Does risk management matter?
Risk management is all about helping us to create plans for the future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day to day basis.
We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated, there are limits.
A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, classified in some way, many choose a simple High, Medium and Low. This can be easier said than done as we all would like to abolish risk, as if that were an easy and simple option.
You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven't defined? Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk'?
We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.
Simply put, of course, a definition for an individual organisation may simply be this question for each business asset or process, ‘what would the risk to the business be if this process/asset was corrupted/denied/compromised or lost’? This gives us 4 risks, data corruption, denial of access, lost and compromised data/hardware/software etc, and it allows us to immediately assign a level to that risk of high, medium or low, depending upon the perceived hit on the bottom line.
It’s a false and dangerous notion that you can fully understand and manage all risk. Instead you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent.
Don’t try and chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.
Don't despair, you can still protect yourself from many cyber attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.