The time has come to go from a traditional ‘Prioritize – Reduce’ approach for risk analysis to an ‘Adapt’ approach that better fits the present environment.
Any of us could quote from memory, with only small variations, the basic steps of a Prioritize – Reduce risk management process: identify and prioritize threats based on risk level (calculated from estimates of probability of occurrence and magnitude of impact). In fact, we are so used to proceeding in this way that we rarely stop to think that this is only one of the many possible options for risk management.
This approach has delivered good results in the past and in different sectors, and it is also the prevalent one in the information security field. However, it is only effective under some conditions. First of all, the enterprise must be able to identify all threats, and that is not so easy in the complex and dynamic ICT world. Past references, incident history and logs lose their meaning very quickly due to innovation, and risk professionals must continuously face threats that, some weeks ago, they could not even imagine. In fact, in analyzing failed projects, it was clear that the most devastating risks were the ones that no one had thought of.
This happens because the Prioritize – Reduce approach makes sense when we are in known, uncomplicated or simple situations, but when we must face new projects or systems, how good are we at anticipating threats? The answer is, in the best case, really poor. This conclusion is supported by many experiences that show that humans cannot predict the future, nor prevent or identify threats under complex and dynamic conditions. Moreover, even if we were able to identify threats, risk analysis depends on probability and impact estimates, and again, there is a lot of evidence (experiments) that shows that humans are not very good at estimating. Our brains have built up many shortcuts that we use continuously to evaluate our environment and make decisions, and these shortcuts drive us into systematic mistakes (referred to as cognitive biases).
Even worse, risk mitigation plans in unpredictable environments could become part of the problem because, according to authors like Mintzberg¹ or Klein², these plans lower commitment to a high-alert attitude by creating a sensation of security. Plans focus on predictable threats and make it easier to ignore unknown or unpredictable events.
In brief, traditional risk management approaches make people feel more confident than they should. In complex environments, where there is no evident relationship between causes and effects, we cannot depend on best practices; we can only move ahead through trial and error, paying attention to emerging patterns (an adaptive approach). According to this approach, under uncertain conditions, we should focus on being ready to respond to unexpected events.
We should learn a lot from the agile approaches used in software or complex product development. Agile values, principles and practices drive us to minimize inherent risks. An agile organization becomes resilient and is able to adjust its performance before, during or after changes. Agile approaches help to create and maintain team and organizational resilience by making all the knowledge available, letting everyone compare current facts with the desired situation, and providing the tools to make the adjustments needed to correct any deviation from course in “real time.” It is time to change our way of doing things. Instead of focusing on building an impregnable fortress, we should focus on being ready to respond.
Mario López de Ávila, Owners and Entrepreneurs Management Program Director at IE Business School and Owner at NODOS CTC, Spain
Antonio Ramos Garcia, CISA, CISM, CRISC, CEO at leet security, Managing Partner at n+1 Intelligence & Research, and President of the ISACA Madrid Chapter, Spain
1 Mintzberg on Management by Henry Mintzberg (Paperback - Aug 21, 2007)
Management? It's Not What You Think! by Henry Mintzberg, Bruce Ahlstrand and Joseph Lampel (Hardcover - Sep 15, 2010)
2 Streetlights and Shadows: Searching for the Keys to Adaptive Decision Making by Gary A. Klein (Sep 30, 2011)
The Power of Intuition: How to Use Your Gut Feelings to Make Better Decisions at Work by Gary Klein (Paperback - Jun 1, 2004)