« on: November 18, 2013, 09:09:17 PM »
Consider looking around some actuarial forums. The Society of Actuaries offers a Chartered Enterprise Risk Analyst credential. I'm not sure what you know about actuaries, but you'll probably find that it's a bit more rigorous than "never, ... , defnitely" and "negligible, ... , catastrophic".
Ooh, that looks interesting.
The frequency (time) versus severity (cost) metric is extremely common. It is the established operational risk management pattern used to plan military action, and is referenced in some form in most texts I've looked at for risk. Kepner-Tregoe Potential Problem/Opportunity Analysis cites a format where you list risks with likelihood and severity; this is the same thing as an ORM chart, and I tend to implement it as such. Risk management always comes down to mitigation (actions taken to reduce risk ahead of time--probability and/or severity) and contingency (actions taken when a risk event occurs--reduce severity). These can create new risks (i.e. if a RAID drive fails, you have to replace a drive at a cost; if multiple fail, you have your original risk in greatly reduced probability).
My big problem is most texts on risk management are in one or more of three categories:
- Light and fluffy: Good, basic concepts. The same stuff I've gleaned already, the same stuff you could get out of Google in five minutes. You know the drill: "Here's the most basic concepts, and let's talk a lot about them." Think about if Kepner-Tregoe's "The Rational Manager" was just entire chapters devoted to each single one of the 11 specifying questions, no overall process to tie them together, and a lot of talk about the supposed virtues of each--still 300 pages, but no decision analysis, no risk management, no actual processes, and no final chapters tying it all together and discussing a solid overall strategy.
- Unqualified dumpster bait. Leadership is an important skill; there are volumes and volumes on leadership that read like Dilbert's PHB wrote them. That is: they deliver feel-good advice, but it's mostly wrong and teaches you to be a s***head. There are books on Risk Management which, similarly, droll on about risk as some abstract thing, explaining how it's not well-handled and how it's all over the place and gets ignored, and talk about how you have to do something about it... without actually explaining how to look at a risk and qualify its importance in any meaningful way.
- Specialized. Insurance, financial, investment. Books about how to be All-State or how to run a Bank or manage a Mutual Fund.
What I want is something technical in the operations risk management area... which CERA seems to fit. Good catch. I'll look into that.