Risk Managers should lead

Vendors sell it as a dressed-up vulnerability assessment. Or as a dressed-up patch management. Even change management. And of course threat management. I haven’t seen it yet, but I am sure that there’s an example of an identity management product being touted as a risk management tool. Auditors around the world are looking for a second renaissance by calling themselves risk assurance. And every IT security manager who works for a financial institution nowadays thinks that if only they rename their department to risk management they can be part of the hip and cool crowd. But it doesn’t work that way.

Recently I was told of an IT risk management presentation given to a gaggle of executives and senior managers from a number of large insurance companies. The presenter spoke of many things, but mostly of SOX, HIPAA, PCI DSS, and other pickings from the “Compliance & FUD” smorgasbord. Not a word was said, I’ve been told, about actually managing risks. Apart, of course, from the worn-out formula Risk = Likelihood * Impact. No matter who you talk to, compliance is generally brought into the discussion when risk management is mentioned. Nothing could be more wrong than thinking of compliance with laws and regulations when talking about risks and risk management. Compliance is all about certainties. If you don’t comply with rules and regulations, you will be caught. The only (extremely limited) uncertainty is the time it will take, and the magnitude of the fees or fines that you will have to pay.

Risk management is about uncertainties. About managing what we know, what we don’t know we know, and what we don’t know we don’t know (thank you, Mr Rumsfeld). So how do we manage what we don’t know? There are many tools in a risk manager’s toolbox for managing the unknown, from avoiding risky activities in the first place, to transferring risk, to mitigating it, or just plain old accepting it. We’re good at it, we do it a lot. Actually, we’re extremely bad at risk management.

What we are good at is loss avoidance. We naturally dislike failure. We can’t accept failure easily, and will go to great pains just to avoid it. Of course our appetite for risk depends on our acceptance of failure. Those of us from Europe tend to avoid risks if there is even the slightest chance of failure. Those of us from the US are brought up to accept failure as part of a growing process. Failure in European and especially Asian cultures is stigmatised to the extent that anyone who failed once, regardless of great successes later on, will always be remembered as a failure. And this cultural predisposition towards failure guides our risk management performance. There is risk management and there is loss management. Unfortunately, most people who think they’re in risk management are actually only managing loss. Risk swings both ways. If you don’t take risks, you will never lead.