In Riskope’s day-to-day review jobs we notice a number of pitfalls in risk (management) approaches.
These pitfalls have led some very reputable global companies to opt for a technologist’s binary (yes/no) view of security. In their eyes, systems are either secure and safe, in which case they have no vulnerabilities, or insecure. In this last case they have vulnerabilities that require remedial action. Often users forget the definition of risk because a clear glossary is not used, further complicating matters.
Based on the excuse that a model is only as good as the information one puts in (point 2 above), and convinced that only “very precise numbers” would fit the needs of analyses, while neglecting the fact that ranges are the safest option, even large corporations make astounding decision mistakes!
Large amounts of money are wasted as a result of a choice that is often made because of a refusal to think ahead.
Some approaches look exclusively at asset values (at risk) and neglect to weigh them against safeguard/mitigation costs (meaning they do not use risk as a discriminant). The results are erratic at best, and may lead to:
Some other approaches, like scenario analyses, involve the construction of different hazard/risk/crisis scenarios. Scenario analysis is customarily employed to dramatically illustrate how vulnerable an organization is.
The primary drawback of an exclusively scenario-analysis-based approach is its generally limited scope and consistency. For example, an expert will build a very detailed risk scenario in his domain but will forget the most basic scenarios in other areas.
In a recent case we even saw a company censoring reality to credible scenarios, thus cutting away any low-probability, high-consequence scenarios!
Assessing only a few scenarios leaves open the possibility of missing important paths, leaving serious risks unaddressed. By narrowing the focus in this way, the analysis becomes tractable, but incomplete.
In the meantime, ignorance is a self-reinforcing problem since organizations are reluctant to act on security/risk concerns unless they see a real problem.
Riskope’s ORAPR offers the opportunity to quickly assess an operation’s risk awareness and preparedness. The benefits for the evaluated entity are considerable: the Operation Risk Awareness and Preparedness Rating (ORAPR) constitutes a very fast, easy, repeatable and inexpensive approach, revealing global management and leadership strengths and weaknesses and delivering a metric of the Operation/Corporation/Project Survivability Readiness and Awareness in case of hardship, extreme events, crises and mishaps.