Don’t do that, the risk is too high!
You need to spend more money on cyber/fraud prevention/anti-money laundering/(fill in the blank) because there is a high risk of something really bad happening.
You can’t announce the new product/roll out the new system because it’s not ready. We haven’t fixed all the bugs.
The people who shout these warnings are focused on risk. If they see it as high, they see red. STOP signs. DANGER!
But, what about the people who are trying to get something done?
Do they see prudent, business-oriented people or do they see the boy who called wolf (from Aesop’s fable) or Chicken Little calling out that the sky is falling?
Do they see people who are helping them or getting in the way of running the business?
In a recent RiskMinds video (thank you for sharing, Alexei Sidorenko) Nassim Nicholas Taleb, who is famous for talking about black swans, tells us that there should be no risk management and we should be studying risk taking.
In fact, in his Amazon bio, he says he “spent two decades as a risk taker before becoming a full-time essayist and scholar focusing on practical and philosophical problems with chance, luck, and probability”.
I couldn’t agree more.
Focusing on avoiding hazards (things that might go wrong) is a recipe for failure. You only succeed in life and in business by taking the right level of the right risks.
It all comes down to helping leaders make informed and intelligent decisions. Informed means having as good information as you can about what might happen, both good and bad, on your way to achieving your objectives – whether your objective is to grow revenue or lose weight. Intelligent means involving the right people, considering your options, leaving your biases behind (see here), and taking the time to think things through.
Taleb is asked what he sees as the greatest risk. His answer (in my translation) is that when you are not taking risk intelligently (and that can mean steaming ahead through the shoals when the need requires) you are putting your future and its success ‘at risk’.
Unfortunately, most practitioners see their job as requiring them to call out that the sky is going to fall if we don’t delay/spend money/change our practices/etc.
A list of risks is not a list of ingredients for success.
What emphasizes the scale of the problem is that the interviewer doesn’t understand what he is saying. She doesn’t hear the point that we shouldn’t be making a list of risks but enabling better risk-taking. Instead, she wants his help to prioritize her list of risks.
In Risk Management, a recent article purports to guide information security practitioners on how to assess and manage the security of information. But nothing is said about understanding how a security incident could affect the business and the achievement of its objectives.
The author is managing data security risk, not helping people take the right level of cyber risk.
By the way, the only way you can eliminate cyber risk is by closing the business (and it’s questionable whether it is totally eliminated even then). The question for business leaders is how much cyber risk should they take; or, putting it another way, how much should they be spending on cyber defense, detection, and response?
These are business decisions, not risk decisions.
There are too many articles, frameworks, and standards that focus on managing risk, and not nearly enough discussion on taking the right risk (after weighing the consequences) through informed and intelligent decisions.
What do you think?
- What is quality internal auditing? - April 17, 2024
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024