Why do so many practitioners misunderstand risk?
My apologies in advance to all those who talk about third–party risk, IT risk, cyber risk, and so on.
We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.
We should address risk because of its potential effect on the achievement of enterprise objectives.
Think about a tree.
In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.
Unless the root cause is addressed, the malaise will continue.
In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.
Talking about cyber, or third–party risk, is talking about a problem at an individual root level.
What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.
If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?
Now let’s extend the metaphor one more step.
This is a fruit tree in an orchard owned and operated by a fruit farmer.
If a problem is found with one tree, is there a problem with multiple trees?
How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?
Will the owner of the orchard be able to achieve his or her business objectives?
Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.
Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.
I remind you of the concepts in A revolution in risk management.
Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.
Is the anticipated level of achievement acceptable?
I welcome your thoughts.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management