The risk of not managing risks

By Julián Laski

A couple of years ago, I was faced with the challenge of auditing an important Latin American public entity. By “important” I mean the size of the institution, its strategic nature and the volume of its operations, with financial, human and technological resources to match.

A few months before the work started, I was surprised to receive an email from the institution’s Systems area requesting that the audit team report which computers would be brought into the entity, specifying the brand, model and serial number of each device. I must admit that at that moment I was impressed: I imagined that if such data was being requested so far in advance, I would find an entity with a robust control structure, which is not so common in the public sector of the region.

Then the day came: I had my first meeting at the entity, to which I brought, of course, my computer – the same one I had declared a few months earlier. As soon as I arrived, I found a security post where a guard asked me to show the laptop I was bringing in. “Good, now they are going to check it against the information I gave a few months ago,” I thought. But at that point I began to realize that, once again, not everything that glitters is gold: the security employee began to take down the computer’s details by hand on a worksheet, and instead of copying the serial number, he wrote down the operating system license from the label stuck to the back of the laptop. “It does not matter, later someone will check it and ask about the inconsistency,” I told myself… But no, that never happened. Nor was I asked about the computer when I left. Not even the next day: since the guard knew me, he only asked whether I had the same laptop as the day before, and when I said yes, on my subsequent entries he did not even ask. And since I was not checked on the way out, nobody considered the possibility that I might be taking away something far more valuable than a computer (which could just as well have been mine or someone else’s): the institution’s information.

This situation set off my warning signals – like every auditor, I am skeptical by nature – regarding the entity’s risk analysis. For that reason, I asked to speak with the person in charge of risk. The answer was clear: there was no risk manager; it was the financial manager who handled insurance. In other words, it was assumed that contracting insurance was the only possible risk response. Almost resigned, I met with the financial manager and asked him about the insurance they had contracted. “We invest more money in insurance every year, because we want to sleep easy,” he told me. When I asked about the types of claims they were insured against, I realized that they did not cover half of the possible events for which coverage could have been contracted. The result of the insurance audit was damning, and it almost cost the financial manager his position – he had been so calm simply because money was being spent…

Is insurance enough as a response to risk? Clearly not. Is it enough to know that many resources are invested in coverage in order to sleep soundly? Even less so. An organization that manages its risks effectively must:

Identify the financial and non-financial risks to which it is exposed. For this reason, it is usually not advisable for a financial manager to be responsible for risk management. There are no unlikely risks or absolutely unexpected events; if you doubt it, think of the attack on the Twin Towers, for example.
Evaluate adequately, with qualitative and quantitative tools, the probability and impact of events that could affect the achievement of its objectives. Not all risks are equally important! For the entity, someone taking a database without permission, by whatever means, has a far greater impact than the possibility that an official or visitor enters with one computer and leaves with another.
Design and implement adequate risk responses, considering not only insurance coverage but also mitigation, risk avoidance and, in some cases, even the need to accept the risk. We cannot take action against every risk, but we must know them and be aware of them. If there is a chance of rain, and our goal is to go see an Atlanta football game outdoors, what can we do, besides hoping the sky stays clear?
Verify that the measures taken are effective, and monitor the risk strategy. A risk can be important at one moment and cease to be so afterwards.
