Far too many organizations approach their risk management operations using phrases such as “That risk feels high to me...” Since the end result of a risk assessment involves the assignment of a verbal risk label, those not practiced in quantitative risk management focus on the output and not the input, to their detriment.
Such practice makes them more like a “risk therapist” than a risk analyst, giving their opinion of the state of affairs without checking that their biases have been appropriately managed.
In fact, many who practice risk this way will enlist others in their conceit. Risk ratings are justified by statements such as “We discussed it and agreed the risk is high.”
Dr. Jack Freund is Director, Cyber Risk, at TIAA and co-author with Jack Jones of Measuring and Managing Information Risk: A FAIR Approach.
According to Psychology Today and TalkSpace, there are some attributes that make one a good or bad psychotherapist. Among the negative traits are a few that stood out to me as applicable to those attempting to practice risk as a “therapist”:
- Not listening or responding
- Judging you
- Telling you what to do,
- Imposing their beliefs, and
- Rushing a diagnosis.
Conversely, good therapists are able to
- Employ a sophisticated set of interpersonal skills,
- Engender trust,
- Provide explanations and adapt as circumstances change,
- Provide consistent treatment plans that adapt to the client’s characteristics, and
- Rely on the best research and evidence.
How often in your experience have risk management teams applied their own view of what is risky to a scenario without being able to support the argument with anything more than their stories from previous companies (a practice I call ‘Risk Palimpsest’)? Such risk managers rush a diagnosis of “risky” by telling you what to do and imposing their belief of what is risky or not onto an organization. Further, they employ head shaking, shame, and disbelief when an organization decides not to heed their warnings.
Contrast that with a more quantitative approach to risk management using the FAIR model. By articulating risk as a product of probable loss frequency and magnitude, we can surely explain our risk “diagnoses” and even adapt them as circumstances change (such as the application of additional controls or changes in the business landscape). Such results are consistent, defensible, and reproducible; different analysts can review the same set of circumstances and come to the same conclusions. Gone is the “risk management by personality” approach and the chaos that such management style triggers when leadership changes.
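As an added illustration (not code from this post or from the FAIR Institute), the following Python sketch carries the FAIR decomposition through a seeded Monte Carlo run: threat event frequency times vulnerability gives loss event frequency, which times loss magnitude gives annualized loss, and changing a single control estimate re-derives the “diagnosis” rather than re-arguing it. The estimates are constructed sample values, and a triangular distribution is assumed in place of the PERT curves typical FAIR tooling uses.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated (minimum, most likely, maximum) range for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: a triangular curve stands in for the PERT distribution FAIR tools use.
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class Scenario:
    tef: Estimate             # threat event frequency, attempts per year
    vulnerability: Estimate   # probability an attempt becomes a loss event (0..1)
    loss_magnitude: Estimate  # primary plus secondary loss per event, in dollars

def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> list:
    """Annualized loss for each Monte Carlo iteration (LEF x LM, per FAIR)."""
    rng = random.Random(seed)  # fixed seed: any analyst reproduces the same output
    losses = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        losses.append(lef * scenario.loss_magnitude.sample(rng))
    return losses

def summarize(losses: list) -> dict:
    """Mean annualized loss and the 90th percentile, the figures leadership usually asks for."""
    ordered = sorted(losses)
    return {"mean": statistics.fmean(ordered), "p90": ordered[int(0.9 * (len(ordered) - 1))]}

# Constructed sample estimates (not real data): credential phishing against a customer portal.
BASELINE = Scenario(tef=Estimate(20, 40, 80),
                    vulnerability=Estimate(0.05, 0.15, 0.30),
                    loss_magnitude=Estimate(50_000, 150_000, 600_000))
# Same scenario after adding phishing-resistant MFA: only the vulnerability estimate changes.
WITH_MFA = Scenario(tef=BASELINE.tef,
                    vulnerability=Estimate(0.005, 0.02, 0.05),
                    loss_magnitude=BASELINE.loss_magnitude)

if __name__ == "__main__":
    for name, scenario in (("baseline", BASELINE), ("with MFA", WITH_MFA)):
        s = summarize(simulate(scenario))
        print(f"{name:9s} mean=${s['mean']:,.0f}  p90=${s['p90']:,.0f}")
```

Because the seed is fixed and every input is a documented range, a second analyst handed the same estimates gets the same numbers, which is the reproducibility the paragraph above describes.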
The final positive attribute about having and following evidence is a critical one for risk managers. Good data is all around, even when you don’t think you have any. Use this data combined with formal, validated models to build a more mature, trusted risk management program in your firm. As a FAIR practitioner (and I'd encourage you to join the FAIR Institute), you are tapping into the best research and thought leadership around IT and cyber risk management available. With the advent of FAIR, you can still be a risk therapist but no longer one who has to manage risk by feelings. You can evolve your risk management practice into being a trusted partner who aids an organization in resolving its problematic issues through evidence-based management.