Are you risk averse?

Back in the mists of time when I started working in local government, I was assured by experienced staff members that the council was a very risk-averse organisation that wouldn’t take kindly to any fancy new ideas.

Well, I’ve come to realise that nothing could be further from the truth: local government takes enormous risks all the time – they just don’t see them as risks.

So what do we mean by risk? In information security it’s often expressed numerically:

Risk = impact × likelihood

This simple equation tries to capture the essence of the risk decision: if a system has a vulnerability then it may or may not be easy to exploit. If it’s easy to exploit, the “likelihood” number goes up. If the consequences of a successful exploit are major, the “impact” number goes up. Even if the scales you use to determine these numbers are totally arbitrary, as long as you apply them consistently you still end up with what you want: a prioritised list of risks, so you know which ones are the most serious and can tackle those first.

Great. So why do I have a bee in my bonnet about it?

It’s just that we choose to ignore some risks and blow others out of proportion. Software vulnerabilities are well understood and get a high profile – I’m not complaining about that – but risks in other areas, like the software portfolio or HR policies, are not. So what are these risks?

In the software portfolio, a number of things could happen: the supplier of the software may go out of business, hike licensing or support costs, lose a key member of staff, or decide to retire the software you are using. In HR, any new policy carries the risk that a key member of staff might get the hump and leave. There is demographic risk that younger people won’t want to work for you, leaving you with a skills shortage in key areas. And the economy might take a nosedive (the very thought!), leaving you with drastically reduced budgets.

The possible sources of risk are, in practice, as infinite as the universe. In many organisations it is the IT department that deals with IT-related risks, but what if a reduction in the risk in some IT area (for example a tightening up of policy on, say, removable media) leads to an increase in the risk carried by another area (as workers decide to use Google Wave or a social media platform to share documents instead)? The risk hasn’t gone away; it has moved to somewhere nobody is measuring it. This is known as risk asymmetry.

There’s also the risk of doing nothing. Sometimes this is greater than the risk of doing something, even something radical, but our brains are wired to favour what is familiar, so we mentally downgrade the risk of doing nothing: this can lead to some pretty nasty situations. I’ve seen projects and applications carry on many years beyond the point at which they were starting to cause instability in other parts of the organisation, simply because the risk of carrying on as before hadn’t been properly calculated and compared with the risks involved in change.

These issues can only be sensibly resolved if the risks are owned in the right place and practical frameworks are adopted to ensure that as many risks as possible are factored into decision-making. This might sound like a lot of red tape, the nanny state, health and safety gone mad, etc. etc., but actually it’s just common sense. If you put your hand in the fire, it will get burned. If you don’t take it out again, it’ll get burned some more. Oh, and by the way, we don’t solve the problem by putting the fire out: you must take your blinking hand out!

Risk-based decision-making doesn’t always have to favour the conservative approach. It can liberate you as well, by enabling you to take decisions you wouldn’t otherwise have taken because you were afraid of the unknown risk. We recently had a supplier down to talk to us about moving to an open-source model for our software: at first sight this is a major change, fraught with danger and difficulty. But if we properly understood the risks we are currently running with proprietary software, then maybe the change would look less risky by comparison (please note: I’m not saying this will happen, it’s just an example).

Thankfully my organisation is moving towards a much more comprehensive view in many of these areas as we implement the ISO 27000 series. But many organisations are still stuck in an emotional mindset: you only have to look at the banking system to see what happens when not all risks are factored into decision-making!

I feel that risk is a very powerful concept when it comes to aligning IT decisions with the business, because it gives both sides a common language and a common goal. IT must recognise the risks it loads onto the rest of the business by making changes (sometimes very minor ones) – but the business must also step up and own all the risks (including the IT ones) in their respective service areas. This forces realistic IT decisions to be made, as it becomes clear that risk cannot be outsourced, and procurement, training and whole-lifecycle costs naturally get a higher profile in decision-making than before.

