While there may be a debate whether risk should be assessed using qualitative or quantitative measures, I believe that is answering the wrong question.
Knowing what the level of risk is, even whether it is an unacceptable level of risk, is insufficient information.
It doesn’t answer the questions of:
- Should I take the risk?
- How much should I invest to reduce the level of risk given the opportunity cost? (Assuming the best business decision is not to take more!)
These are simple questions to ask, but not so simple to answer.
They are essential questions to answer.
If all you wanted to do was to avoid risk, you would never buy a house, cross the street, drive a car, or get married.
There are reasons for doing all of these in our personal life, and there are reasons for taking risk in our business life.
People talk about risk management enabling decision-making and go on to talk about whether the level of risk is acceptable (using terms like risk appetite, limits, and criteria).
But in real life, whether personal or business, you need to answer both of my questions.
Resources are limited.
Every penny spent to mitigate one source of risk is a penny that cannot be spent mitigating another source of risk.
Every penny spent on mitigating risk comes at the expense of investing in opportunity.
Is it any surprise that surveys of CIOs report that they prefer, overall, to spend their limited budgets on new systems rather than on cybersecurity? They can see both the risk and the reward of each alternative use of scarce funds.
So I end this short post with another question:
Is your risk management activity helping executives and board members know which risks should be taken, and how much should be invested in each of the following?
- Cybersecurity
- Regulatory compliance
- Safety
- Marketing
- Product development
- Employee morale and development
- Sales
- Acquisitions
- And so on
I try to provide something of a roadmap to answering my questions in my various books. I am currently working on one (due out next month) that is intended to help executives and board members figure out how much to invest in cyber.
I welcome your thoughts.