Security - Telenor
Erik Wisløff (39) works in the field of risk management at Telenor R&D. Prior to this he worked in the security domain at AIRMATCOMNOR.
erik-dagfinn.wisloff@telenor.com
Telektronikk 3.2000<br />
Telenor’s Risk Management Model
ERIK WISLØFF<br />
Introduction<br />
Telenor defines risk as “the possibility of loss caused by threats or unwanted events” [1]. However, risk is a fuzzy, abstract and highly subjective concept that is inherently difficult to measure and sometimes next to impossible to come to terms with.
One reason for the difficulties in understanding risk is the fact that risk comes from a variety of sources: political, cultural, financial, legal, technical, environmental, competitive and personal framework. Another reason is that one risk may be a business requirement in one context, but a threat to the same business requirement in a different context.
Good risk management will improve the competitive edge of a business, product or service. The improved competitive edge comes from better project management, fewer nasty surprises, fewer accidents, lower costs while at the same time improving quality, meeting deadlines, meeting budgets, better customer communication, etc. Consultancy firms, hoping to land a “hefty contract with lots of money attached”, are quick to point to these benefits of risk management.
Small wonder, then, that some people view risk management more as magic than science, and are deeply suspicious of the claims that risk managers promote. Risk management is neither science nor magic. Risk management is a repeatable business process that systematically examines all the various products, processes, business surroundings and business objectives at all levels of the company. No more, no less.
What is Risk Management in Telenor?
Telenor defines risk management as the business process of managing risks by identifying, analysing and controlling costs related to risks. The rewards of an on-going risk management regime include
• Better knowledge of the risks one faces;
• Better understanding of the interaction between the business and its environment;
• Better understanding of the business’ critical success factors.
This understanding could be used in many ways. For instance, it is difficult to cost-justify loss reduction measures unless one knows the risks one faces. In addition, it is equally difficult to select reasonable risk financing strategies without knowing the risks one faces. Selecting a reasonable risk balance between different products, services or branches is impossible without a realistic understanding of the business environment. Discontinuing a product or service without regard to the business’ critical success factors could turn into a nightmare. Thus, knowledge and understanding lead to an improved competitive edge and the benefits mentioned in the introduction. However, risk management must be an on-going business process in order to harvest the benefits.
Risk management is a flexible business process. You can use risk management to manage risks associated with a single product or service or to manage aggregate business risks.
The primary goal of risk management in Telenor is to minimise the aggregate risk cost, which is the sum of all individual risk costs in the business. The first challenge is to balance future costs caused by an unwanted incident against costs of attempting to prevent the incident from happening in the first place. The next challenge is to balance all the individual risks and costs in such a way that the grand total is minimised. The optimal protection level point, as a risk manager sees it, is the lowest point in the curve labelled “total costs”. This is illustrated in Figure 1.
A secondary goal is quite simply to identify risks and then selectively go about “fixing any unacceptable problems”. This is typically a support activity in the business process of managing aggregate risk exposure. It is a necessary activity, but it quickly turns into an isolated series of sub-optimisations. However, this is also an important step towards developing a mature, risk management oriented business attitude.
Telenor’s Risk Management Model
Telenor’s risk management model illustrates the business process of managing risks. The risk management model is based on a refinement of the classical ‘analyse – act – evaluate’ cycle. As