Risk - an introduction to advanced assessment, and the Top-Ten mistakes.


For every difficult risk assessment, there is an answer which is clear, concise, and wrong.

The Root of the word Risk is 'Root'

The EU General Data Protection Regulation mentions ‘risk’ 75 times. For a word that has been around and widely used for a long while, there is surprisingly little common understanding of what the term risk really means. Most dictionaries define the English word risk, the Italian words risico, risco and rischio, the Spanish word riesgo, the Portuguese risco and the French risque as all deriving from the Latin words resicum, risicum and riscus, which mean cliff or reef.

The Latin words themselves have Greek origins. In book 12 of Homer’s epic tale, Odysseus is blown into unnavigable narrow waters between the six-headed monster Scylla and ever-thirsty whirlpool Charybdis. In the original cliff-hanger story, Odysseus survives by clinging to the roots of a fig tree hanging from one of the cliffs. Such roots were known as rhiza or rhizikon (possibly from Proto-Indo-European words existing about 5,500 years ago). The words rhiza and rhizikon then came to be associated with cliffs, and eventually took on the metaphorical meaning ‘difficulty to avoid in the sea’ as the root symbolised Odysseus’s predicament. 

Over following centuries, the Arabic world adopted the Mediterranean term rhiza as rizk, meaning ‘everything given by God for livelihood’. In other words, something that cannot be totally controlled by mankind. By the time of the European Renaissance, risk had lost its seafaring meaning and the 16th century German business term ‘rysigo’ became ‘to dare, to undertake enterprise, to hope for economic success’.

Some etymologists believe the two Chinese symbols associated with risk are a combination of ‘Danger’ and ‘Opportunity’.

What is Risk?

Leap forward to the 21st century and the International Organisation for Standardisation (ISO) 31000:2018 definition of risk is ‘The effect of uncertainty on objectives’. But which effects, what uncertainties, and whose objectives? The objective of shareholders might be to see increased dividend payments, while the customers' objective is to pay as little as possible. The ISO definition is simultaneously irrefutable yet also uselessly abstract. If risk is a type of uncertainty, we could at least narrow the scope of risk to ‘uncertainty that matters’.

English is constantly evolving and the meanings of many words have changed over time. If they had not, the verb ‘Test’ would still be a noun meaning ‘small vessel used in assaying precious metals’ or ‘earthen pot’. Risk means many things to many people, but it cannot mean just anything. 

A 2001 survey of risk professionals found 95% agreed that ‘a risk’ is an event. Nevertheless, I would argue that ‘a risk’ is actually an attribute of an uncertain event that matters. If an engine falls off an aeroplane, that is an event; one risk attribute of that event is a possible rapid descent causing the loss of life to passengers, and another risk attribute is possible damage to anything or anyone the falling engine lands upon. If risks are considered to be just events, their causes are less connected to their potential consequences, making risks harder to control.

We might express risks as follows: “As a result of <an event>, <attribute> may occur, which would lead to <negative or positive outcome to someone who matters>”. For example: “As a result of <engine falling off aeroplane>, <rapid descent> may occur, which would lead to <physical harm to passengers and crew>”.

The ISO 31000:2018 standard tells us risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood. Those terms are expanded as:

  • Risk source - element which alone or in combination has the potential to give rise to risk.
  • Event - occurrence or change of a particular set of circumstances. An event can also be something that is expected which does not happen, or something that is not expected which does happen.
  • Consequence - outcome of an event affecting objectives, expressed qualitatively or quantitatively.
  • Likelihood - chance of something happening: The word ‘likelihood’ is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically, such as a probability or a frequency over a given time period. 

The English term ‘likelihood’ does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, ‘probability’ is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, ‘likelihood’ is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English. 

Managing risk

The options available to manage risks are:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  2. Accepting or increasing the risk in order to pursue an opportunity;
  3. Removing the risk source;
  4. Sharing the risk with another party or parties (including contracts and risk financing or insurance);
  5. Retaining the risk by informed decision;
  6. Changing the likelihood;
  7. Changing the consequences.

Testing is clearly connected to options six and seven. By providing relevant and timely information, testing helps monitor the effectiveness of actions taken to control risks. Testing also helps identify risks to support all potential options. Testing alone is not equivalent to risk management.

Problems with risk assessments

On the face of it, risk management might appear a straightforward by-the-numbers business. Nevertheless, whether risk assessments are approached with a bottom-up, component-focused methodology (e.g. ISO 27005) or a top-down, system-focused holistic method (e.g. Attack Trees), it is important to recognise that there are many limitations in all known approaches to risk. For readers interested in taking a more professional approach to risk advice by reducing over-confidence and ‘one size fits all’ thinking, I have created a ‘Top Ten’ of flaws in risk assessments.

1)  Misidentifying risks. Having no clear understanding of Risk is likely to result in failures to identify real risks, and in mistakenly identifying matters that are not risks. Some risk-related events are binary (they happen or they don’t), while others have multiple discrete events that vary across a range and not necessarily in an intuitively determinable way.

While risk is a type of uncertainty, not all uncertainties are risks. For example, a possible change of Government in India is unlikely to affect an offshore IT project in China. Conversely, a change of currency exchange rate could have a positive or negative outcome for an offshore project, depending upon which side of the transaction you sit. A risk management process could use financial derivatives such as options or futures contracts to manage exchange rate risk over the timescale of the project, or the risk could be accepted in order to pursue currency speculation. If the focus is on ‘usual suspects’, opportunities may be missed while real risks are unmanaged and left to chance.

When the identification step mis-identifies risks, subsequent stages are doomed to failure. Resources will be wasted managing irrelevant ideas and the credibility of risk management will suffer. 

A note of caution here: Genuine risks are frequently identified and managed, but do not occur during an arbitrary time period. Over time, scepticism may lead to a mindset that such risks should be excluded from the risk management process. As Richard Feynman observed during the space shuttle Challenger explosion enquiry: “Much of the reasoning about risk at NASA effectively took the form that if disaster hadn't happened yet, it probably wouldn't happen next time either”. 

2) Masking uncertainty. Unlike spatial distances between objects, we do not perceive time through a conventional sense; we notice time through the perception of other things. In humans, the subjective perception of time passing alters with increasing age and varies between individuals. Within intervals of five milliseconds (thousandths of a second), we perceive visual events to be simultaneous. Apart from when we look up into deep space and see the distant past, everything we experience as present time has occurred in the recent past and is therefore unreal. Our eyes only contribute around 10% of what we see. The other 90% is constructed by our brains because we cannot process all of reality. Instead we see ‘meaning’.

The finite speeds of light and sound, plus the movement of signals from our senses through our minds, create a delay between reality and our sense of the present. These considerations may seem irrelevant since light in a vacuum travels approximately one metre every 3.34 nanoseconds (billionths of a second). However, at the time of writing, Bitcoin miners are testing 47 billion hashes per nanosecond and the rate is increasing exponentially. Time, and time complexity, are too poorly understood to appear in conventional risk assessments and are therefore simplified to the extreme.

The past may influence the future, but the future cannot influence the past. We have mental mechanisms for recalling memories of past events (not entirely accurately), but we cannot sense the future. Despite these obvious truths, almost all risk assessments include a prediction of the future in the form of a ‘likelihood’ factor. 

Every risk calculation that contains ‘likelihood’ in the expression airbrushes over the practical difficulty of predicting the future. The more formula-driven the risk assessment, the more convincingly its outputs suggest that it is actually possible to predict the causes and effects of all risks with a degree of certainty. It is implied that the same inputs will always lead to the same outputs (determinism). But because we are dealing with the interaction of people and technology, we should not assume all interactions are predictable. There will always be some level of uncertainty about the outputs from any risk assessment technique.

The complex nature of modern technology systems means risks will often emerge that were not previously anticipated through assessment and analysis techniques. Failing to recognise this uncertainty (and the non-deterministic nature of risk) can lead to complacency and lack of preparation for emergent or changeable risks.

Continuing to use NASA as an example, the space shuttle Challenger inquiry revealed the engineers estimated the chance of disaster as one in one-hundred, while managers thought them to be closer to one in 100,000. Management over-ruled engineering, yet the loss of two shuttles (and 14 astronauts) in 135 flights highlights the inaccuracy of the dominant prediction.  

Past events are not always a good predictor of future events. A statement of probability (especially when guesses are expressed as percentages) can bias decision makers and lead them to place unfounded confidence in a prediction. Probability assertions should not be read as announcements of surety; they are suggestions to reduce uncertainty in support of risk management decision making. Eradicating uncertainty is unrealistic.

3) Abstraction of reality. Whenever reality is reduced to labels, names, numbers, matrices, or any artificial construction, the subtlety and complexity of risk is often concealed by low resolution. A qualitative label such as ‘High’ is still vague and liable to various subjective interpretations. A quantitative label such as 4% of global turnover conceals the many associated costs and missed opportunities that a loss of that size would incur (e.g. redundancies, plant closure, R&D cutbacks, market retrenchment, reputational damage, loss of confidence, etc.), and the impact assessment would be subject to the bias of each decision maker.

Numerical labels are often perceived as being more reliable because they give the appearance of rigour. While this is sometimes true, numerical labels can promote bias because they are received with more confidence. For example, a risk labelled as 60% probable will instil a greater sense of surety in decision makers than if it were labelled ‘medium-high’. While financial risks are usually best expressed in numerical terms, intangibles such as brand reputation generally translate poorly to quantitative risk assessment.

Using matrices to inform management decisions can hide the complexity of technology and the true nature of the associated risks. Outputs are difficult to validate when the function used to combine input components is hidden by the matrix. The use of columns and rows creates an implicit impression that a scale exists, and a false notion that risks exist on a linear scale. For example, a ‘High’ impact appears to be three times worse than a ‘Low’ impact, with ‘Medium’ exactly half-way between the extremes. In reality, the worst-case scenario might be thousands of times more damaging than a ‘Medium’ impact.

Since there is no demonstrably valid axiom to guide the use of risk labels or matrices, anyone might create a risk matrix quite different from anyone else’s matrix, while assessing the same risks. The greater the abstraction through labelling, the more meaning and context are lost. 
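To make the matrix problem concrete, here is an added illustration (not from the original article) that places three constructed risks into an assumed 3x3 likelihood/impact matrix and compares the matrix ranking with the expected loss the labels conceal: two risks share one ‘Medium/Medium’ cell while differing more than thirty-fold in expected loss, and the risk the matrix ranks lowest carries the largest expected loss. The bands, scores and sample risks are assumptions chosen for the illustration.

```python
"""Added illustration of how a qualitative risk matrix hides the underlying numbers.

Constructed example, not from the article: the likelihood bands, impact bands and
the three sample risks are assumptions chosen to expose the effect the text describes.
"""
from dataclasses import dataclass

# Assumed likelihood bands (annual probability, upper bound exclusive) and
# impact bands (loss in EUR, upper bound exclusive).
LIKELIHOOD_BANDS = [(0.10, "Low"), (0.50, "Medium"), (1.01, "High")]
IMPACT_BANDS = [(100_000, "Low"), (1_000_000, "Medium"), (float("inf"), "High")]
LABEL_SCORE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual probability that the event occurs
    loss: float         # loss in EUR if it occurs


def band(value, bands):
    """Return the label of the first band whose upper bound exceeds value."""
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


def matrix_cell(risk):
    """Qualitative (likelihood, impact) labels the matrix would show."""
    return band(risk.probability, LIKELIHOOD_BANDS), band(risk.loss, IMPACT_BANDS)


def matrix_score(risk):
    """Typical 3x3 matrix score: likelihood index multiplied by impact index."""
    lik, imp = matrix_cell(risk)
    return LABEL_SCORE[lik] * LABEL_SCORE[imp]


def expected_loss(risk):
    """Quantitative annualised expected loss that the matrix collapses away."""
    return risk.probability * risk.loss


def rank(risks, key):
    """Risk names ordered from highest to lowest by the given scoring function."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


# Constructed sample risks (not taken from any real assessment).
RISKS = [
    Risk("A: rare, catastrophic", 0.09, 9_000_000),  # Low likelihood, High impact
    Risk("B: plausible, costly", 0.45, 900_000),     # Medium likelihood, Medium impact
    Risk("C: plausible, minor", 0.11, 110_000),      # Medium likelihood, Medium impact
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:24} cell={matrix_cell(r)} score={matrix_score(r)} "
              f"expected loss=EUR {expected_loss(r):,.0f}")
    print("matrix order:       ", rank(RISKS, matrix_score))   # B, C, A
    print("expected-loss order:", rank(RISKS, expected_loss))  # A, B, C
```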

4)  Losing risk signals in the ‘noise’. Normal system operation generates noise in the form of alerts and notifications received through monitoring tools and via customer contact points. The volume of noise makes it difficult to separate acceptable activity from genuine risk signals. The problem can be compounded when signals that merely correspond with one another are taken as validating one another, and are then fed into risk decisions.

Noise can be created by misguided risk analysis based upon poor scoping and modelling. In extreme cases, the risk model may only contain noise and no genuine risk signals. This scenario may arise when a regulatory standard reduces the scope of a risk model to compliance alone. Noise can also be generated through bias. The source of the bias may be the latest news headlines regarding a security vulnerability or disaster, causing the focus to be upon the noise while real risk signals are overlooked. 

Filtering out normal system noise and ‘false-positives’ from real risk signals requires skill and good judgement. Too much filtering or modification of signals as they travel through the organisation creates information opacity, followed by loss of understanding. The greater the depth of the workforce information hierarchy and the more complicated the signals, the more detached decision makers will become.

5)  Missing the connections. Typical risk assessments consider each risk in isolation and break down the components into source, event, consequence, and likelihood. This reductionist approach can lead to a fixation on individual parts while missing the risk at large. 

When risks go bad there is seldom a single cause of disaster. Complex interactions between components can create a compounding effect whereby the total risk is greater than the sum of the parts. Using our space shuttle example again, two low risks (distorted re-usable rocket segments & leaks in segment joint insulating putty) combined with a medium risk (reduced rocket segment ‘O’ ring resilience at low temperatures). In isolation, each risk may have been tolerable, but in combination they were fatal. 

Rather than dismiss medium and low risks in the short term, decision makers should seek to identify the relationships between risks and consider how these affect their estimations.

6)  Scope blindness. Once the scope of a risk assessment has been decided, the assessment will inevitably consider only risks within this perimeter. Until the 1990s it was possible for many technology systems to exist in isolation. In the here and now, systems are highly interconnected and increasingly complex. A serious IT failure in one enterprise may affect both suppliers and customers in the supply chain. Small suppliers are particularly vulnerable to problems within their major customer.

Sony had a well-planned campaign in 2004 to launch the PlayStation 2 before Christmas. Unfortunately, an oil tanker became stuck in the Suez Canal and blocked all ships from China, including those carrying the PlayStation consoles. By the time cargo planes started flying PS2s into Europe it was too late for the Christmas rush, sales were down 90%, gamers were disappointed or switched brands, and retailers were powerless to influence events.  

When UK phone company TalkTalk experienced a serious data breach, the customer compensation scheme did not extend to victims of fraudsters using the stolen data to gain the customers’ confidence and extract funds from their bank accounts. Quantifying the embarrassment of staff and frustration of customers was probably beyond the risk assessment scope, and the record fine was possibly not within the expected range!

The true impact of risk consequences can extend far beyond the scope of an assessment.

7) Time trapped. Estimations made at the outset of risk assessments are not always revisited to consider the effect time is having upon the components. Regrettably, risks tend not to have a constant probability distribution over time.

A system may be considered secure on day one, then a security vulnerability is publicly disclosed on day two. The plan for applying a fix immediately becomes a race between organisational efficiency and attackers developing detection and exploit kits. If the systems are successfully attacked the cost might be correctly anticipated at €1m per day. However, if the attackers cannot be dislodged after 30 days the organisation may totally collapse and the eventual financial costs far exceed the predicted daily rate.  

Risk controls need to adapt in response to changes in, for example, threat, technology and business use. Most existing approaches to mitigation specify the application of a fixed control set which does not consider 'real world' feedback. This feedback is essential for the effective regulation of technology systems. Feedback can inform the amplification of mitigation activities in situations where increased assurance is required, and the dampening of mitigation activities in situations where they are becoming excessive.

Decision makers should ensure assessments are kept current to include the effect of time on risk. 

8)  Meet in the Middle. Sticking one’s neck out and bringing bad news, especially when there is uncertainty, can affect the messenger’s career in a work environment hostile to pessimism. Without solid objectivity it is tempting to resort to safe subjectivity and rank most risks as ‘medium’.

Unfortunately, a glut of medium risks hinders any attempt to prioritise treatment, assuming the assessment criteria were trustworthy in the first place. Granularity is essential for prioritisation of treatment and to avoid meaningless risk decisions. Effective risk management is less about trying to calculate absolute values for risks and more about determining the optimum priorities when working with a limited budget. To be useful, models of risk must be honest.

9)   Lop-sided variety. Technology systems are built and delivered with increasing complexity, innovation, and variability. The options for controlling risk tend to evolve slowly and with less variability. The end result can be a lop-sided equation with a limited approach to mitigating risks versus an almost unlimited variety of technology. 

While it may feel safe to stick with a control set recommended by an established risk assessment method, a more effective approach is to employ equivalent variety in risk mitigation as the dynamics of the technology system introducing the risks.

10)  Treatment can create risks. Interventions do not always deliver certain outcomes; sometimes they can have adverse effects of their own. ‘Fixing’ system defects can cause regression. Removing Middle-Eastern tyrants can worsen already bad situations. The risk management policy might set deadlines for security patches to be applied within service level agreements, yet without adequate testing these patches may create new vulnerabilities, perhaps worse than the originals.

Risk assessments do not always consider the possible adverse effects of planned interventions.

Look before you leap!
More articles by Declan O'Riordan