Is risk management getting too ‘mechanized’?

I was at a recent meeting we hosted for leading South African CISOs in Johannesburg. We were discussing the pros and cons of risk quantification models when one of the participants said: “I worry that attempting to quantify risks is leading us to ignore sound judgment as a decision-making tool. We believe more in the number that the system spits out rather than the instinct and advice of individuals who understand the terrain and the business context.”

Quantifying information risk and producing a single number for residual risk levels at a company is considered the holy grail for information risk professionals worldwide. It is considered an essential tool to systematize the ever-changing world of information risks. This CISO was arguing for “a return of judgment” in risk decision-making.

Interestingly enough, the latest (October 2009) issue of the Harvard Business Review (login required) makes a similar argument in its ‘Spotlight on Risk’ Issue. In an article titled “The Six Mistakes Executive Make in Risk Management”, the authors argue that
“Instead of trying to anticipate low-probability, high-impact events, we should reduce our vulnerability to them. Risk management, we believe, should be about lessening the impact of what we don’t understand – not a futile attempt to develop sophisticated techniques and stories that perpetuate our illusions of being able to understand and predict the social and economic environment.”

The fundamental questions that Information Risk professionals need to answer are:
– Where and how do quantification models help?
– How can use them to supplement sound judgment (and not substitute for it)?
– How can we help our team members get a better understanding of the business context they operate in to help them make the right decisions?

In IREC, we have taken the view that CISOs have a better shot at understanding their controls environment and plug obvious gaps in their controls portfolio than invest time and effort in building out sophisticated risk models. In other words, how do we reduce our vulnerability to high impact events by strengthening our controls.

Some would say that it is only pragmatic given that most companies don’t have good actuarial data on threats, loss events and the like. Others would consider it is heretical that Information Risk professionals are calling into question the very need for risk quantification. What is your view?

Explore posts in the same categories: Risk Management, Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: