The Next Big Thing
Posts about next generation technologies and their effect on business.

Risk Assessment Modeling

The current economic crisis is a consequence, at least in part, of a failure by financial service enterprises to properly assess and reveal the level of risk they were taking in the operation of their businesses. Regulations attempt to prevent businesses from taking some risks and require public corporations to provide financial reporting for stockholders to make informed investments. However, many risks are not addressed by regulations and are not visible to boards of directors and stockholders.

In the Regulatory Compliance Special Interest Group (RC-SIG) at the OMG (Object Management Group) meeting last week, we discussed the need for better risk assessment and visibility.

The RC-SIG focuses on standards for the codification and management of regulations to enable more effective compliance. The Governance, Risk Management and Compliance Roundtable (GRC Roundtable) is another OMG forum for information exchange for improvement of GRC practices.

Codification of regulations has been enabled by the OMG Semantics of Business Vocabulary and Rules (SBVR) specification that captures rules in a structured form and expresses them in a natural, language-like form. The RC-SIG is considering development of standards for more effective codification, management and analysis of regulations.

However, as demonstrated by the current economic crisis, there is a need for a structured discipline for assessment and reporting of risk to complement regulations and current financial reporting disciplines. As an ideal, all aspects of an enterprise should be assessed for risk just as all aspects are assessed for budgeting and accounting. Security risk assessment practices may provide a starting point for more extensive assessments.

Some form of composite report could provide visibility for boards of directors and stockholders, as well as executive management. The complexity and record-keeping workload of such an assessment would require modeling and automation. Products to support such assessments could be enabled by industry standards. Visibility could provide the incentive to properly manage risks while retaining flexibility that might otherwise be encumbered by regulations.

This is not yet a well-formed solution. We plan to hold an afternoon session to discuss this at the next OMG meeting in March, 2009.

Showing results for 
Search instead for 
Do you mean 
Follow Us
About the Author(s)
  • Steve Simske is an HP Fellow and Director in the Printing and Content Delivery Lab in Hewlett-Packard Labs, and is the Director and Chief Technologist for the HP Labs Security Printing and Imaging program.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.