I still occasionally run into a debate with colleagues over whether security should be making the major information risk decisions for an organization, or whether it’s business management’s responsibility. Rather than just spew my opinion, let me try to build an illustration of how I view the problem.
Picture this…
1. Risk decisions are the things that drive policies, priorities, initiatives, and actions (this falls under the category of “duh”).

2. Well-informed risk decisions are dependent upon knowing the risk associated with the decisions, as well as the best risk management options. Risk tolerance also is an inevitable factor (we’ll discuss the question of whose risk tolerance further on).

3. Understanding risk, of course, requires that we understand the factors that drive impact (stakeholders, laws, contracts, competitive landscape, etc.), the assets associated with impact, threats against those assets, and controls that are in place to manage risk. Absent any of these inputs, our understanding of risk can be seriously deficient and the resulting decisions flawed.

4. So far – no surprises. At this point, however, things begin to get a bit more interesting… Specifically, risk tolerance is derived from three inputs: risk capacity, the decision’s value proposition (the potential upside associated with the risk scenario), and the decision-maker’s subjective risk tolerance (more on this further on).

5. Risk capacity also has three inputs: the organization’s current condition relative to its objectives, as well as the portfolio of competing risk issues. It’s important to recognize, too, that these factors will often vary across the different types of loss (e.g., productivity, competitive advantage, resources, reputation, etc.). For example, an organization that has a significant stockpile of resources will have more capacity for resource loss than will an organization that operates on a shoestring. Likewise, an organization that is trying to build market share will have less capacity for reputation damage than will one that already leads the competition and/or that has a very loyal customer base.
The point is, tolerances will vary not only between organizations but also between types of loss within an organization.

With regard to competing risk issues, it’s important to keep in mind that information-related risk is only one of many risk domains management has to deal with (e.g., market, insurance, investment, etc.). Combine this with complex organizational conditions and objectives, as well as limited resources, and it becomes clear how important (and difficult) it is to strike the right balance in applying risk management resources.
6. Speaking of resources… available resources and capabilities help to drive which risk management options are feasible. These resources, of course, are dependent on the organization’s condition. Note, too, that resources and capabilities can affect risk tolerance, as an organization with fewer resources for mitigating risk may be forced to accept more risk if, for example, a decision’s value proposition is particularly compelling.

7. And finally, the policies, priorities, initiatives, and actions that result from risk decisions will have an effect on risk and the organization’s condition (for good or ill). At the very least, expenditures made to manage information risk are no longer available to use on competing risk issues and opportunities.

Okay, if by now you haven’t fallen asleep or decided to spend your time elsewhere, I’ll tie all this back to the original question of who should be making the decisions regarding information risk…
Carving it up
Using this illustration of the risk decision elements we can draw lines that carve the landscape into three parts –
• Those elements that would appear to belong to business management,
• Those elements that would appear to belong to the subject matter experts (in this case, us), and
• Those elements in the middle that, well, could go either way

Note that the decision itself falls into the “could go either way” domain, which means I can’t give you a definitive, “This is how it should be” answer. What isn’t surprising is that who makes the risk decisions will vary from organization to organization. What’s unfortunate is that in many companies security leadership believes they are (or should be) empowered to make the major decisions while business leadership believes otherwise. Speaking from painful personal experience, this disconnect can cause significant trouble.
Size matters
Of course what I mean is that the size (significance) of the risk decision also determines who can/should/will make the decision. Business management isn’t usually going to be involved in day-to-day operational risk decisions. Furthermore, security management can’t personally be involved in each discrete risk decision that takes place throughout the organization (e.g., Clerk: “Hmmm. Should I shred this document, or just chuck it in the trash?”). These day-to-day and discrete risk decisions are where good policies, procedures, and risk awareness education come in.
At the end of the day, decision significance is a continuum rather than a binary or clearly differentiated scale. Consequently, some decisions fall into a grey area regarding who should make what call. For these issues, the question of who should make the decision will vary from organization to organization. You can, however, work with management to come up with some ground rules, for example: policies, policy exceptions, strategic initiatives, and significant expenditures fall into business management’s court, and security deals with the rest.
Look again
With regard to discrete risk decisions, take a close look at the risk decision diagram. You’ll see that the diagram applies quite well whether we’re talking about major strategic decisions or the discrete risk decisions being made by employees countless times each day. The only difference is that, in the absence of a clear understanding of organizational risk tolerance, employees WILL substitute their own views of organizational risk tolerance (or leave it out of the equation altogether). In any event, employees often will be placed in the unfortunate position of having to reconcile organizational risk tolerance with their own conditions/objectives/competing risk issues, etc. (e.g., the question of choosing compliance with security policy over meeting the deadline their bonus is resting on…). This highlights the need to be aware of, and manage, issues related to competing individual and organizational priorities.
Something else to think about is that policies and processes will never cover all of the potential risk decisions our employees face. As a result, it’s critical that education and awareness efforts go beyond regurgitating policy, and include information that helps employees understand risk and the organization’s risk tolerance so that they can make good judgment calls. This better understanding also helps them tolerate those policies they otherwise chafe at.
Things to consider
The simple fact is, security leadership will never know as much about the business-related elements at the top of the illustration, and business management will never know as much about the risk elements at the bottom. Consequently, if security is empowered to make the major decisions, then they need to spend the time and effort to learn as much as they can about the business-related elements. On the other hand, if business leadership is making the major risk decisions, then security must provide clear, unbiased, and useful information so that the decisions are well informed.
(For those who are curious, I strongly prefer that business management make the major risk decisions where I work. I’m far more comfortable in my ability to provide them with good risk information and mitigation options than I am in my ability to sufficiently learn and understand the complex business landscape. Besides, when they’re the ones who have made the decisions, pushback and arguments are largely eliminated. I’ve also found that you have far more influence as a trusted advisor than as a combatant.)
A decision-maker will to some degree ALWAYS apply his or her own personal risk tolerance to a decision. Consequently, if security leadership has been empowered to make major risk decisions, they should try very hard to be as aware as possible of business management’s risk tolerances. If security leadership isn’t careful on this, then they will, invariably, run into issues where business management doesn’t support security’s decisions. And if the misalignment is bad enough (and I’ve both witnessed this and come close to having it happen to me – long ago) then it can become a “terminal” condition. At the very least it makes the waters far choppier than necessary.
I make it a point to review the risk decision question (and now the diagram) with business management whenever I take a new job or have a new business leader join the organization I work for, even if I’m pretty confident about where they stand. When I’ve had these conversations it’s always generated very productive dialog and has strengthened the relationship.
Note: This posting will soon be reproduced as a white paper and/or PowerPoint on the RMI website.
July 09, 2007, 6:40am