Storage & Clustering Community Blog

Operational Risk: Mitigation is not Self-evident

Created: 18 Dec 2012 • Updated: 11 Jun 2014

Operational risk is everywhere in the business environment; every decision has its share of uncertainty. Nothing is a sure thing, yet when we make important decisions we certainly want to “keep the odds in our favor”. I have often heard terms like ‘risk appetite’, ‘risk tolerance’, or ‘risk aversion’ used in reference to making forward-looking choices about operational risk, as if we can rationally and effectively manage risk based on our subjective feelings. These terms, however, provide little guidance and position risk management in the domain of oracles and soothsayers. Business is not a game of chance based on our subjective ‘feelings’ regarding operational risk.

With operational risk, the stakes are too high to leave decisions to subjective guesses or ‘gut’ feelings. Mitigation actions or countermeasures are often quite expensive, and the consequence of doing nothing or doing the wrong thing can be enormous. When Executive Leadership is asked to make a choice such as ‘investing $60 million for an effective disaster recovery solution’ or to ‘continue to operate under the status quo and risk going out of business’, do we really expect our executives to make this choice by asking themselves the Dirty Harry Callahan question, ‘Do I feel lucky?’

Of course not; we expect our executives to make rational and well-informed decisions. We don’t expect our leaders to gamble with $60 million, nor do we expect them to put the organization in a position of ‘going out of business’. Terms like risk appetite, risk tolerance, and risk aversion are not measures of risk. These terms are merely abstract measures of emotional and subjective feelings, and it has been well established that people tend to make many mistakes about risks when they rely on their subjective feelings.

In addition, there is a flawed notion that when a risk is intuitively large, such as a ‘going-out-of-business risk’, the solution will be self-evident. This notion, however, is also just another subjective feeling. Knowing that there is a large risk does not mean the optimum mitigation action is also well known. Whether it is a ‘$60 million investment’ or a ‘going-out-of-business’ condition, the stakes are too high to take a guess at it. To develop a proportional response we must inform ourselves accurately about the facts of the situation. To keep the odds in our favor we must economically quantify the operational risks so that we can properly evaluate the many tradeoffs.

Blog Author:
Mr. Wenk is Principal Resiliency Architect for Symantec’s Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for cloud infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 different countries, and tackling some very challenging, complex, and ambiguous problems. His experience includes developing architectures and strategies for highly available, resilient and secure infrastructures in heterogeneous IT environments. He has performed quantitative operational risk assessments that were used to justify the significant investments required to build, transform and maintain resilient infrastructures; he has performed technology assessments, developed IT consolidation and transition strategies, and developed site selection criteria for complex heterogeneous technology consolidations. In addition, he has developed charging methodologies and performed capacity planning and performance evaluations in large, complex IT environments. Dennis has developed a number of risk-based services that quantify the return on technology investments that increase resiliency and improve continuity programs. His background includes experience with EMC Consulting as Senior Cloud Architect; with Hitachi Data Systems as Principal Global Solution Architect for High Availability Solutions; with IBM Global Network as an Outsourcing Project Executive; with Comdisco, where he was Western Director of Technology Consulting; with KPMG, where he was Senior Manager, Group Leader for IT Operations and Transformations; and with Heller Financial, where he served as VP/Information Processing. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), Certified Data Processor (CDP), and Certified Systems Professional (CSP), and is certified in ITIL Service Management.
He was awarded Best Management Paper by Computer Measurement Group, and he currently sits on the Advisory Board for Continuity Insights and serves as their Technology Chair. He has held the positions of Cloud Special Interest Group Leader for the Outsourcing Institute and Business Continuity Focus Expert for Information Technology Infrastructure Management Group. He is an advisor to Business Continuity Services Group. Dennis has written award-winning professional articles and white papers and has been published in Information Week, Computer Performance Review, Trends and Topics, Continuity Insights, Infosystems, Computer Measurement Group, and DR Journal. He is a regular speaker at worldwide industry conferences. His current topics include: ‘3 Simple Complexities of Data Protection’, ‘Think About Never Failing, Not How To Recover’, ‘Focus On The Largest Source Of Risk: The Data Center’, ‘Risk Economics’, ‘Gaining Competitive Advantage: The Myth of the Resiliency Paradox’, ‘Eco-Friendly Data Center’, ‘Virtualization, a Resiliency Enabler’, ‘Economic Impact of Interruptions’, ‘Risk-based Business Continuity’, ‘High-Stakes Business Impact Analysis’, ‘A Risk-Based Approach to Internal Controls’, and ‘Resiliency: Clearing the Five Nines Hurdle’.