Making Sure Your Risk Management Isn’t a Wreck

We’re all bad at risk.

There, you said it. We as humans are fundamentally bad at the concept of gauging risk. Now, before the pitchforks and CRISC certifications get raised, let me give you a real-life example of why that is.

Imagine you’re a seventeen-year-old, fresh out of high school and enjoying the summer before college. You’ve got a part time job, you’re participating in a few extracurriculars around town, and you’re fortunate enough to have your own (albeit clunky) car to get around in. Oh, and add your first “serious” partner into the mix.

Why is the partner important?

Well, you’ve been driving on these roads all your life. You know every little bend, every curve. You’re headed home in the middle of the day, and you get a text. Being seventeen and in love, you take your attention off the road for just a few seconds to see what sweet message you’ve received this time.

Then the crash happens.

The airbag does not deploy. You look up and see a giant red truck in front of you—the one you’ve just rear-ended. The sound of metal against metal buries itself in your head.

You’re okay. The puppies in the back of the truck are okay. Your car definitely isn’t.

For the rest of your driving career, you find yourself holding the steering wheel 10 and 2 at all times. You leave an absurd amount of space between your car and the one in front of you. You get nervous when you have passengers because they’re a distraction. Your phone stays face down on the seat next to you. Sometimes you avoid driving all together or find back roads to avoid busy interstates. When you ride with someone else, you find yourself closing your eyes if the driver gets too close to another car, bracing for the impact.

I, Mary Beth Warner, am bad at judging risk when it comes to driving.

That one experience in my life has changed the way I drive. I’m overly cautious because I know how terrifying an accident can be. I know how lucky I was to be able to walk away—and what might have happened if I wasn’t so lucky.

Now imagine that you’re an IT expert charged with the task of developing a risk management program for your company. You’ve had years of experience, have been through data breaches, technological failures, the whole nine yards. You consider yourself well-versed in everything that can go wrong in an environment—from the smallest bits of malware, to an entire system shutting down.

But then you start filling out your risk register. Maybe you think to yourself: Oh, I’ve had to do a full system restore, the impact wasn’t that devastating! Or: I once lost an entire day’s worth of backups during a power failure—this has the potential to be a major issue.

The point is—our personal biases and experiences are what make us bad at risk.

So how do we combat this?

Thankfully, one of the fundamentals of a good risk management program is getting a team involved. That’s right, a team. At first glance, we might see the purpose of forming a team to ensure we cover all aspects of the organization in our risk assessment. However, there’s another advantage to having a group of individuals discussing and evaluating risks:

It means that the decisions aren’t completely reliant on one single person.

Takes a lot of stress off, doesn’t it?

Having multiple voices and opinions means we can get a more accurate and realistic view of what is happening, what could happen, and what the impact of those events might be. Now, I won’t get into the nuances of good communication and how important they are to risk management (that’s another post all together). Ideally, your risk management committee should consist of company stakeholders, representatives from multiple units in the organization (don’t forget HR!), and employees who are familiar with the processes and systems being discussed.

And it always helps to have accounting or the CFO involved–who else to better understand the financial impact of our risks?

By having a committee responsible for the risk register, we have a greater likelihood of encompassing all the risks in our organization. It opens us up to having valuable conversations about issues within the company and offers perspectives that might otherwise be lost if we limit ourselves to only involving a single department. The folks in IT might not be aware of the turnover issues that HR has been trying to handle. Meanwhile, upper management might not be in tune with some of the constraints that the developers are attempting to fix.

As an added bonus—the department representatives might discover ways to collectively mitigate the risks that are identified. Is there a problem with security awareness training being completed? What incentives can HR give to employees to finish their lessons?

We are all bad at risk—but that doesn’t mean we have to be bad at risk management. By creating a strong risk management committee, we have the opportunity to work through our personal biases, learn how to better look at risk realistically, and open up lines of communication that might not have existed within the organization. I was fortunate enough to walk away from that car accident. By creating a risk management committee as part of an overall risk management program, leadership increases the likelihood that their company will also walk away from disaster.

Assess Your Risk with KirkpatrickPrice

Are you sure your risk management procedures meet your organization’s security and compliance goals? Although risk within your organization can be intimidating, managing that risk doesn’t have to be as scary as it seems. At KirkpatrickPrice, we want to help you mitigate risk within your organization by providing risk assessment reviews and access to experts who care.

Having one of our experts review your risk assessment process will help you stay proactive by identifying vulnerabilities and threats before they become a problem. Sign up for your free risk assessment review today!

Start Free Risk Assessment

About the Author:
Mary Beth Warner has 4 years of experience in information security. She has a Master’s in Cybersecurity with a concentration in Forensics from Utica University and has earned the SSCP, Security+, PCIP, and Project+ certifications. She has a passion for educating both clients and coworkers in risk management and other best practices. She lives with her two cats in Bowling Green, KY.

Leave a Comment