enterprise. Let's say you have a Segregation of Duties (SOD) program in place, and you face the risk that your employees inadvertently violate the policy due to a worker shortage. Normally, three people should be handling a process; however, one person isn't there, so the other two are covering the position and unknowingly triggering SOD violations. What's the real impact of an SOD violation? It leaves you exposed to possible unethical behavior, which could cause financial misstatements. In and of itself, an SOD violation does not financially harm your company. However, it's possible that one of these SOD violations could spell trouble; that's why the control was put there in the first place.

This is actually a good situation for your company, because you have the opportunity to introduce a mitigating control. A mitigating control is a backup control in case your original control fails. In our example, think of the overarching impact that we're trying to avoid. The real damaging impact (according to the SEC) is the misrepresentation of financial data to the public. To mitigate the SOD control, you may put in a mitigating reconciliation control. That way, if there is some unethical tampering with the data, the recon will catch it.

There's another place where compound risks may show up, and that's on your compliance project. If you remember, last month we talked about managing risk on a compliance project with a contingency reserve. To determine the contingency reserve contribution for any given risk, you multiply the probability of the risk by the impact. For example, let's say your project runs the risk of network failure. If the network goes out, you're estimating 1 day's worth of lost work. On any given day, the probability of the network going out is 5%. So, if your project is scheduled for 150 days, you would allocate 7.5 days in your contingency reserve to handle network outages.

Let's take a compound risk example. Let's say there are rumors of a layoff announcement. The chances of this announcement actually happening are about 30%. If the announcement happens, there will be layoffs, but the layoffs might not affect your project. In fact, there is only a 20% chance that any layoff announcement would have any impact on the project. If the layoff announcement does affect your project, it's estimated that it will cause a 30 day delay as you scramble to readjust. In your qualitative analysis, you deem this compound risk as important, so you will make a contribution to your contingency reserve. But how much is appropriate? To handle this situation, simply multiply the probability of the first risk (0.30) by the probability of the second risk (0.20). In our example, this gives us a combined compound risk of 6% (0.3 x 0.2). Now apply this 6% to the impact (30 days), and you arrive at 1.8 days (0.06 x 30) of contingency reserve.

Understanding risk is vital to your enterprise and project risk management; however, understanding compound risk will demonstrate your savvy and give you greater visibility into your uncertainty. Compound risk in an enterprise can be handled through a mitigating control, and compound risk on a project is handled by simply multiplying the respective risk probabilities together. Revisit your risk portfolio today to uncover hidden compound risks, and adjust as necessary with your newfound knowledge.
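The contingency-reserve arithmetic above, generalized to a small risk register in which a risk may chain into a follow-on risk, as an added Python example that is not part of the original article. The Risk structure, field names and the register are assumptions; the probabilities and impacts are the article's own figures.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    """One entry in a project risk register (assumed structure, not from the article)."""
    name: str
    probability: float                 # chance the event occurs, per exposure
    impact_days: float = 0.0           # direct schedule impact if there is no follow-on risk
    exposures: int = 1                 # independent chances the event gets (e.g. project days)
    follow_on: Optional["Risk"] = None  # compound risk: the risk this event's impact produces


def expected_impact(risk: Risk) -> float:
    """Probability times impact. A chained risk contributes its own expected impact,
    so compound probabilities multiply down the chain (0.3 x 0.2 x 30 in the article)."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be between 0 and 1")
    downstream = expected_impact(risk.follow_on) if risk.follow_on else risk.impact_days
    return risk.exposures * risk.probability * downstream


def contingency_reserve(register: List[Risk]) -> Dict[str, float]:
    """Per-risk reserve contribution in days, plus the total to set aside."""
    contributions = {r.name: expected_impact(r) for r in register}
    contributions["TOTAL"] = sum(contributions.values())
    return contributions


# Constructed register using the article's figures.
REGISTER = [
    # 5% chance per day of losing one day's work, over a 150-day schedule -> 7.5 days.
    Risk("network outage", probability=0.05, impact_days=1.0, exposures=150),
    # Compound risk: 30% chance of a layoff announcement, which in turn has only a
    # 20% chance of hitting the project, for a 30-day delay -> 1.8 days.
    Risk("layoff announcement", probability=0.30,
         follow_on=Risk("layoffs affect project", probability=0.20, impact_days=30.0)),
]

if __name__ == "__main__":
    for name, days in contingency_reserve(REGISTER).items():
        print(f"{name:<22} {days:6.2f} days")
```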
... read the May 2008 issue of Flawless Compliance