There’s a pretty big divide between “risk managers” and people who actually take risks about the whole “risk and opportunity management” vibe at the heart of ISO 31000 and everything related to it—including SABSA. We spend time in the Foundation course talking about you need to have a balanced view of risk, and without taking risk, it’s impossible to seize or exploit opportunities.
This is true…as far as the words go, but, like most things:
The devil’s in the details (and the execution).
Every time I hear someone talking about “the upside”, for some reason I’m instantly transported back to the time I first watched Monty Python’s Life of Brian at my friend Kevin’s house when we were kids.
“Some things in life are bad
They can really make you mad
Other things just make you swear and curse.
When you’re chewing on life’s gristle
Don’t grumble, give a whistle
And this’ll help things turn out for the best…
And…always look on the bright side of life…
Always look on the light side of life…”
Don’t forget to whistle indeed.
However, the way people tend to think about the “upside” of risk is normally almost as misguided as singing a jolly old song when you’ve been sentenced to die a slow death by dehydration and starvation while the wind whistles softly through your dry, dust-filled hair.
In the movie, we laugh, because the juxtaposition is the whole point of comedy.
In the real world of risk assessments, getting this wrong gives you a false sense of complacency that could potentially have some pretty dire consequences.
The reality I see in my work with risk and security professionals, in the courses, consulting, mentoring – and even in random conversations over pints – is that most organizations still do a really, really bad job in identifying, quantifying and managing their traditional or downside risks.
I mean, really, really bad.
So, if you come to someone and say, “Look, Johnny, you need to think about both risks and opportunities when you’re doing this, because they’re connected.”
What happens is poor little Johnny’s head explodes, because you’re asking him to do more than he could do originally—further reinforcing any fears of inadequacy and imposter syndrome he already has. And, if this whole COVID thing has taught us anything, it’s that when we’re scared, stressed and anxious…
…it’s pretty damn hard to make good decisions—about risk or whether you’ve already turned off the oven.
The danger with the way “taking a balanced view of risk” is often interpreted is that for every downside risk, you need to find the upside of that downside risk. That there’s a yin and yang kinda vibe going on, so you see things like:
The risk of me jaywalking to get the coffee I mentioned yesterday is that I won’t see the truck coming, and I’ll end up in the hospital.
The opportunity of me jaywalking to get the coffee I mentioned yesterday is that I have the opportunity to see and avoid the truck that ran the red light so I can avoid ending up in the hospital.
Of course, this is a bit contrived, but I have seen this kind of thing before.
So, what’s the problem?
The problem is that if we’re trying to find the “opportunity” in the downside risk, e.g., the threat, then we’re missing the point.
Yes, businesses take risk so they can capitalize or realize opportunities, but those opportunities are – at least from the business perspective – the objectives they had in the first place.
The realization of the opportunity is the objective they want to achieve.
In the example above, getting the coffee is the objective. And that objective is a means to an end of some larger strategy.
How long it takes me to get that coffee may or may not have an impact on the bigger picture objective, so there’s surely an opportunity to be next to certain that I don’t get delayed by 6 weeks being in the hospital because I broke my pelvis (or end up dead) by taking longer to achieve that intermediate objective.
Or, I might want it quicker because I need to make sure I’m both alert and on time for the meeting where we sign the big contract that ensures my organization’s future success.
It’s the context that matters.
True opportunities are a lot more subtle to articulate and relate to the architecture we’ve engineered than it looks on paper, so, heretical as it might sound, I think you can’t really even consider taking the balanced view of risk the way most people understand it…
…until you figure out how to properly understand and deal with “downside” risk, or, as the business executives consider it, “just risk.”
While this may seem to contradict what I said yesterday, you don’t establish context through complicated risk scenarios. You establish context for making risk decisions through understanding the context in which the entities making those decisions operate.
And that, uncoincidentally, leads us back to Principle 2 of The Agile Security System™:
Understand the worlds of your customer.
Because if you don’t have that understanding…and you don’t have it articulated in a way you can communicate, validate and use so you don’t get lost in the complexity of the problem you’re trying to solve…
…then you might as well save your mental CPU cycles for thinking about how you’re going to build Lego spaceships or race cars with your children…
…or what you’re going to cook for dinner…
…or wondering how long it’ll take someone to launch a COVID lockdown version of Big Brother to give people an outlet so they see their current situation isn’t nearly as bad as what they see on TV.
Now, on the other hand, if’n you’d like to figure out how to properly integrate risk into architecture so you build the skills and understanding so you CAN eventually look on the bright side of life without getting your loincloth in a twist, you’ve still a few days to make sure you’re subscribed to the print Security Sanity™ newsletter where I talk about the right way to do it.
Here’s the link:
Apart from everything else I said above, given that most of us are simply confined with our loved ones, friends and family (who may or may not tick all the above boxes) rather than tied to a cross in the middle of nowhere, it’s ok (and absolutely necessary) to “look on the bright side” and appreciate the things you have and can do because you’re healthy and safe—even if you’re ready to get out the duct tape and rope to tie people down so you get some peace and quiet. (Not that this thought has ever crossed my mind…er…nope. Not at all. Ever.)
We all need to do whatever we can to get through this mess and come out the other side. Because it’s pretty clear that there’s gonna be a whole heap of work to do once we’re able to actually go out and do it so we can shape the post-COVID-19 world into whatever we want it to be.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
