Storage & Clustering Community Blog

Beyond Luck & Guesses: Overcoming the High Cost of Worthless Op Risk Models

Created: 27 Feb 2013 • Updated: 11 Jun 2014

The modern organization is highly dependent on information technology. Simultaneously, and quite unintentionally, information technology has introduced new exposures which have deceptively seeped into every layer of the financial organization. The likelihood that an organization will experience a catastrophic loss from an IT-service interruption caused by an IT issue is far greater than an interruption coming from some disaster or ‘black swan’ event. Still, the key to survival is allocating the appropriate amount of resources to the “right” risks. While that may include planning contingencies for a worst-case scenario, being rational about risk requires more guidance regarding the investment tradeoffs that mitigate risk.

The “Big Question” is how to optimize scarce resources today to achieve the greatest reduction in future losses. The Big Question has two components: (1) which risks are the serious ones and (2) what are the optimal risk-reduction actions. The real problem for ‘traditional’ approaches like the Business Impact Analysis (BIA) and qualitative High-Medium-Low risk analysis is not that they are wrong, but that they offer no guidance on how to improve the situation. These traditional methods offer little advice for answering the Big Question. In fact, they can be dysfunctional. The unintended consequence of these outdated methods has been that the operational aspects of IT have been systematically neglected. This might be the biggest blunder in business today.

The value of operational risk management lies not in identifying risks and exposures; the value lies in determining the optimal investment to mitigate the most serious risks. The cost-of-downtime and the BIA neither help identify causes nor help prioritize preventative actions. The BIA provides little value for controlling operational risks because its primary purpose is to respond and recover, not prevent. It overlooks the causal relationship of risk because it was never intended to treat a cause or a symptom. It is an after-the-fact approach to produce contingencies for worst-case circumstances, not a preemptive, proactive approach to strengthen operations.

While traditional methods have inherent disconnects and do not answer the Big Question, there are things that can be done today to keep the odds in our favor. A loss-expectancy risk model that economically quantifies operational risk will not only identify the serious risks but will also provide the important cause-and-effect correlation needed to rationally evaluate risk-reduction tradeoffs through cost-benefit balancing. Visit the link below to read the details in Beyond Luck & Guesses: Overcoming the High Cost of Worthless Op Risk Models.

Blog Author:
Mr. Wenk is Principal Resiliency Architect for Symantec’s Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for cloud infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 different countries, and tackling some very challenging, complex, and ambiguous problems. His experience includes developing architectures and strategies for highly available, resilient and secure infrastructures in heterogeneous IT environments. He has performed quantitative operational risk assessments that were used to justify the significant investments required to build, transform and maintain resilient infrastructures; he has performed technology assessments, developed IT consolidation and transition strategies, and developed site selection criteria for complex heterogeneous technology consolidations. In addition, he has developed charging methodologies and performed capacity planning and performance evaluations in large, complex IT environments. Dennis has developed a number of risk-based services that quantify the return on technology investments that increase resiliency and improve continuity programs. His background includes experience with EMC Consulting as Senior Cloud Architect; Hitachi Data Systems as Principal Global Solution Architect for High Availability Solutions; IBM Global Network as an Outsourcing Project Executive; Comdisco, where he was Western Director of Technology Consulting; KPMG, where he was Senior Manager, Group Leader for IT Operations and Transformations; and Heller Financial, where he served as VP/Information Processing. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), Certified Data Processor (CDP), and Certified Systems Professional (CSP), and is certified in ITIL Service Management.
He was awarded Best Management Paper by Computer Measurement Group, and he currently sits on the Advisory Board for Continuity Insights and serves as their Technology Chair. He has served as the Cloud Special Interest Group Leader for the Outsourcing Institute and the Business Continuity Focus Expert for Information Technology Infrastructure Management Group. He is an advisor to Business Continuity Services Group. Dennis has written award-winning professional articles and white papers and has been published in Information Week, Computer Performance Review, Trends and Topics, Continuity Insights, Infosystems, Computer Measurement Group, and DR Journal. He is a regular speaker at worldwide industry conferences. Some current topics of expertise include: ‘3 Simple Complexities of Data Protection’, ‘Think About Never Failing, Not How To Recover’, ‘Focus On The Largest Source Of Risk: The Data Center’, ‘Risk Economics’, ‘Gaining Competitive Advantage: The Myth of the Resiliency Paradox’, ‘Eco-Friendly Data Center’, ‘Virtualization, a Resiliency Enabler’, ‘Economic Impact of Interruptions’, ‘Risk-based Business Continuity’, ‘High-Stakes Business Impact Analysis’, ‘A Risk-Based Approach to Internal Controls’, and ‘Resiliency: Clearing the Five Nines Hurdle’.