Risk Management: It’s Pretty Meta
Posted by Diana in Analysis on Sep 24, 2008
Ed just posted on a blogversation regarding what’s wrong with risk management. The net of the discussion came out to treating the sickness, not the symptoms, when dealing with risk. Ed added the concept of proportional levels of risk in context.
I wholeheartedly agree – but there’s an additional point about context that I thought might be useful for us to consider. We don’t know the whole system, so treating it systemically is even trickier than treating only symptoms.
What do I mean? Well, for anyone who remembers the faux Mac Ads that VH1’s “Best Week Ever” did a few years ago, I mean what happens when we create a mash-up of Gnarls Barkley tunes and Hitchcock’s Psycho? Not doing that in your enterprise? Okay, what about what happens when my Enterprise or Intranet Portal application relies on consuming services, widgets, or some other piece of code that was created by some entity outside of the system? What if our internal resources are updated and fed with information from someone outside? How does the interaction impact my organization’s systemic risk? How is the system impacted by events that occur outside of the system as a whole?
Parsing it out – consider a UL (Underwriters Laboratories, Inc.) approved piece of electronic equipment, like, say, a toaster. The toaster has been vetted and tested and works perfectly in the correct context: plugged into a properly grounded wall socket, no knives being inserted to fish out errant toast pieces, etc.
Now consider a nice bath. The water heater in the house is configured to prevent scalding water coming out of the tap. The tub itself is properly caulked. And the aroma-therapy bubble bath in the water is paraben-free.
Right. Nicely risk-managed piece of toast waiting for us after the nicely risk-managed bath. But in a


