This post is mainly focused in Cybersecurity, but it is perfectly applicable, on its premises, to any market where risk management is a key element in strategy.
Not sure to say I had the luck (or the disgrace) of being part of several projects where risk management was an important area. From project lifecycle in several contexts, to huge transformation projects, master plans or threat evaluations.
How to manage these projects governance is always the most relevant element: a project with poor management, use to become a disaster. Governance is extremely important: please note here the difference between management and governance. We’ll get back on this.
In all them I saw repeated problems that I’ll enumerate in the following list:
- Inventory of what is relevant: confussing many times, many times impossible to complete (in my opinion, a money pit).
- Threat inventories not making any sense: where they are paying attention to irrlevant things, and other things, with critical impact, are missing.
- Biased or directly fake likehood: it is questionable that someone can have real likehood information about anything. And more questionable even that biased likehood values focused in reducing the official risk level of a threat.
- Sloppy impact evaluations: in a lot of examples impact for a threat is evaluated in a localized, particular and asset-isolated way. Not assuming the impact value linking our project or organization with other elements on the ecosystem.
- Risk hero not empowered enough: when you identify risks and become the responsible without having enough power, use to have ugly consequences trying to work on them. This has a direct proportional (I dare to say exponential) relationship with rganizations risk apetite.
But, what is risk?
Before entering on formal definitions, I believe it is important to see what the dictionary says about the term. We can check this on Webster’s https://www.merriam-webster.com/dictionary/risk.
Orthodox views on risk management use to coincide in risk being determines by two variables mainly: likehood or probability (or…