
Risk in the Real World

Most of us developed our ability to navigate the risks that life has thrown at us through a trial-and-error process, not rational, objective analysis. Likely we were programmed that way from the start. Early man survived better against the elements by using reflexive, instantaneous reactions to threats as opposed to a time-consuming reasoning process. Consider snakes. Most of us react instantaneously when we come across a snake in our yard. We immediately retreat. But most snakes are not poisonous, and even the ones that are can be avoided by reacting in a calm, deliberate manner. Regardless, most of us overreact to an encounter and quickly flee. We can likely blame our distant ancestors for implanting this conditioned response.

Risk also has a strong relationship with our emotions, especially fear. A little fear is a good thing, but too much fear often leaves us paralyzed, unable to deal with the risk. Psychologists refer to one of the states of fear overload as "learned helplessness": a state where we perceive that we have no control over the risk and, instead of taking action, do nothing. A parent fears that their teenager is using drugs, but decides not to confront their child because they are reluctant to deal with the associated emotional issues and because they believe the child will refuse to change. By delaying the confrontation, the parent is likely only increasing the level of risk. In addition, the decision not to confront the child is based on the perception that the parent has no control. The teenager may actually be receptive to intervention, but without a clear understanding of what the parent can control, the parent resorts to doing nothing.

One of the primary challenges in assessing Operational Risk is that far too many people take their emotional, haphazard, experience-based risk expertise and apply it in the business environment. We think we are instant experts. We still think we are dealing with snakes even when we walk into the office. Examples:

  • As a security officer you may recommend to the manager of Technology that the business should encrypt the data on all company laptops to ensure customer data is not lost. The manager, already under extreme pressure to deploy a myriad of other technology solutions and to keep expenses under control, may conclude that the deployment of encryption software would require the overhaul or replacement of most of the existing laptops - an expense the CEO would never approve. Unable to control the risk of losing customer data, the manager may fall back on a variation of learned helplessness and reject your request by stating that the risk is not as significant as you make it out to be.
  • An HR employee may need to send a large box of personnel records to the home office using overnight mail. Since every piece of overnight mail that the employee has previously sent has reached its destination, the employee concludes there is minimal risk in just taping up the box, slapping on a shipping label and dropping it off at the mailroom. The reality is that somewhere between one in 50,000 and one in 100,000 overnight packages are lost or destroyed. If you ship only ten or twenty packages a year, the probability of loss is not significant and may lead to a false perception of reliability. But if you are part of a large corporation where thousands of packages are shipped each day, the probability of package loss becomes a very meaningful number. There is a high probability that at least one shipment will be lost on any given day. If the loss of that shipment could cause a significant embarrassment to the business or other form of loss, then every overnight mailing poses a meaningful risk to the company, and the company needs to ensure the employee takes additional steps to mitigate this risk.

How do we address these types of complex risk decisions so that our caveman DNA and fickle emotions do not overwhelm objective reasoning? First, we need to understand risk and then simplify it down to its basic elements. As our understanding of risk improves, our sense of control increases and learned helplessness becomes less of a factor in the decision-making process.

So - Simplify... Simplify...