WANTED: People to undertake hazardous journey…

April 03, 2013

“…small wages; bitter cold; long months of complete darkness; constant danger; safe return doubtful; honor & recognition in case of success” (London Times 1907). This was the ad placed by Sir Ernest Shackleton, the explorer who was searching for people to accompany him on the expedition to the South Pole.

He summarizes the basic elements of a business (ad) venture nicely: an endeavour that is challenging, the outcome is uncertain, great rewards are possible but not guaranteed, and the costs can be high with risk, hard work...and sometimes danger.

So the ultimate business question is, "How do we maximize our rewards (desired business outcomes) while improving the probability we will be around (survive) to enjoy the benefits?" There are several ways. One is to manage the risks, uncertainties, and dangers...risk management.

Risk management has been around in some form for thousands of years. It hasn't changed much over the last several decades, but recently it has more prominence in organizations throughout the private and public sectors. Risk management is a key element in the way organizations make important decisions; many have a major impact on you and me. It is time we start taking a more critical view of risk management and seriously reassess the methods.

The recent credit crisis, terrorism, Hurricane Sandy, Hurricane Katrina, hackers, outsourcing overseas, investment irregularities, and air travel disasters all have something in common: the methods used to assess risks are often flawed. There are some serious problems with our risk management methods, especially those revolving around risk analysis.

This presents an interesting dilemma. If risks are not properly evaluated then the risk management itself is a risk. Ineffective risk management methods are frequently described as best practices. And the problems are rarely apparent until it’s too late.

Studies show that risk management is rarely based on actual measurements and it is uncommon for methods to be measured and validated. Also, many methods comprise components that are known not to work. While there are a variety of schemes to assess risk, few have any real basis in statistics or decision science. In his books “Fooled by Randomness” and “The Black Swan”, Nassim Taleb highlights these problems but doesn't provide much practical guidance for risk managers.

So what are risk managers to do? It is time to step back and reevaluate the situation. It is time to take a critical view of the methods we have accepted as best practice and determine if they really lead to better decision making in our organizations. This means we need to find better ways to measure and analyze the effectiveness of risk management methods. We can begin by frequently asking three powerful questions about our risk management methods:

1) Does the method really work?

2) How would you know if it didn't work?

3) What are the consequences if it didn't work?

In cases where studies have been conducted and data is available, the answers are not good. We will describe these problems and discuss solutions in future blogs.

Like Shackleton's South Pole expedition, business is an adventure. You only have two real ways to approach any adventure. One is to merely survive by avoiding all the risks and just getting by; the other is to engage in the hard work and embrace the uncertainties, risks, and dangers completely…near the edge where the real rewards unfold. Risk management is an essential tool for survival. Make sure you know you have one that works.
