By Brian Barnier
Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL
In the last years, it has become more and more evident that there is a growing gap between taking financial risk and the liability for taking risk. We all know the results too well. But, without taking risk, there cannot be much growth.
There is also an ethical component when taking risk. Was the impact of a negative outcome considered before taking the risk? Many aspects of business, science, discoveries and life depend on taking risk. We need to be thankful that at some point in time someone took a risk that had a positive result from which we all benefit today.
So, risk taking has some magic and some uncertainty, which is often filled with wishful thinking; can lead to a neglect of a positive critical view about the intended steps, risky strategy or risky product; and bears the potential to end in failure.
Generally, everyone knows the common term to counteract uncontrolled risk taking: risk management. It is well understood that risk management is critical for a successful outcome of an endeavor or financial product. But, the art of good risk management is difficult: What is the risk? What are the dependencies? What could change? What does not change? What is the goal? What could cause a bad outcome? Where are dependencies and impacting factors? What can mitigate a risk? What is the remaining uncertainty—the residual risk, which can be taken responsibly?
Brian Barnier addresses this topic from a very practical perspective. He says, “We are running a business and need risk management (like financial or human resource management) to enable our success.” This tone gives the book a progressive and open quality toward operational risk management, in contrast to a reducing and limiting approach when starting risk management with the requirements for regulatory compliance. Sure, compliance requirements are to be considered, but understanding the risk is imperative. And, this book helps find those answers.
The strength of the book is the combination of a little, but essential, theory with real-world scenarios and experience from six board members of financial institutions. The book’s content is tailored to meet the needs of financial organizations, but the concept of operational risk makes the book interesting for the cross-industry reader as well. The 240-page book is structured into four major parts:
- Evaluating Risk
- Responding to Risks
- Oversight of Risk Management
- You in Your Institution
Each chapter has a wealth of graphics, tables and examples to present the book’s message in a clear and entertaining way. Key points and key concepts underline the essentials at the end of each chapter. The last chapter of the book, Your Opportunity to Make a Difference, gives concentrated advice and summarizes the book’s message.
This book is written for the business leader, board member and auditor, as well as those interested in risk management. For those who are operational risk leaders, the book is a must read.
The Operational Risk Handbook for Financial Companies is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, email [email protected] or telephone +1.847.660.5650. Learn more and collaborate on risk assessment at www.isaca.org/topic-risk-assessment.
Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, president of DELTA Information Security Consulting Inc., which provides consulting services in information security, risk management and sustainable compliance, and SAP. He also advises clients in WebTrust and security integration with public key infrastructure. He is the author of information security articles, several books reviews and coauthor of SAP Security and Risk Management.