Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Frank Cassano

The core truth of risk

Welcome to the inaugural “The Risk Rack” column. Being the first column I thought it would a good idea to use it to start simply and slowly. First I wanted to note that this column is intended for information technology risk management professionals, information technology auditors, information technology management and anybody else who may be interested in the field of information technology risk. This column will attempt to provide some insight and guidance to readers with varying levels of experience. This column will also try and provide readers with practical tools to perform their jobs better.

Now that I gotten the housekeeping out of the way let’s get on with the show. First place to start of course is with definitions: Webster defines risk as: “possibility of loss or injury”. I best define information technology risk analysis (or what some people refer to as information technology risk assessment) as: A systematic method of identifying the assets of information technology systems, the threats to those assets, and the vulnerability of the system to those threats. Finally I define information technology risk management as the process of analyzing exposure to risk and determining the best way to address those exposures.

Ok now what? Since this is the first column in this series I feel we should start with the basic core truth of risk analysis and risk management which I never want you to forget. As the risk definition implies risk is a basic fundamental constant in life and has been with us since the first caveman decided to poke his head out of a cave. The trick is to remember what we are here for. The cavemen had probably hundreds of risks that imperiled either him directly his possessions or his family. One caveman let’s call him Gronk could have spent years pouring over every risk and evaluating every possible scenario and then he could have acted. Of course by then the other cavemen probably would have taken all of his possessions, his woman would have left and or he would have been eaten by some big ugly beast. Another caveman let’s call him Fronk probably just thought a moment looked around for a little while then fashioned himself a club out of a tree branch and lit a fire. It wasn’t that Fronk wasn’t aware of his risks or as concerned about coming up with the best solution but Fronk’s job was to survive and he knew that a little good analysis and action was better than a lot of analysis and no action. Fronk may even have used the same control framework that Gronk used but, Fronk knew the fundamental reason for risk analysis and management in the first place is to keep alive. That was true back then and it is true today the only difference is that what we are now trying to keep alive are our businesses.

The biggest mistake risk management professionals make today is that they over think their programs and forget the core truth of risk, stay alive. Like Gronk they feel that endless analysis is the answer but these managers do not lead successful risk management programs. Yes risk analysis and management has become much more sophisticated since Fronk’s time but the core elements have never changed risk will always be defined as “possibility of loss or injury”. So to all the Information technology risk management professionals I say remember our primary focus is to MANAGE risk not eliminate it or spend endless years trying to find the optimal solution. Select an effective framework for identifying and managing risk and do so with clear strategies and solutions not endless analysis.

One Comment

  1. Robert Mar 17, 2008 at 10:19 am | Permalink

    I think you should modify your statement from MANAGE risk not eliminate it…to MANAGE risk within the proper context of your company not eliminate it. Too many IT Risk people get caught up in this is what we did at my last company or this is what the Jones’ do without remembering that what a company that produces electronics for USAF fighter and a company that makes grass seed are completely different in context of what is a risk.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*