I'm intrigued by the idea that management is risk management, hence today's blog.
Management primarily involves dealing with possibilities and uncertainties, determining objectives and influencing or guiding things in the preferred directions, driving things along unclear paths towards uncertain goals.
Man-management (or, to be politically-correct, personnel or human resources management) is about herding the organization's cats, guiding and motivating people in order to get the best out of them, gaining their loyalty, productivity and creativity - lots of risks and uncertainties there!
Despite the intent of clear management instructions, policies, rules and directives ("Do this" and "Don't do that", or "Make it so!"), there's a degree of vagueness and complexity in how things actually turn out in practice. In particular, the future is inherently uncertain. Things don't always go to plan, but planning is essential.
On that basis, therefore, managers should be familiar with the concepts underpinning risk and risk management. It's not unreasonable to assume they grasp the basics anyway, hence 'information risk management' should not be entirely alien to any manager.
It’s not all plain sailing, though, as there are differences in the terminology, emphasis and approach in different fields:
- Financial risk concerns the upside as well as downside, opportunities to profit as well as the possibility of loss. The common unit of analysis is currency, hence everything gets reduced to dollars and cents. Volatility is an important aspect, along with systemic risk and dependencies;
- Health and safety risk and environmental risk both concern ‘hazards’ i.e. dangerous situations that may cause physical harm, injury or death, either to individual workers or more broadly to the biosphere;
- Strategic risk concerns big-picture stuff affecting the organization’s overall objectives and survival – existential ‘bet the farm’ risks in some cases – over the medium to long term. Again, it's about risk and reward, taking calculated risks, gambling with a loaded deck;
- Commercial risk takes a wider perspective on supply chains/networks including the relationships with competitors, peers, partners, suppliers, customers etc. and their predicted future actions including responses to our moves and vice versa. It involves collaboration as well as competition and factors such as branding and positioning, products and markets, pricing and profitability, quality and price, creativity and innovation, reliability and dependability ...;
- Compliance risk takes account of the probability of being caught out, hence downplaying or even deliberately concealing incidents is a legitimate (if unethical) approach: it's not just about being "fully compliant"!;
- Privacy risk is myopically focused on preventing the inappropriate disclosure or corruption of personal information, while at the same time using (exploiting!) it for business purposes, a delicate balance;
- Engineering risk is mostly about the laws of physics e.g. how far can we go in terms of reducing material strength, weight, thickness, resilience etc. without breaching safety margins or commercial objectives. It includes comparing and contrasting different approaches such as production methods and techniques, evaluating and choosing between designs, optimization of various parameters for continuous improvement and quality assurance.
Q. Are those differences risks or opportunities?
A. No, they are both - risks and opportunities.
Information risk management can benefit from the different emphases, broadening the scope of analysis. Assembling a diverse team of managers to explore information risks, for example may lead to additional insight and novel approaches, beyond what the information risk and security management professionals alone might achieve - identifying additional risks, perhaps, grouping risks in different ways, altering the priorities or plans for risk treatment. A significant advantage derives simply from involving managers from across the organization, with first-hand knowledge of business situations, pressures and concerns, constraints and objectives. At the same time, the various interpretations and approaches for managing risk may be disconcerting for any participants with narrow perspectives based on years of experience in their fields of expertise ... suggesting the value of first raising awareness across the board, clarifying expectations and spending a little time discussing these aspects when organizing information risk workshops.