GUEST BLOG POST
Assessing the level of any business risk is not nearly as simple as most appear to make it.
Just look at any risk register or heat map (or “risk profile” in COSO language, which is the same thing) and you will see a single point for each source of risk’s potential effect and likelihood. That is simply wrong, as there is almost always a range of potential effects from an event (such as a decision), and each point in that range has its own likelihood.
One of the problems I have with most risk assessments is that they seek to evaluate each source of risk in a silo, rather than considering the big picture. I tackle this at some length in my new book (coming soon), Understanding the Business Risk that is Cyber.
The Tipping Point
One of the sections in the book is on something called the “tipping point.” Here is an excerpt:
In the robotics example [a project discussed earlier in the book], the cyber risk was seen as reducing the likelihood of achieving objectives by 3 percent.
On its own, this might be acceptable.
But the cyber risk might take the likelihood of achieving objectives beyond the tipping point, a concept made famous by Malcolm Gladwell in The Tipping Point: How Little Things Can Make a Big Difference.
It is defined in Merriam-Webster as: “The critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place.”
Perhaps the board is willing to accept a 10 percent likelihood of failing to achieve an objective, and currently the risk of failure (considering all related sources of risk to objectives) is assessed at 8 percent.
But the robotics cyber risk would take the likelihood beyond the 10 percent limit.
In that case, the CEO would have to look at all the risks involved and determine the best course of action. It might be to invest in cyber; it might be to invest in a different source of risk; and, it might be to accept the more than 10 percent likelihood of failure.
It’s not about whether the cyber risk is “high.” It’s about whether taking it is the right option for the business. Making a decision about cyber out of context is likely to lead to making the wrong decision.
This is one of the reasons I dislike the idea of quantifying a source of business risk in dollar terms.
The Bigger Picture
An event (and every decision is an event) can affect the achievement of multiple objectives. Not only are there potential rewards to balance against adverse effects, but different objectives may be impacted by different amounts, at different times, and so on.
The effect on one objective might be acceptable, while the effect on others is not. It may affect one objective immediately, and another in the longer run. In addition, the decision may take the overall likelihood of achieving objectives beyond the tipping point.
The individual risk may be within approved risk limits (or criteria or appetite), but the overall situation is now unacceptable. (By the way, I continue to have major issues with the idea that you can set an overall level of risk appetite, as it assumes you can aggregate all risks to a single number. The meaning of life may be 42, but that number has no practical meaning – just like most risk appetite statements.)
Let me explain further with a hypothetical example:
The CEO is considering an early rollout of the latest version of the company’s product line. In a meeting of her executive team, she hears:
- There is a great opportunity to seize the market since our competitors are clearly lagging.
- An early rollout of the product line increases the risk that customers will not be satisfied with its quality. But the heads of Sales and Engineering both believe that the risk is at an acceptable level, within guidance from the board.
- The early rollout also increases the likelihood of a compliance failure, but the chief compliance officer and the head of engineering both believe that risk is acceptable.
- The CIO and CISO jointly warn that the rollout will increase cyber-related risk, but they believe the risk is acceptable.
- The General Counsel warns that there are pending legal issues related to the use of open-source code, but she believes that the level of risk is acceptable and in line with guidance from the board.
- The CFO comments that the rollout will strain working capital availability, but he thinks it is a manageable risk.
Each of these and other sources of risk to the business’ are within defined tolerances.
But the CEO looks at the big picture and is not happy taking the overall risk that at least one of these issues will bite the company, so focuses on a few of the individual sources of risk to see if they can be reduced before giving the go-ahead for the rollout.
We have heard for a long time that managing risk in silos is not a good idea, and that is why enterprise risk management was born. Some continue to believe ERM is not a good idea. (Some have repackaged ERM as “integrated risk management”, or IRM. I assume this is a marketing device, as there’s no practical difference.) I believe that managing each source of risk without seeing and understanding the big picture is the path to failure.
That is a major issue when it comes to cyber risk assessments. Wait for the book to read more and please add your own views in the comment section below!
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.