Risk Managers of the Universe
Jurgen van der Vlugt, Dialogues House, 16 August 2012
On how the current top-down (command-and-)control approach and the 'middle-out' modelling approach will not, and cannot, work in the end. A new paradigm, bottom-up KISS risk management, will be needed.


  1. Risk Managers of the Universe. Jurgen van der Vlugt, Dialogues House, 16 August 2012
  2. Introduction
  3. Agenda: Risk Management
     • Top-down
     • Middle-out
     • Bottom-up
  4. Top-down
     • RM ∆ In control of risks
     • Risks ∆ negative events
     • Positive? risk ↔ return
     • Events: definition? completeness?
     • In control ∆ no deviations / correction
     • No deviations: total control of inputs
     • Correction: costs, damage, positive results?
     • Fantasy: controlling reality
  5. In control?
  6. In control?
  7. Janus: Results from the past … future
  8. The Future…
     • ALL risk discussion is subjective
     • It is about the future,
     • The ∆ of uncertainty
     • Exists only in the imagination
     • RM is speculating about the future
     • Still… breathless attempts
  9. Overhead
     [Diagram of Operational Risk Management in three phases: "Evaluate design & set-up", "Analysis", "Monitor & react". Labels include ORAP, R(S)A, (K)ORC, KRI, Incident Mgt, Problem Mgt, Insurance Mgt, near misses, corrective actions, indemnities. Captions: "Very, very basically" and "Surprise!"]
  10. As predicted
  11. Middle-out
  12. n:m, feedback, time, continuity
  13. [Figure: two Likelihood × Impact risk matrices with numbered issues plotted, titled "Initial audit issues" and "Forecast end of 2011"]
      • 1 Likelihood: hopeless
      • … per? year? transaction? nanosecond?
      • 1 Impact: hopeless
      • … Only financial? reputation, etc.? time; vs intervening?
      • H x H = 25: hopeless
      • 3xM=H: hopeless
      • '16' > '12': hopeless
      • Who estimates 'H'; how, and with what 'evidence'?
  14. In particular, for any consistent, effectively generated formal theory that proves certain basic arithmetic truths, there is an arithmetical statement that is true, but not provable in the theory.
      Kurt Gödel
      No matter how perfect you try to risk manage, incidents will happen
      Yours Truly
  15. ∫ ( Likelihood function ×? Impact function )
      ∑ ( Costs of countermeasures )
      For many series of functions and parameters, impact estimate ranges (…), variable sets of countermeasures.
      Including variable degrees of effectiveness, with vague notions of risk appetites in the backs of some people's minds.
  16. Better modelling ..?
  17. Result
  18. And then there are the costs
      What was it astronaut John Glenn said went through his mind as he awaited lift-off? "You're thinking you're sitting on top of the most complex machine ever built by man, with a million separate components, all supplied by the lowest bidder."
  19. Yes, But …
      1. Yes we know all that. Nothing’s perfect.
      2. The assumptions are reasonable.
      3. The assumptions don’t really matter.
      4. The assumptions are conservative.
      5. You cannot prove the assumptions are wrong.
      6. We only do what everyone else does.
      7. The decision maker is better off with us than without us.
      8. The models are not completely useless.
      9. You gotta make the best of the data you’ve got.
      10. You need assumptions to make progress.
      11. The models deserve the benefit of the doubt.
      12. Models and assumptions don’t do any harm so why bother …?
      © David Freedman (in Nassim Taleb’s Black Swan)
  20. Combinations
      External data / Scenarios
      • Relevance; applicability (moderating vs bias)
      • Results from the past
      • Too little data (?)
      • Self-reporting !?
      • Far (!) too little data; quality
      • Too little data (?)
      • Self-reporting !?
      • Knowledge, insight into risks
      • Results from the past
      • Purely and only locally usable
      • Knowledge and expertise
      Internal data
      • Perceptions of risk
      RSAs
  21. Keep trying anyway…
  22. Bottom-up, then ..?
      In theory, nothing works, and everyone knows why.
      In practice, everything works, but no-one knows why.
      We have in our organisation a combination of theory and practice.
  23. Start small
  24. Start at the bottom
  25. Risks of all times
  26. So don't sell the bar too high
  27. ‘Stress testing’
      • But done properly
  28. Management = risk(Management)
  29. J. R. Galbraith, "Organization Design: An Information Processing View", Interfaces, 4 (1974), 28-36. Summary:
      Galbraith believes that "the greater the uncertainty of the task, the greater the amount of information that must be processed between decision makers during the execution of the task to get a given level of performance". Firms can reduce uncertainty through better planning and coordination, often by rules, hierarchy, or goals.
      Galbraith states that "the critical limiting factor of an organizational form is the ability to handle the non-routine events that cannot be anticipated or planned for".
      When the "exceptions" become too prevalent, they overwhelm the hierarchy's ability to process them. Variations in organization design arise from different strategies to increase planning ability and to reduce the number of exceptional events that management must resolve.
      Galbraith defines a continuity of organizational forms that firms utilize to reduce uncertainty:
      1. Creation of Slack Resources. These include extending delivery times, adding more money to the budget, and building inventory (all of which have inherent costs). If a firm fails to actively create a higher level strategy to address uncertainty, this strategy will occur by default.
      2. Creation of Self-Contained Tasks. One strategy at this level is changing from functional to product groups.
      3. Investment in Vertical Integration Systems. Condensing the flow of information by building specialized languages and computer systems can help analysis and decision making.
      4. Creation of Lateral Relationships. Moving the decision making power down in the firm to where the information exists can reduce uncertainty at the decision level. There are various strategies of increasing complexity to achieve this:
         A. Direct contact between managers across groups
         B. Liaison personnel between groups
         C. Task Forces
         D. Teams
         E. Cross-group Managers (project managers, program managers, etc.)
         F. Linked Managers (with power over some cross-group resources)
         G. Matrix Organization
  30. Combination
  31. Working out the combination
  32. Conclusion
      • Risk Management the way it is done today does not work
      • Driven by CYA, fear of the world
      • RM of the Universe is a fantasy
      • Adjust ideals, achieve (other) ideals via Bottom-up
  33. Work In Progress
  34. That was all. Thank you. Hope you enjoy(ed) the ride
  35. Thank you
  36. Contact details
      • Jurgen = Ir.drs. J. van der Vlugt RE CISA CRISC
      • Maverisk Consultancy, IS Audit and Advisory services (KPMG, ABN AMRO, Noordbeek, Achmea, ABN AMRO
      • (IS) Audit, (Info)Security, Y2k, BCM, ERM/ORM
      • ISSA, NOREA: Various committees
      • Jvdvlugt@maverisk.nl
      • LinkedIn, Twitter (etc. etc.)
      Motivate yourself! www.despair.com/viewall.html
