Friday, February 10, 2017

Don't Do That!

My CFO’s words still echo after 15 years.  I’ve long forgotten why he said it on any of multiple occasions. But with reflection and more experience, it’s become clear that he was managing risk.

Of the four common ways to treat risk (mitigating, transferring, accepting, and avoiding), avoiding is often the most neglected.  Yet it may be the simplest, fastest, and cheapest, and it is undoubtedly the safest. 

There are a few ways to avoid risk.  One is to decide not to engage at all in some activity that exposes you (your critical assets, that is) to risk, especially if there is no upside.  Workplace safety rules are full of risk-avoidance ideas.  Management should consider carefully whether the potential returns of a new venture or strategy are worth the risks.  That requires having a deep and clear understanding of what those risks are.  Many financial institutions that over-invested in credit default swaps learned that lesson the hard way in 2008.  In the field of information security, if your business does not need to have, or benefit from having, personally identifiable information, don’t collect it. 

Other ways to avoid risk are to limit the scope or the time duration of the exposure to the threat.  If you must have PII, or there is a big benefit to it, minimize the amount you have.  Minimize the number and diversity of environments in which you keep it.  Keep it out of development and test networks.  Get rid of it as soon as you can. 

Another way to avoid risk sometimes looks like transferring it to another party.  Risk transfer usually takes the form of buying insurance or other contractual arrangements.  In these, there is often a clear price for the transfer of risk.  But it is also possible to avoid risk entirely by defining your business process in a way that specialists handle certain parts of it.  You avoid the risk of having credit card data by integrating your e-commerce site to a payments processor, like PayPal.  That’s their business.  As a consumer, you avoid some kinds of identity theft risks by using a credit card or cash instead of a debit card. 

A great way to start the risk decision-making process is to ask, Do I need to take that risk at all?  The answer may well be, Don’t do that!
