September 24, 2008

Risk Management: It's Pretty Meta

Ed just posted on a blogversation regarding what's wrong with risk management. The net of the discussion came out to treating the sickness not the symptoms when dealing with risk. Ed added the concept of proportional levels of risk in context.

I wholeheartedly agree - but there's an additional point about context that I thought might be useful for us to consider. We don't know the whole system, so treating it systemically is even trickier than treating only symptoms.

What do I mean? Well, for anyone who remembers the faux Mac Ads that VH1's "Best Week Ever" did a few years ago, I mean what happens when we create a mash-up of Gnarls Barkley tunes and Hitchcock's Psycho? Not doing that in your enterprise? Okay, what about what happens when my Enterprise or Intranet Portal application relies on consuming services, widgets, or some other piece of code that was created by some entity outside of the system? What if our internal resources are updated and fed with information from someone outside? How does the interaction impact my organization's systemic risk? How is the system impacted by events that occur outside of the system as a whole?

Parsing it out - consider a UL (Underwriters Laboratories, Inc.) approved piece of electronic equipment, like, say, a toaster. The toaster has been vetted and tested and works perfectly in the correct context: plugged into a properly grounded wall socket, no knives being inserted to fish out errant toast pieces, etc.

Now consider a nice bath. The water heater in the house is configured to prevent scalding water coming out of the tap. The tub itself is properly caulked. And the aroma-therapy bubble bath in the water is paraben-free.

Right. Nicely risk-managed piece of toast waiting for us after the nicely risk-managed bath. But in a “mash-up” (and read in SOA or Web 2.0 here, they both fit) environment, maybe I want that toast while I'm having the bath. Heck, it's a partial continuous attention world, why not?

Of course, we know why not. Even though I’m using the toaster properly, and I'm using the tub properly, the consequences of bringing the two components together are catastrophic for the system as a whole. Like your enterprise, there are a number of contextually complicating layers beyond the single system that we have to figure out before we can get risk management "right."

Agreed, it's about sickness - but what about inherited sickness in an ever-consuming, evolving space?

Posted by Diana at September 24, 2008 03:22 PM