Thursday, January 31, 2008

Risk Management: Denial, the strategy that isn't a strategy

One of the short courses I enjoy teaching is a basic back of the napkin risk assessment process. It gives people a bit of leverage as well as a better understanding of the risks involved in their projects, designs, and systems. One part of that training is to talk about risk management once risks have been identified.

Most security professionals will tell you that there are four basic methods of risk management:

  • Acceptance or retention - accepting the loss when it occurs. Self insurance is often used as the standard example of risk acceptance.
  • Avoidance - not performing the activity that creates the risk. If exposing your services to the outside world creates a risk, you can avoid it by not exposing them. This is often possible for some, but not all risks.
  • Transferral - insurance is an excellent example of risk transferral. A lower payment insures that losses can be recouped, thus transferring the bulk of the risk to another organization.
  • Mitigation or reduction - taking action to reduce the risk. This is often paired with avoidance by avoiding as many risks as possible, then mitigating the remaining necessary risks.

There's a super secret fifth option that isn't really an option - but which is quite common. Every time I teach someone asks about it, because it shows up in almost every organization at some level when assessing risk.


While it isn't a valid strategy, often management and staff will not want to face a problem, or admit that a risk exists. I've seen this happen with the most senior management in organizations and at every level down to entry level staff, and once it starts, it often becomes an organizational assumption. It usually isn't due to ignorance, but rather due to a simple blind spot - the risk just doesn't seem real or possible.

There is a possible win in instances of denial though - if you can crack through that carefully built armor and get someone to admit that there is a risk, the entire organization's attitude can quickly change. In one case, the most senior person on a team I worked with paused halfway through a risk assessment in which we had identified a risk that senior staffers were highly trusted with no internal checks.

The light had turned on.

She noted that if she herself decided to cause problems that the organization could face a significant risk. Once she admitted that she herself could be a risk, the rest of the team quickly chimed in with the risks and vulnerabilities that their positions faced. Denial had shifted to awareness, and that let us address their risks through valid risk management techniques - with the full support of management.

Denial. It isn't a valid risk management strategy, but it is real - develop a strategy to deal with it as part of your risk assessment process, and you'll reap the benefits.

Creative Commons licensed photo credit Flickr user shawnzlea

No comments: