Brian Barnier | Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL
In recent years, it has become more and more evident that there is a growing gap between taking financial risk and bearing the liability for taking that risk. We all know the results too well. But, without taking risk, there cannot be much growth.
There is also an ethical component when taking risk. Was the impact of a negative outcome considered before taking the risk? Many aspects of business, science, discoveries and life depend on taking risk. We need to be thankful that at some point in time someone took a risk that had a positive result from which we all benefit today.
So, risk taking has some magic and some uncertainty. That uncertainty is often filled with wishful thinking; it can lead to neglect of a critical view of the intended steps, risky strategy or risky product; and it bears the potential to end in failure.
Generally, everyone knows the common term to counteract uncontrolled risk taking: risk management. It is well understood that risk management is critical for a successful outcome of an endeavor or financial product. But, the art of good risk management is difficult: What is the risk? What are the dependencies? What could change? What does not change? What is the goal? What could cause a bad outcome? Where are dependencies and impacting factors? What can mitigate a risk? What is the remaining uncertainty—the residual risk, which can be taken responsibly?
Brian Barnier addresses this topic from a very practical perspective. He says, “We are running a business and need risk management (like financial or human resource management) to enable our success.” This tone gives the book a progressive and open quality toward operational risk management, in contrast to the narrower, more limiting approach that results when risk management starts from the requirements of regulatory compliance. Sure, compliance requirements are to be considered, but understanding the risk is imperative. And, this book helps find those answers.
The strength of the book is the combination of a little, but essential, theory with real-world scenarios and experience from six board members of financial institutions. The book’s content is tailored to meet the needs of financial organizations, but the concept of operational risk makes the book interesting for the cross-industry reader as well. The 240-page book is structured into four major parts:
Each chapter has a wealth of graphics, tables and examples to present the book’s message in a clear and entertaining way. Key points and key concepts underline the essentials at the end of each chapter. The last chapter of the book, Your Opportunity to Make a Difference, gives concentrated advice and summarizes the book’s message.
This book is written for the business leader, board member and auditor, as well as those interested in risk management. For those who are operational risk leaders, the book is a must read.
The Operational Risk Handbook for Financial Companies is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, email firstname.lastname@example.org or telephone +1.847.660.5650. Learn more and collaborate on risk assessment at www.isaca.org/topic-risk-assessment.
Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, president of DELTA Information Security Consulting Inc., which provides consulting services in information security, risk management, sustainable compliance and SAP. He also advises clients on WebTrust and on security integration with public key infrastructure. He is the author of information security articles and several book reviews and coauthor of SAP Security and Risk Management.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.