Complete Loss Risk Management – The only successful approach.
Authors: Andreas von Grebmer | Heike Klaus
Complete Loss Risk Management (CLRM) is to risk management what Zero Trust is to cybersecurity. Both approaches are ingeniously simple and, at the same time, game changers towards a more secure, sustainable and resilient business environment.
What you read about “Zero Trust” is that it is a model or a framework based on the decision to deny all access by default. Any access by users, services, applications etc. is granted on a conscious decision and is limited as much as possible. What most experts forget to mention is that regular review/reapproval is key to the success of the concept. Simple to understand, maybe not so simple to implement.
Complete Loss Risk Management assumes that you can lose any business-relevant asset (tangible and non-tangible) at any time to the full extent. The benefit of this risk management approach is that you cover Business Continuity preparation in the same thought. Also a simple concept, right?
The Subject Matter Experts are the main difficulty in implementing this concept. They will give you thousands of reasons why it’s not that easy, and point out that, so far, everything has always worked out.
Let us give you an example of how CLRM could have worked:
If the EU countries had acted according to CLRM, they would have been better prepared for the loss of Russian gas. CLRM would have asked, before signing the contract and at regular intervals: “What happens if this supplier does not deliver tomorrow? How do I minimize my loss?” In the finance sector, this is known as «hedging».
The implementation is based on further basic principles that are not only relevant for safety and worst-case scenarios, but also make economic sense.
- All assets are inventoried
- Each asset has a responsible person
- Each asset is classified according to its business relevance
- The dependencies and the relationships of assets are known
- Regular review of effective protection vs. protection needs according to classification
- Management of protective measures/risk minimization
- Regular monitoring of these principles
A risk manager once told us, «I can’t go to the Board of Directors with every risk as a total loss.» Our answer: You don’t have to, only with those for which there is no adequate plan B, no alternative, no workaround.
This is the essential information the board wants and needs to know.