a report by PricewaterhouseCoopers and the Economist Intelligence Unit that says that quantifying credit market, regulatory, and even IT risk isn't enough.
``But what about those areas, like reputational risk, that are both harder to measure and more sudden and severe in their impact?''
According to the report, which is based on a survey, the internal corporate profile of risk management has increased in recent years, but less because of proactive measures than as a reaction to outside pressures from regulators and rating agencies. It seems most companies still see risk management as a relatively low-level activity having to do with crunching numbers of types they are already familiar with, rather than as a strategic activity that involves both quantifying additional areas of risk and making plans for types of risk that may never be quantifiable to the extent of some of the traditional areas. The report says that those companies that have made the shift to viewing risk management as such a strategic activity find it a source of competitive advantage.
``Such institutions accept that uncertainty cannot be tamed, only mitigated.''
Like the Chairman of Lloyds, the report recommends risk management plans be overseen at the board level; however, it notes that this mostly isn't happening yet. Reports like this will help make the lack of board oversight of such a plan a reputational risk.
Curiously, the report doesn't say anything about insurance, which is one of the more obvious ways of mitigating risks that cannot be tamed.
I think a time will come not long from now when a company that does not have Internet business continuity insurance will suffer a reputational risk.
The report does mention Basel II, not only as a way of withholding enough capital to deal with risk, but also as an incentive to dramatically improve risk management policies and procedures. And it notes worries that if Basel II becomes best practice, further risk management strategies might be inhibited.
It mentions geopolitical risks beyond the control of the corporation, such as regime change, and it emphasizes the importance of risks outside the corporation involving supplies and outsourcers and the like, yet the report does not mention Internet continuity problems that could result from such sources and affect business.
No report is perfect. This one makes some important points based on real data about what companies have done to manage risk and some more things they need to do.