Risk Management for Dummies
by Josh Sokol (Creator & CEO of SimpleRisk)
Today I had a really interesting conversation with a guy from Japan via LinkedIn. It started with him trying to sell me some website design services, but when he realized their services weren't a good fit, he asked me a question. He said "I checked a few websites - what is this risk management thing? If we have this web design studio, how do we calculate our risks?"
Now, the guy asking me this question wasn't like the prototypical security practitioners we speak with every day. He was a Project Manager with no concept of corporate risk management. I started out explaining how every business has risks and how there are good risks (opportunities) and bad risks (losses). I told him that the secret is to keep a list of those risks and prioritize what order you will address them in. I said that our tool helps with that and gives you the ability to track those action plans (along with a bunch of other stuff). Do nothing with your risks and when something bad happens, you are liable for the consequences. Manage your risks properly, and you will hopefully lower your potential liability to an acceptable level.
When I checked to see if that made sense, it was clear that I missed the mark entirely. My challenge was how do I explain the concept of risk management and how our software helps in a language that he could not only understand, but relate to. I had an idea.
The reality is that we are all performing risk management activities in our daily lives and just don't call it that. He probably thought that I was an idiot when I asked him if his home has locks on the doors and windows. Of course, I knew the answer to that question before I asked it so when he said yes, I promptly asked him "What do you think is the purpose of those locks?" Jokingly, he said "I'm in Japan so I don't know. Nobody steals anything here." I chuckled, but he followed that up with the expected answer that the locks are there to protect his home from a robbery.
Ironically, my nine year old daughter was sitting next to me practicing her lockpicking skills as I'm having this conversation. As a Security expert, I know full well that locks are basically just there to keep honest people honest, but it didn't change the point. I told him that he has made an assessment that there is a risk that his home could be robbed. Based on what he told me earlier, I told him that it is probably unlikely that his house would be broken into, but what if it was? What would the impact be? Perhaps he is just getting started in life and doesn't really have anything of value. Or, maybe he has laptops, 70" TVs, and diamond jewelry strewn about the place. I explained to him that risk assessment is a product of how likely it is that this event would occur and the impact it would have on him if it did.
Now, to really drive the point home I explained that this clearly isn't the only risk that his home is facing. While the likelihood is quite rare, there is almost always a risk of a house fire. And if your house did burn down, the impact could be significantly higher. Now we're not just talking about a thief taking his stuff, we're talking about the destruction of everything including things of sentimental value, irreplaceable pictures, and perhaps even the loss of loved ones.
The real challenge, however, isn't in assessing our risks. When put to the test, I think we could all name a ton of things which we worry about on a daily basis. What most of us struggle with is how to prioritize which risks need to be handled and when. In both the corporate world, as well as in our personal lives, the resources that we have to invest in these risks are limited. So I told him that to address the risk of burglary, his locks probably aren't enough and he may need to invest in an alarm system. As for the risk of fire, he probably needs to purchase new smoke detectors and some fire extinguishers. Unfortunately, he only has enough money to do one of them so I asked him "How do you decide which one to choose to spend your money on?" His answer showed that my second attempt was far more effective than my first.
He said "It depends on my system of values and life conditions. For example, personally I live alone and I don't have anything valuable at home. I can always make more money using my skills. Generally, I think that people would want to protect their family first."
"Precisely!", I exclaimed. Everybody (and every company) has a different level of risk tolerance or "appetite". Things that are within our level of tolerance, we say are risks that we "Accept". Things that are outside of our level of tolerance, we need to "Mitigate" or "Transfer".
That brings up a really interesting topic, especially in light of my scenario. If I have homeowners insurance, I have transferred the risk of things like a burglary or fire to the insurance company. If I am renting, though, and do not have insurance, then I have either accepted the risk outright, or I have ideally taken actions to lower the likelihood or impact of the risk to an acceptable amount. The remaining risk is what we refer to as the "residual risk".
Now that it was clear that he had a firm grasp on what risk management was, I could better articulate what it is that SimpleRisk does. I explained that our software doesn't necessarily tell you what to do, but it helps you to understand where to focus. SimpleRisk is about using formulas to determine which risks are a higher priority than others, deciding the actions you will take for those risks, and ensuring that key stakeholders are making the decisions on how their limited resources will be spent. In short, we help to drive visibility and accountability where it didn't exist before.
We talked a bit more after that about other tools in the space and why I think they cost as much as they do. That's a topic for another blog post, I suppose. Our conversation ended with him asking me if my daughter successfully picked that lock. I told him that she had picked it several times over the course of our conversation and that I had to add more pins to it in order to make it harder on her. I smiled as he told me that "Now she can go to different companies, break in, and tell them that they need our software...and insurance." I think I successfully got the point across.