Friday, March 3, 2017

What It Means to Accept a Risk



There are four legitimate ways to treat a risk, and one illegitimate way.  The illegitimate way is to close your eyes, block your ears, and ignore it.  The legitimate ways are to avoid it, transfer it to someone else, mitigate it, and accept it.  Of the myriad risks we all face every day, most of the time we accept them.  Canadians accept the risk of earthquake and hurricane.  Tunisians accept the risk of sandstorm and blizzard.  We all accept the risk of spilling our coffee on the way out of the coffee shop. Accepting a risk can be both understandable and acceptable to stakeholders for various reasons:
  • the chance of occurrence is too low to worry about (hurricane in Canada)
  • the likely impact if the threat occurs is low or affordable (spilling the coffee)
  • the cost of taking the next-best alternative is too high or not worth the reduction in risk (a Tunisian cannot afford sandstorm insurance, if there is such a thing, and anyway what good would it do?).

In the context of operational risk in an organization, be it cyber security, disaster, or business continuity, it may be mightily tempting for the risk executive to simply assert to the auditor, “Well, we accept that risk.”

At which point the auditor (or somebody else who must be taken seriously, like a Board member or a regulator) may reply with some pointed questions, like:
  • Who is “we”?  Has this risk been accepted by persons authorized to make that decision? Is there any doubt about that authority?
  • Do you really understand the risk you are accepting? Have you considered the likely impact on the organization if the risk were to materialize?  Have you considered how likely that risk is to be realized over some definite planning horizon? What evidence is there that you’ve considered these things?
  • Have you considered the alternatives to accepting the risk, what they would cost, and what degree of reduction in risk they would give you?
  • When was this decision made? (Not just now, hopefully!)
  • Has this decision been documented, so that there is a record that people can consult later as to the limits of what was accepted, and so it’s clear that this is a conscious, considered and authorized decision?

In other words, the auditor is saying, “Convince me that you really understand the risk you are accepting, and give me enough evidence to evaluate, on behalf of the organization I represent, whether it is reasonable to accept it.” Depending on what is at stake, the support expected for the decision may range from a simple statement in the minutes of an executive meeting to a careful and documented analysis of the risk and the alternatives to accepting it.

Accepting a risk is a legitimate way to treat it, but it is not a free pass.  Your stakeholders may disagree, and then you will need some ammunition to persuade them that your decision is reasonable, or at least to have a productive discussion.

