Good Risk or Bad Risk?

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 8 June 2020

It is universally understood, at least in theory if not in practice, that life involves risk. Every action we take has some consequence that we, as adults, are conditioned to understand. We believe that being accountable for our actions and their consequences is to our benefit. Time spent advancing our education, pursuing certification training or volunteering for ISACA® has a positive outcome, over time if not immediately, on our careers, our personal finances or our social lives.

Such investments are necessary to accrue benefits, and it makes sense that rational actors would want to minimize the investment while maximizing the gain. If we can limit the amount of time we spend in school, or work while we are in school, we do just that: we have minimized our opportunity cost while still realizing the gain for which we hoped.

This is essentially a form of personal risk management. We routinely attempt to minimize the cost of pursuing goals, necessary as that cost may be. That does not make such costs desirable; no one would invest twice the time in pursuing a degree if they had the option not to.

This line of thought is useful for understanding the long-running debate in risk management over whether “risk” can be a positive thing. We understand intuitively that risk is negative: we want the bad things we track on our IT risk registers never to happen, and we take steps to prevent them from coming to pass. The countervailing argument acknowledges this but casts the items on the risk register as necessary to achieving organizational goals and, on that basis, as positive. For example, we need to leave externally facing ports open to enable data transfer with a critical client; even though that control weakness can contribute to a scenario in which we incur a loss, it is a necessary risk in pursuit of our greater organizational objectives.

Though it may be necessary, we would all rather not endure that exposure if offered the choice. The very desire to reduce something tells us that it carries a negative connotation. We live our lives attempting to maximize the good and minimize the bad, and we take the long view to avoid bad things that are not evident in the present. That makes risk “bad” by definition. The notion that we sometimes need to take a risk to pursue our goals already has another word to describe it: uncertainty. We are uncertain about our investment and our exposure, but we endure them anyway while keeping an eye out for strategies to minimize loss (risk). Put bluntly, we do not need risk management to provide governance over good things. I do not walk around all day fretting over the possibility of receiving a giant windfall from a government lottery. Instead, we keep an eye toward the future to minimize the bad things that may come to pass.

But perhaps persuasive rhetoric is unconvincing. Practical experience often trumps academic reasoning, right? If you still believe that risk may have some positive attribute, let us test that theory. In the next top-5 risk report you prepare for your organization, fill it with all the good things that may benefit the organization:

  • Expenses could come in under forecast.
  • Hackers may skip over your organization and attack a competitor.
  • Insiders may choose not to misuse their access.
  • A tornado will not hit your data center.

Then, of course, the next step is to choose a risk response: Are you going to avoid, transfer or mitigate these good things? If the executives to whom you are presenting do not laugh at this report, they will most likely choose to accept them all. Indeed, we would all gladly accept the “risk” of these good things without hesitation, which reveals the underlying truth: Risk is negative by nature, and it requires risk management to avoid exposing our organizations to unnecessary harm. But I am willing to be wrong about this; feel free to reach out to me if you have a different perspective.

Jack Freund, Ph.D., CISA, CRISC, CISM, CDPSE, is head of cyberrisk methodology for the Moody’s/Team8 Cyber Risk Assessment Venture, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, Factor Analysis of Information Risk (FAIR) Institute Fellow, International Association of Privacy Professionals (IAPP) Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.