Balancing speed and precision in risk management
Frederik Borup Helweg-Larsen
Cyber Security Advisor | Risk Management | Crisis Management | Emergency Preparedness | Process Automation | Preparedness Exercises | Advising Boards of Directors | Data-Driven Security Overview | Captain and Liaison Officer for Cyber
Identifying, assessing and deciding on risk in information systems is a challenge for most organizations. Risk Management frameworks like NIST (2018) provide guidance for the basic process and are widely used in government and private organizations.
The commonly used method is to calculate the risk by multiplying likelihood and consequence, and to display the results in a 5 by 5 matrix.
While the process is generally sensible and provides a good workflow, the decision process involving people, and their often-limited knowledge of the likelihood of a risk, creates a huge challenge. The questions asked in most risk assessments are very difficult to answer and often assume a level of insight that is not available.
This is where people start guessing - and we are terrible at guessing on risks.
The psychology
The psychology of decision making and behavioral economics, as described by Kahneman (2018) and Ariely (2009), documents the irrationality that takes place when people have to make complicated decisions with little time available. To ensure that the data in risk management are valid and usable, it is essential that the psychology of decision making is taken into account and incorporated in the workflow. Some individuals should make quick and simple decisions with a focus on speed, and others should make rational decisions focused on precision.
Kahneman (2018) describes the very poor ability to determine risks and potential outcomes, even among skilled professionals, and one should be careful when calculating and aggregating risks based on very uncertain assessments.
Simplicity, decision and action should be essential ingredients in risk management. All humans have an urge to control uncertainty, but we should recognize the fact that we sometimes have no idea about the materialization of a risk. “I don’t know” is a term that is rarely used in risk management, but one that can be very accurate.
Digitalization and automation
Digitalization and automation of risk management processes can create a smoother workflow that involves stakeholders in different ways without spending massive resources on communication and on exchanging spreadsheets over e-mail.
The transparency and efficiency that workflow systems can provide is in itself an important tool for risk management, as it can help you balance speed and precision in your process. These workflow systems are often referred to as Enterprise Service Management and are available in most larger organizations, often used for incident management in the IT department. However, the use of systems like these is evolving rapidly.
When you combine the theory of Kahneman's (2018) system 1 and system 2 thinking, the irrationality in the way we make decisions described by Ariely (2009), and the practical use of these theories in risk management, supported by technology, you get a very simple and operational approach.
This article is written to encourage you to reflect on this approach and to challenge the mainstream way of evaluating and processing risks. Let me know what you think...
References
- Kahneman, D. (2018), Thinking, Fast & Slow, Farrar, Straus & Giroux Inc, New York, United States
- Taleb, N. (2010), The Black Swan, Random House Trade, New York, United States
- Ariely, D. (2009), Predictably Irrational, HarperCollins Publishers, London, United Kingdom
- Joint Task Force (2018), Risk Management Framework for Information Systems and Organizations, National Institute of Standards and Technology, Maryland, United States