Preparing for the Assessment

Before you begin the process of assessing the risks within your business, you first need to take several steps to prepare:

  1. Follow the Process - Make sure you are familiar with the overall principles, methodology and tools for conducting a risk assessment discussed in the previous section. As is stated frequently on this site, Information Security needs to become a science - a predictable, objective process - and that is only possible if everyone involved starts from the same framework and the same tools.
  2. Management Support - An effective risk assessment takes time and resources and demands the full involvement of its participants. Many employees will see the risk assessment as a waste of their time and will not appreciate its long-term benefits. You can either spend years convincing these employees of the value of an effective risk assessment, or you can enlist senior management in supporting the process. Your job becomes a lot easier once the management of operational risk is treated as a fundamental component of doing business rather than as an optional exercise.
  3. Assemble Team - Something is very wrong if you find yourself conducting a risk assessment on your own. No single individual has the experience and training to be familiar with the marketing, sales, operations, technology, legal and risk functions within a business. Even if you could find such a person, he or she could not give an objective risk appraisal of each function, having limited or no accountability for the results in most of them. The assessment must be done by a team whose members own the functions being assessed.
  4. Inventory - Few, if any, controls are efficient or effective if they do not meet the demands of the business and its overall risk profile. To identify effective controls you need a thorough inventory of the people, processes and technology used by the business; a control that protects an asset nobody has catalogued, or that misses one that exists, is a control chosen by guesswork.

These are the formal, objective steps that need to be followed for a successful risk assessment. But there is an additional, subjective element to this process: Operational Risk assessment is an imperfect science. You will be predicting the future, and that prediction rests primarily on whether humans will act as expected. Donald Rumsfeld, as US Secretary of Defense, stated, "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know." As the war in Iraq demonstrated, there were aspects of the invasion of that country that involved crucial facts that "we don't know we don't know," and those facts led, in part, to Rumsfeld's downfall. The same dilemma was presented in the recent financial crisis, where several banking institutions failed to properly recognize the concentration and liquidity risks related to packaging sub-prime mortgages. It is important to note that these major blunders were not actually based on what "we don't know we don't know." In actuality, they were caused by the decision to ignore or underweight known risks. There was an abundance of evidence before the invasion that Iraq would be thrown into sectarian violence without the presence of a repressive central government. Similarly, past financial bubbles provided ample evidence that markets will tumble, and that when they do, minimizing concentration and liquidity risk is crucial to how well a financial institution survives. But if the evidence is there, why do we choose to ignore it? Why did Chuck Prince, the CEO of Citigroup, state in July of 2007 (before the sub-prime crash), "When the music stops, in terms of liquidity, things will be complicated. But as long as the music is playing, you've got to get up and dance. We're still dancing." The answer lies in the imperfection of humans. Not only is it difficult to predict how humans will act in the future, but the prediction itself is made by an equally imperfect human. As part of the risk assessment you will likely be confronted with difficult, uncomfortable issues. You may discover a crucial flaw in the controls around a process that is central to a new business initiative, an initiative that the CEO of your company is pushing forward so forcefully that he or she will not listen to any negative comments. Similarly, you may find a technology head who refuses to acknowledge a risk, not because the risk is insignificant, but because there is currently no viable solution available. While this site cannot tell you how to navigate this political minefield, you need to at least recognize that you are facing denial and find a way to keep the evidence of the control failure from being suppressed. That is where the true art of risk assessments comes in. The challenge in predicting the future is not so much in using the crystal ball as in finding a way to tell your customer that the future may not look as rosy as they would like.

