The Crown Jewels and Risk Management
When considering information security or cyber risk, you usually concentrate on risk to the ‘crown jewels’ – those information assets and services that are most vital to the enterprise.
I am going to suggest that we can extend the concept of a focus on crown jewels to broader risk management.
I think we all know that risk is created or modified with every decision.
We also know that those decisions are made by people, who we know are imperfect.
In my last post, Why do some take risks while others do not?, I talked about the fact that different people will make different decisions in the same circumstances. We need them to make the ‘right’ decisions, taking the desired level of risk. But policies and procedures, even risk appetite or criteria statements, may not be enough to ensure they will do so.
People are influenced not only by the perceived ‘culture’ of the organization, but also by a number of personal factors including their prior experience, whether they feel ‘at risk’ if they take too much or not enough risk, and even whether they have a sunny disposition that day.
So we are dependent on these individuals and their actions.
What can be done? How can we obtain reasonable assurance that risks will be managed, by them and through their decisions and actions, at desired levels?
I suggest that we consider which individuals are making the decisions and taking the actions most likely to have the greatest impact on whether the more significant risks to organizational objectives remain at desired levels. Which individuals, which actions, and which risks?
If we can identify these individuals, the decisions and actions that need to be made, and the affected risks and objectives, then we can focus on them as the crown jewels of risk management.
- Do these individuals understand the potential for their decisions and actions to affect risk levels and the achievement of enterprise objectives?
- Do they understand desired levels of risk, whether in risk appetite or criteria statements?
- Do they have sufficient information to make intelligent decisions and take the desired level of risk?
- What might affect their decision-making in an adverse way, and what can be done about it?
- What is the likelihood that they will make a decision that takes the level of risk outside desired parameters?
- How will senior management know when they stray from the desired path?
- How will we know when the decision-makers change?
There’s probably more that can be said and more that can be done to provide assurance that individuals, whether on the board, in top management, or at other levels, will take the desired level of risk.
What do you think? What should be done?
Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com. Join us!