In part 1 of this series I discussed how to deal with unknowns in performing risk analysis. In this post, I'll cover the problem of "unknowns" from a more strategic point of view: specifically, how to evaluate and communicate the importance of visibility into the overall risk landscape.
A continuum of visibility
Imagine a business environment that includes:
- An application that processes sensitive consumer information
- A database where the data is stored
- Servers and network infrastructure to support all of the above
An environment like this has some amount of inherent risk due to various types of potential adverse events. For the sake of this discussion, we’ll also assume that there are various controls in place to protect the environment from those adverse events.
Now, let’s set up a “continuum of visibility” to draw comparisons between levels of visibility:
- Scenario 1: We don’t know the environment exists
- Scenario 2: We know it exists, but we have poor visibility into one or more risk factors (e.g., control conditions)
- Scenario 3: We know it exists, and we have reasonably good visibility into the relevant risk factors
In each case, the level of actual loss exposure within this environment is what it is. In other words, our level of knowledge/uncertainty about risk doesn’t alter that environment’s current level of risk*. The assets at risk are what they are, the threats are what they are, and the controls are what they are. For the most part, what differs between these scenarios is our ability to do two things:
- Recognize and deal with changes in risk within this environment
- Appropriately prioritize this environment within our broader risk management portfolio
So, although risk within that environment “is what it is” right now, our ability to manage risk effectively — make informed decisions about risk as it changes, and within the portfolio overall — is affected by visibility. This means that our experience of loss over time, due to better or worse risk management, is affected by visibility.
I’m in the process of running some experiments to determine whether there is a tipping point for visibility — i.e., whether at some point in the continuum there are diminishing returns for improved visibility. This could potentially help organizations avoid over-spending on visibility. Stay tuned...
* Actually, a profound lack of visibility can in some cases represent additional loss exposure because of due diligence concerns.