There has been a lot of discussion and buzz around risk lately. Let's just assume that we all agree on how to determine risk, whether quantitatively or qualitatively. Then what? We have a level of risk; what can we do to make business decisions around it?
There are four ways an organization can deal with an identified risk: accept it, avoid it, mitigate it, or transfer it. As outlined below, each of these decisions has its own impact on time, money and resources for an organization.
Accepting the risk is a business decision that reflects the organization's "acceptable risk level," that is, its willingness to assume the risk. This does not mean that an organization that does not know its risks can accept an unknown. As noted above, we have already determined the level of risk and are now determining the best course of action.
Many times I have briefed the CIO and executive management on risks that we identified, and far too often I get the response, "I know, I am willing to accept some level of risk." Of course, I follow up with, "What is your acceptable level of risk for the organization?" This of course is a rhetorical question. They do not know, but really do not want to deal with the identified risks and use this as a way to dismiss the findings.
In many instances the risks identified are insignificant within the organizational risk portfolio, and thus can truly be accepted, assuming the organization has an Enterprise Risk Management (ERM) structure in which to record that decision.
Many business leaders confuse avoiding risk and accepting risk. Let's make it very clear. Avoiding risk, as used here, means you are going to do nothing with the identified risks. (Note that standard frameworks such as NIST SP 800-39 and ISO 31000 use "avoid" to mean eliminating the activity that carries the risk; what this post describes is closer to ignoring the risk.) How does this differ from accepting risk? When you accept the risk, you are actually doing something; you have consciously chosen to accept the risk and the impacts of that decision, right or wrong.
During the financial industry collapse (late 2000s), economists at these financial institutions were providing risk forecasts to decision makers based on subprime mortgage practices. However, these risks were avoided, or ignored. The financial institutions therefore fell into financial ruin and requested bailout funding from the government. Unfortunately, your business probably won't get bailout money if you decide to avoid risks. If they had truly accepted the risk, they would have been prepared to deal with the consequences.
Organizations and industry segments that, as a whole, decide to avoid risks usually invite government oversight to reduce the risk. Thus the Dodd-Frank law was passed to reduce the risks that financial institutions were taking on without acknowledging them.
In past presidential debates, the Dodd-Frank law was discussed, with the argument that the government needs to reduce oversight and interference in banking operations. While I agree, let's also agree that because the financial institutions avoided the risk, we are all paying for that mistake.
While it may be cost-prohibitive to reduce all risks, those that exceed the acceptable risk level should be mitigated. Mitigating risk means that you are reducing risk by implementing controls, fixes or other countermeasures that have a direct effect on the risks identified.
Residual risk is the risk that remains after you have mitigated a portion of the identified risk. By focusing on residual risk, you can make more informed business decisions, specifically weighing the cost of mitigating against the benefit gained from those controls.
Residual Risk = Identified Risk - Risk Reduction from Controls
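The residual-risk formula and the cost-versus-benefit decision it supports are easier to see with numbers. The following is an added example, not code from the original post. It assumes risk is expressed quantitatively as expected annual loss (likelihood per year times impact per event), that each control removes a fraction of likelihood or impact and that those reductions compound multiplicatively, and it uses a constructed portfolio of three risks and a hypothetical acceptable-exposure threshold. All risk names, control names and figures are invented for illustration.

```python
"""Residual risk and risk-response decisions (added example, not from the post).

Model (assumption): risk = expected annual loss = likelihood * impact.
Each control removes a fraction of likelihood and/or impact; reductions compound.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # expected events per year
    impact: float      # loss per event, in currency units

    def exposure(self) -> float:
        """Identified (inherent) risk as expected annual loss."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction of likelihood removed, 0..1
    impact_reduction: float      # fraction of impact removed, 0..1


def residual_exposure(risk: Risk, controls: Iterable[Control]) -> float:
    """Residual risk = identified risk minus the reduction the controls buy.

    Reductions compound: two controls that each halve likelihood leave 25% of
    the original likelihood, not 0%.
    """
    likelihood, impact = risk.likelihood, risk.impact
    for c in controls:
        likelihood *= 1.0 - c.likelihood_reduction
        impact *= 1.0 - c.impact_reduction
    return likelihood * impact


def recommend(risk: Risk, candidates: Iterable[Control],
              acceptable_exposure: float) -> Tuple[str, List[Control], float]:
    """Return (decision, controls to apply, residual exposure).

    Greedy heuristic: repeatedly apply the unused control with the largest
    marginal net benefit (exposure removed minus annual cost), but only while
    that benefit is positive and the residual is still above tolerance.
    """
    applied: List[Control] = []
    residual = risk.exposure()
    if residual <= acceptable_exposure:
        return "accept", applied, residual  # already within tolerance
    remaining = list(candidates)
    while residual > acceptable_exposure and remaining:
        best, best_net = None, 0.0
        for c in remaining:
            new_residual = residual_exposure(risk, applied + [c])
            net = (residual - new_residual) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:
            break  # no remaining control pays for itself
        applied.append(best)
        remaining.remove(best)
        residual = residual_exposure(risk, applied)
    if residual <= acceptable_exposure:
        return "mitigate", applied, residual
    # Cost-effective controls are exhausted: what is left must be transferred
    # (insurance, contract) or explicitly accepted, never silently ignored.
    return "above tolerance: transfer or accept explicitly", applied, residual


# Constructed sample portfolio (hypothetical figures, not from the post).
ACCEPTABLE_EXPOSURE = 50_000.0
PORTFOLIO = [
    (Risk("Ransomware on file servers", 0.5, 400_000),
     [Control("Offline backups with tested restores", 20_000, 0.0, 0.7),
      Control("MFA on remote access", 15_000, 0.5, 0.0)]),
    (Risk("Lost unencrypted laptop", 2.0, 15_000),
     [Control("Full-disk encryption", 8_000, 0.0, 0.9)]),
    (Risk("Card data breach at outsourced processor", 0.05, 2_000_000),
     [Control("Contractual indemnity and annual provider audit", 10_000, 0.3, 0.2),
      Control("Bring processing in-house with own PCI program", 90_000, 0.5, 0.5)]),
]


def decide_all(portfolio=PORTFOLIO, acceptable=ACCEPTABLE_EXPOSURE):
    """Map each risk name to (decision, applied control names, residual)."""
    result = {}
    for risk, controls in portfolio:
        decision, applied, residual = recommend(risk, controls, acceptable)
        result[risk.name] = (decision, [c.name for c in applied], round(residual, 2))
    return result


if __name__ == "__main__":
    for name, (decision, applied, residual) in decide_all().items():
        print(f"{name}: {decision}; controls={applied}; residual={residual:,.0f}")
```

The third risk is the interesting one: after the only control that pays for itself is applied, residual exposure still sits above tolerance, and the in-house option costs more per year than the exposure it removes. At that point the model stops; the remaining risk has to be transferred or accepted as a recorded decision, which is exactly the distinction between accepting and avoiding that the post draws.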
Many organizations are turning towards transferring risk as an alternative to the options above. Transferring risk can take various forms, including cyber liability insurance and outsourced services. However, transfer rarely removes the risk entirely; some residual risk remains.
Specifically for cyber liability insurance, companies should be using it to bring their financial exposure in the event of an incident down to their acceptable level. Buying cyber liability insurance without an understanding of your acceptable level of risk means you may be treating transfer as if it were mitigation, which it is not: a policy pays out after the incident and does not reduce the likelihood of the event or its operational impact, and payouts are subject to deductibles, sub-limits and exclusions that leave residual risk with you.
Case in point, organizations are transferring the risk of processing credit card transactions. The organization assumes that if an outsourced provider performs this function, it is free and clear in the event of a breach. However, in most instances the organization holds the contractual obligation with its merchant bank, and under PCI DSS it remains responsible for the cardholder data it shares with service providers; therefore if a breach occurs, there will be liabilities and fines assessed against the organization. The organization would then need to prove that the outsourcer was negligent and attempt to recoup the fines it incurred.
Understanding your risks is a critical step in deciding how you want to deal with them. Decisions surrounding risk have a number of consequences and should not be taken lightly. Clearly, every decision point has a cost associated with it, and these costs need to be weighed against the potential losses. In the example above, ignoring the information presented by the economists had a severe impact on the financial institutions' continuing operations, thus a very high operating risk. If that information had been considered and controls had been in place to reduce the risk, the effects might have been diluted and possibly the financial industry collapse would have been prevented.
Remember, not all risks are known; there is uncertainty in everything that we do. So when risks can be quantified, it is extremely important to take them seriously and make the appropriate decision.