
Taking the right risks for success

January 22, 2021

This has been a consistent message of mine for a long time. While I generally prefer not to talk about ‘risk’ because the four-letter word evokes a knee-jerk negative reaction from most business people (it is seen as a compliance exercise that gets in the way of running the business), I think it is fair to say that everybody understands that they need to “take risks” if they are to succeed.

The question is whether they really understand what they are doing: do they understand both the range of adverse things that might happen and their likelihoods, and the range of beneficial things that might happen and their likelihoods?

This is where the risk practitioner[1] can help. They can use their tools and techniques to help decision-makers understand what might happen, given the context of what has happened and is happening.

XX

More recently, I have seen others take up much of this message.

Carol Williams is one of these individuals. Her website ERM Insights by Carol has some useful references (especially the list of thought leaders – thank you, Carol). But I especially like her recent post, Is Technology Risk Bigger than “Cyber” Risk? Here are some excerpts:

It’s not an earth-shattering thing to say that news of hacks, data breaches, and other technology hiccups has grown exponentially in recent years. Between January and September 2019, 7.9 billion records were exposed, marking a 33% increase from the same period in 2018.

A few of last year’s data breaches include:

  • An error in pharmacy giant Walgreens’ mobile app messaging feature exposed names, prescription numbers, shipping addresses, and other sensitive information. The number of impacted customers was not disclosed, but the app has over 10 million downloads.
  • Personally identifiable information of over 280,000 current and former employees of General Electric was exposed following a data breach of a third-party vendor.
  • Credentials of over 500,000 Zoom accounts, including email addresses, meeting room IDs, and passwords were found for sale on the “dark web” and hacker forums. (A good reason to use auto generated meeting room IDs and passwords and their waiting room feature!)

Of course, this barely scratches the surface…

There’s no doubt that these and other hacks are serious, but many sensationalist headlines and opportunistic consultants spread alarm about technology risk, cybersecurity and so on, leading many companies to place too much emphasis on this particular issue.

Companies have several frameworks to choose from for helping them address technology risk, with the Risk Management Framework for Information Systems and Organizations from the National Institute of Standards and Technology (NIST) considered the most authoritative. Other examples include the Factor Analysis of Information Risk (FAIR) framework and the ISO 27005 standard.

While these standards do provide guidance on identifying, assessing, and managing technology risk, they each have one big shortcoming.

They fail to address business risks associated with technology…

Truly understanding and managing technology risk effectively requires a holistic approach focused on the business.

At this point, Carol starts to quote from my book, Making Business Sense of Technology Risk.

She also repeats this thinking in my book:

Simply saying a particular cyber or other technology risk is high is not helpful for decision-makers. In a 2016 survey published by Osterman Research for example, an astounding 85% of board members believe they are not getting helpful information from IT executives and staff and 59% say these same personnel will be let go from their jobs for not providing actionable information.

With that in mind, risk professionals have an important role to play in ensuring the link between technology risks and goals and objectives is understood by decision-makers. This will mean getting rid of the technical terms and talking the talk of the business.

Again, just saying a particular risk is high, medium, or low without any context doesn’t help executives understand its impact on objectives, much less develop any plans to address it.

How would you answer the question she poses?

Does your company link technology risks to corporate goals and objectives or are they viewed strictly through the eyes of the IT experts?

I welcome your comments – as I am sure she will also.

XX

I would also point to Dan French, CEO at Consider Solutions. His latest post asks Is it time to say goodbye to “Risk Management”?

What do you think?

XX

[1] It is better, if you can, to remove the four-letter word from any title. Decision support works so much better.

  1. John Fraser
    January 22, 2021 at 4:48 PM

    The board of directors has two jobs: select/manage the CEO and ask questions. If I tell a board that a source of risk/hazard/opportunity (use whatever word turns you on) is high, I expect these highly intelligent, usually overpaid persons, to ask questions and explore the topic. I.e. why is it ‘high’ and what does that mean etc etc. Don’t keep beating up on auditors and CROs when most board members are not doing their job. I failed to convince one board that cyber security was an important issue after my staff found that the IT department was installing patches only every six months….

  2. January 23, 2021 at 8:27 AM

    Let’s first remember that this discussion is all about an English word and an English phrase. It is quite possible that ‘taking a risk’ is not translatable into some other languages. I point this out as some foreign language speakers may be wondering what the fuss is about. I tend to agree with them.
    As an Auditor, I never agonised about the exact definition of a control; I understood enough about their purpose to ensure they assisted an organisation in achieving its objectives.
    I am sure elephant keepers in a zoo would describe them in slightly different ways. That won’t prevent them providing the correct food. The inability to be ‘precise’ does not prevent appropriate action.

  3. January 24, 2021 at 8:33 AM

    Norman, “Is it time to say goodbye to “Risk Management”? As used in Dan’s article, referring to the function, yes – it should never have existed in the first place. As the article points out, the management of risk is the responsibility of management. So move risk managers to the training department where they can teach how to make good decisions and leave the opinion of the management of risk to internal audit.
    And if we said goodbye to risk management we could say goodbye to lengthy discussions about what it is.
    So, about ‘controls’…

  4. John J Brown
    January 26, 2021 at 5:13 AM

    A big challenge faced by any risk professional is the use of terminology and what specific words mean to different people. Risk is nothing more than the effect of uncertainty. It is not an evil waiting to destroy us. Better to call it “uncertainty management”? And a company’s or organization’s risks should be viewed in total, not in isolated buckets. Leveraging technology is critical for success today and tomorrow. And there are many risks (uncertainties) related to the use of technology including exposing sensitive or personal data or violating privacy regulations and expectations. So technology risk should be viewed alongside cyber risk, people risk, market risk, strategy risk, and whatever else we use. What are the uncertainties if we don’t leverage technology? Probably significant downsides. So we learn about what could go wrong with technology and implement methods to minimize the negatives — up to the point we are willing to pay. And that point will change based on current and expected situations. Which brings up the topic of psychological aspects of risk (uncertainty) perception. All of this is why risk management is such a fascinating discipline.

    • Norman Marks
      January 26, 2021 at 7:22 AM

      John, how would you weigh the benefits of implementing a new technology on time against the “risks” that can only be addressed after a delay?

      • John J Brown
        January 26, 2021 at 8:24 AM

        I would need more information on the specific uncertainties and timeframes, including the benefits afforded by the new technology. Some risks involved in new technologies are not known at the time of implementation. A risk management program must include mechanisms to detect and respond to new/emerging risks in “near-time”. And if risks are known at the time of implementation but cannot be addressed until later, a good look at the risks and their level in the intervening time gap must be considered. A potential response in the interim could be to detect the onset of a risk early and respond quickly.

        • Norman Marks
          January 26, 2021 at 8:36 AM

          The benefits are also uncertain; I believe everything that might happen, both adverse and positive, needs to be understood in a way that permits a view of the big picture and an informed and intelligent decision whether to take the risk.

          • John J Brown
            January 26, 2021 at 10:56 AM

            Well said!

            • Norman Marks
              January 26, 2021 at 12:20 PM

              Thank you

  5. Lalit Dua
    February 23, 2021 at 3:17 AM

    Technology adoption is to be taken as a separate risk though it will cause cyber risks, as more and more data/information will be captured and stored online. Drive for Technology adoption is initiated with objectives of enhancing efficiency, cost optimisation, to meet in-time data availability, minimise the personal risks, centralised data storage, one source data for decision making etc. The outcome of all these is customer satisfaction in terms of quality, quantity and cost which will lead to ULTIMATE goal of any organisation and i.e. Profitability. But technology adoption will not come easy as it entails exponential investment, skilled operators/users, changed work culture, increased overheads so on and so forth. Then comes the Cyber risks, which can be managed with deployment of right resources and tools. Hence technology adoption is an investment decision and it is linked to an organisation’s goals.
