In this note, I’ll dissect and expose exactly is meant by making a decision among risky alternatives, and what we should expect the management of an organization to be able to do in making these decisions.
In a previous note, I proposed the following definition:
Risk Decision. A decision by the leadership of an organization to accept an option having a given risk function in preference to another, or in preference to taking no action. I assume that competent leadership of any organization worth its pay can make such a decision, at the appropriate level of seniority.
The term is shorthand for a decision between alternatives, at least one of which has a probability of loss. (Usually in cyber risk we are concerned with losses, but all the ideas extend naturally to upside or opportunity risk. Few people and fewer organizations take on risk without some expectation of advantage, if only cost avoidance.)
The definition depends on the idea of a risk function (AKA “the risk” of something) as:
The probability distribution of loss magnitudes for some stated period of time, such as one year. This is what I think most people really mean when they speak of the “risk” of something.
The risk function is exactly the result of a FAIR analysis of a scenario.
I like to think of the risk function in terms of its loss exceedance curve, the probability distribution that a particular loss magnitude will be exceeded, for the given time frame, as a function of the loss magnitude. The nearby graphic illustrates two possible loss exceedance curves for a “before” and “after” assessment of an investment which is supposed to reduce risk.
These curves are the final quantitative result of a risk analysis of a particular scenario. The decision problem is whether to invest in the control or not. (It may be a web application firewall, for instance.) The analysis says, for instance, that investing in the control will reduce the chance of annual loss greater than $40K from 95% to 20%. Sounds pretty good!
Of course there is more to it. Management needs to know how much the control will cost. Costing out a control, including recurring and non-recurring costs, cost of capital, staff support, all in, is a well-established discipline compared to risk analysis, so let’s assume it has been done. Suppose the price tag is $20K. Management has to decide if the reduction in risk is worth the cost.
There has been much agonizing in the literature about how a rational actor can consistently choose among risk functions. The most prominent approach is Von-Neumann-Morgenstern utility. Its main result is that, given any risk function, a rational actor can assign a number with his personal utility function such that more-preferred risk functions always have higher numbers than less-preferred ones. It’s a nifty idea but an impractical result for several reasons. For one thing, it turns out to be hard to estimate a person’s utility function. And if it’s hard for the average person, you will not get many a CEO to sit still for the exercise. For another, risk decisions, especially big ones, are often made jointly by multiple stakeholders, like the CIO, CFO and CEO, for good reasons. Getting a utility function for a committee is even harder. Finally, senior managers have an understandable need to “do a gut check” and personally engage with big decisions. They are not going to delegate the decision to a formula, nor should they.
So I assume that, given two risk functions, leadership can and will know which they prefer. Making risk decisions is what they are paid to do. This is the reason for my definition of a “risk decision.”
The definition has some immediate implications. The first is that through a series of pair-wise comparison leadership can set any set of risk functions in order from most-preferred to least-preferred. On one end, the reaction is, “This is great! Where do I sign?” At the other it’s “Over my dead body.” In between there is a zone of indifference where management thinks “I don’t really care one way or the other.”
Next, having in principle ranked a bunch of risk functions, management will say that there are some I just would not choose if I had the option not to. So there is a notion of “this far and no further” in the pursuit of our goals. This is the basis of the definition of:
Risk Appetite. The worst (least-preferred) set of probability distributions of loss magnitudes that the management of an organization is willing to voluntarily accept in the pursuit of its objectives.
In other words, in our ranking scheme, these are the ones just a little better than unacceptable, if we have a choice.
But what if management doesn’t have a choice? Threats can be discovered that we would not actively accept in the furtherance of our objectives. Some we can live with even if we prefer not to. The worst (least-preferred) risk functions that we are willing tolerate if imposed upon us leads to:
Risk Tolerance. The set of least-preferred probability distributions of loss magnitudes that the management of an organization is willing to accept when presented with them involuntarily.
Risk Tolerance is by definition greater than (includes more probability distributions of losses) than Risk Appetite. The key is involuntariness. (Risk Appetite and Risk Tolerance are often used interchangeably in the literature, but I think the above definitions show a useful distinction.)
So we have three sets of risk functions: those we are willing to choose in pursuing our objectives, those we are willing to accept but not opt for, and those we cannot abide. And within those sets there may well be ones that we have about the same preferences for even if their risk functions differ.
What if a loss exposure (aka risk function for a scenario) is discovered that is worse than our risk tolerance? Well then it is by definition intolerable and we have to do something to mitigate or avoid it. A threat of this nature is almost by definition an existential threat to the organization – it threatens the ability of the organization to achieve its goals or perhaps even survive. But that’s another topic: business continuity planning.
This blog was originally posted on LinkedIn.
