IT risk

Abstract: Risk management has become increasingly politicized and contentious. Polarized views, controversy, and overt conflict have become pervasive. Risk-perception research has recently begun to provide a new perspective on this problem. Distrust in risk analysis and risk management plays a central role in this perspective. According to this view, the conflicts and controversies surrounding risk management are not due to public ignorance or irrationality but, instead, are seen as a side effect of our remarkable form of participatory democracy, amplified by powerful technological and social changes that systematically destroy trust. Recognizing the importance of trust and understanding the “dynamics of the system” that destroys trust has vast implications for how we approach risk management in the future.

Abstract: Understanding Risk addresses a central dilemma of risk decisionmaking in a democracy: detailed scientific and technical information is essential for making decisions, but the people who make and live with those decisions are not scientists. The key task of risk characterization is to provide needed and appropriate information to decisionmakers and the public. This important new volume illustrates that making risks understandable to the public involves much more than translating scientific knowledge. The volume also draws conclusions about what society should expect from risk characterization and offers clear guidelines and principles for informing the wide variety of risk decisions that face our increasingly technological society. Understanding Risk * Frames fundamental questions about what risk characterization means. * Reviews traditional definitions and explores new conceptual and practical approaches. * Explores how risk characterization should inform decisionmakers and the public. * Looks at risk characterization in the context of the entire decisionmaking process. Understanding Risk discusses how risk characterization has fallen short in many recent controversial decisions. Throughout the text, examples and case studies--such as planning for the long-term ecological health of the Everglades or deciding on the operation of a waste incinerator--bring key concepts to life. Understanding Risk will be important to anyone involved in risk issues: federal, state, and local policymakers and regulators; risk managers; scientists; industrialists; researchers; and concerned individuals.

Abstract: This paper presents a theory of corporate risk management that attempts to go beyond the “variance-minimization” model that dominates most academic discussions of the subject. It argues that the primary goal of risk management is not to dampen swings in corporate cash flows or value, but rather to provide protection against the possibility of costly lower-tail outcomes–situations that would cause financial distress or make a company unable to carry out its investment strategy. (In the jargon of finance specialists, risk management can be viewed as the purchase of well-out-of-the-money put options designed to limit downside risk.) By eliminating downside risk and reducing the expected costs of financial trouble, risk management can also help a company to achieve both its optimal capital structure and its optimal ownership structure. For, besides increasing corporate debt capacity, the reduction of downside risk also encourages larger equity stakes for managers by shielding their investments from “uncontrollables.” The paper also departs from standard finance theory in suggesting that some companies may have a comparative advantage in bearing certain financial market risks–an advantage that derives from information acquired through their normal business activities. Although such specialized information may lead some companies to take speculative positions in commodities or currencies, it is more likely to encourage “selective” hedging, a practice in which the risk manager's “view” of future price movements influences the percentage of the exposure that is hedged. But, to the extent that such view-taking becomes an accepted part of a company's risk management program, it is important to evaluate managers' bets on a risk-adjusted basis and relative to the market. If risk managers want to behave like money managers, they should be evaluated like money managers.

Abstract: The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss is known as "systems risk." Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.