Allow me to set the stage for something I've been thinking about the past few days. Specifically, have you ever noticed how certain situations tend to favor the ignorant? Follow the logic with me on this... Risk management is about increasing your risk awareness, right? By "increasing your awareness", I mean that you try to understand what your current risk profile is, you set a tolerance threshold for how much risk you feel you can absorb, and you actively work to remediate any risks that are above the threshold. The process involves understanding your current situation, making a decision about it, and moving on. Now, most of us would tend to assume that understanding your current position is desirable. You'd think so, right? For the organization as a whole, it's probably all upside: the organization is better off understanding where it stands and making intelligent decisions. But what about on an individual level? Are individual employees and executives actually incented to move to this model?
Compare two different companies. Say Company A goes through the risk management process. They find an issue that introduces risk, but for whatever reason they don't remediate it. Maybe they decide the likelihood of the issue being exploited is too low to justify the cost of fixing it; maybe they don't have the budget to fix the problem. Whatever the reason, it doesn't get fixed. Now, Company B is a "fly by the seat of the pants" kind of company; they haven't even heard of risk management, let alone employed it. They don't have any clue what problems they may or may not have. Say, hypothetically, they both get hit by the same problem - Company A knew about it but didn't do anything, while Company B had no clue it was an issue. Who's better off? Both companies suffered the same damage, right? Both companies are in a world of hurt and need to take action... But at a micro level, at the level of the individual, would you prefer to be in the position of having known about an issue and not acted, or in the position of not having known at all? After all, somebody could come around with the benefit of hindsight and say "you KNEW that this problem could occur, yet you elected to IGNORE it" or "who EXACTLY made the decision that this issue costing us x million dollars wasn't a priority?" Yes, somebody in Company A is probably going to be looking for a new job sooner rather than later, don't you think? Company B, on the other hand? Instead, they're saying, "Gee, who knew that could happen? How could we possibly have known?" Force majeure... Another day at the office...
Now, I happen to think risk management is the right way to do things. I don't understand how people can possibly plan if they don't know where they are today. But I think there's something more to it... there needs to be a reason for executives to want to push risk management, and today they arguably have reasons not to (or at least to be nervous about it).
So it was with this in mind that I came to read Pete Lindstrom's blog entry from yesterday, where he references the Donn Parker article suggesting we get rid of risk management. When I read Pete's reference to this, I was actually somewhat hopeful... Given what had been on my mind, I thought maybe Donn was going to come up with some straight dope on the issue. Needless to say, I was disappointed. Donn's take is that we should take risk management and replace it with "unbelievable greatness - with the goal of total and unadulterated awesomeness". Well, maybe that's not exactly what he said... but it's close. What he actually said was that we need to replace risk management with "practical, doable security management" with the goal of "due diligence, compliance consistency, and enablement." Here's the problem with this line of reasoning: "risk management" is a methodology, a process. Having "doable, practical security management" is a state you arrive at as a result of some process, not a process itself. One could say, for example, that a potential outcome of risk management as an approach would be having practical, doable security management, whereas one could not say the inverse. It's as if I said that, instead of driving my car, I wanted to be at my destination. That wouldn't make sense, right? To get to my destination, I need to go through some process. Driving is one option, as is walking, flying, crawling, hopping, skijoring, etc. Anyway, my goal here wasn't to diss Donn - he actually makes quite a few interesting points, not the least of which are critiques about how risk management is currently practiced in the enterprise. All valid criticisms. But it wasn't what I was hoping for.
Posted by Ed at December 12, 2006 07:24 PM
What are you drinking? I want some ;-)
Risk exists whether we know it or not. Even in the absence of active management, we are "managing risk" simply by accepting it, regardless of whether we are aware of it.
If we are exercising some sort of "due diligence" then somebody, somewhere must have determined what level of diligence was due. This, of course, is risk management. If we are "complying" with something, then somebody, somewhere must have decided what was necessary to comply. This, of course, is risk management. If we are "enabling" someone or something to do something else, then, well you guessed it - we must have managed risk in order to provide that capability.
Donn Parker's article is hogwash all over and I was trying to illustrate one of the big reasons why with that quote about groupthink - somebody, somewhere MUST be doing risk management in order to get started. I apparently failed, but that's life with my blog - I enjoy it anyway.
Now, an organization can assert its own right to evaluate its own risks, or it can rely on someone else's judgement that relied on someone else's judgement that relied on someone else's judgement... and so on. In both cases, the folks are performing... wait for it.... RISK MANAGEMENT.
Yes, somebody in Company A is probably going to be looking for a new job sooner rather than later, don't you think? Company B, on the other hand? Instead, they're saying, "Gee, who knew that could happen? How could we possibly have known?" Force majeure... Another day at the office...
Or the other way around. Company A knew about and accepted the risk and as a result had a plan for dealing with it should it become a problem and did so when the incident occurred. Whereas heads rolled at Company B because someone has to pay the price....
Posted by: Arthur at December 13, 2006 11:13 AM
Definitely depends on the spin the company puts on things, even behind closed doors, and the impact of that incident. New Orleans made a risk management decision in their levee system to not withstand a category 4+ hurricane. Then one struck. Was there anything wrong with that risk assessment? Perhaps there was, but the evil in risk management is what happens when risk is managed/accepted and the unlikely events happen. Business has this weird "need" to always blame someone and "fix" something, even for fluke, extraordinary incidents. That, or credibility is diminished for years or longer.
At any rate, your first paragraph reminds me of an example I use a lot for security awareness and implementation. Most people know, deep inside, how easy it might be to break into their own house. But they tend not to think about it and not do anything about it. Buy a home alarm system and get it set up? That is effort, time, and money, and thus they would rather not do that, and not even think about the incident. Of course, until it happens. I would bet that most people with security alarms (regular homes, not mansions and estates...) have them because of a past incident, not because of an inherent desire to prevent the incident in the first place.
Posted by: LonerVamp at December 13, 2006 12:33 PM
Sometimes there is a greater liability in knowing the risk exists than in not knowing. Risk is not always about the event itself. More frequently than there should be, there are benefits to being ignorant or even pretending to be ignorant.
The lack of better integration between risk management, law, and market pressures is where today's "IT" risk management exhibits its adolescence.
I think we all practice "risk management", to a certain extent. The issue is branding. People sometimes fear the risk manager as negative/bad/restricting. A well-known company risk manager refers to his work as "STEALTH" risk management. Somehow it is necessary to build the awareness and energy around managing the business, which will in turn help to manage the risks.
Tom
Posted by: Tom at January 3, 2007 02:02 PM