Friday, March 3, 2017

What It Means to Accept a Risk



There are four legitimate ways to treat a risk, and one illegitimate way.  The illegitimate way is to close your eyes, block your ears, and ignore it.  The legitimate ways are to avoid it, transfer it to someone else, mitigate it, and accept it.  Of the myriad risks we all face every day, most of the time we accept them.  Canadians accept the risk of earthquake and hurricane.  Tunisians accept the risk of sandstorm and blizzard.  We all accept the risk of spilling our coffee on the way out of the coffee shop. Accepting a risk can be both understandable and acceptable to stakeholders for various reasons:
  • the chance of occurrence is too low to worry about (hurricane in Canada)
  • the likely impact if the threat occurs is low or affordable (spilling the coffee)
  • the cost of taking the next-best alternative is too high or not worth the reduction in risk (a Tunisian cannot afford sandstorm insurance, if there is such a thing, and anyway what good would it do?).

In the context of operational risk in an organization, be it cyber security, disaster, or business continuity, it may be mightily tempting for the risk executive to simply assert to the auditor, “Well, we accept that risk.”

At which point the auditor (or somebody else who must be taken seriously, like a Board member or a regulator) may reply with some pointed questions, like:
  • Who is “we”?  Has this risk been accepted by persons authorized to make that decision? Is there any doubt about that authority?
  • Do you really understand the risk you are accepting? Have you considered the likely impact on the organization if the risk were to materialize?  Have you considered how likely that risk is to be realized over some definite planning horizon? What evidence is there that you’ve considered these things?
  • Have you considered the alternatives to accepting the risk, what they would cost, and what degree of reduction in risk they would give you?
  • When was this decision made? (Not just now, hopefully!)
  • Has this decision been documented, so that there is a record that people can consult later as to the limits of what was accepted, and so it’s clear that this is a conscious, considered and authorized decision?  

In other words, the auditor is saying, “Convince me that you really understand the risk you are accepting, and give me enough evidence to evaluate, on behalf of the organization I represent, whether it is reasonable to accept it.” Depending on what is at stake, the support expected for the decision may range from a simple statement in the minutes of an executive meeting to a careful and documented analysis of the risk and the alternatives to accepting it. 

Accepting a risk is a legitimate way to treat it, but it is not a free pass.  Your stakeholders may disagree, and then you will need some ammunition to persuade them that your decision is reasonable, or at least to have a productive discussion.


Thursday, February 23, 2017

The Many Ways to Transfer Risk

There are four legitimate ways to treat risk: avoid it, accept it, mitigate it, and transfer it.  If “transferring risk” is thought of at all in cyber security, it is usually about buying an insurance policy.  And in fact cyber insurance is a rapidly growing market, although one with teething problems.  Exactly what losses will be covered, and how will the extent of loss be determined?  Will there be favorable pricing for firms that have a good security program in place, and if so, who will determine the effectiveness of the program a firm claims to have?  What about the moral hazard problem: will insured parties have an incentive to be lax about or misrepresent their security programs?  How will rates be determined, given the carriers’ relative lack of loss data compared to other insured hazards?

Nevertheless, insurance carriers are keen on the opportunity and are developing packages of services that bundle legal advice and incident response with traditional insurance.

There are other ways to transfer risk, some of which look like “buying insurance” in a different guise, and some that look totally different.  Financial institutions and other investors can hedge their investment positions by buying options or other derivative instruments.  Credit default swaps (CDSs) can insure a lender against default by a borrower – assuming the seller of the swap has the financial capacity to cover the default. (Overuse of CDSs, and underestimating their risk, contributed significantly to the 2008 financial crisis.)

A firm can also transfer risk, either partially or totally, to other firms through normal commercial contracts – other than insurance policies.  Many business-to-business contracts include service level agreements or other assurances of a minimum level of quality, sometimes with financial penalties for non-performance.  The seller may have some ability to negotiate service level terms, depending on its market power relative to the buyer.  I will likely not be successful in demanding a 99% on-time delivery guarantee from Amazon, but Amazon may get one with UPS.

Commercial contracts commonly have disclaimers, representations and warranties that protect suppliers from claims by customers. Whether such clauses can be used to protect a firm from cyber security risks depends on who has the market power, but also what is customary and reasonable.  A service provider may get a customer to agree that it is responsible to protect its users’ passwords and network connection points.  More generally, SSAE16 audit reports contain a section on the controls that the service provider relies on the customer to implement.  In other words, “don’t blame me if the controls fail because of something you did.”

Transferring risk using contracts has its limits.  The extent of risk transfer is often limited, either in scope (kind of risk or conditions) or in amount (amount of loss, number of occurrences).  Even if the risk is legally transferred, it may not be practically transferred.  The other party may not have the capacity, financial or otherwise, to absorb the risk.  And even if it does, your firm may experience some degree of loss.  We may agree that you are responsible to protect your passwords, but if an attacker penetrates my network due to your negligence, I still have an incident to manage.  Finally, recognize the difference between the probability that a loss may occur, and the amount of loss if it does occur.  A conventional insurance policy protects the holder against some portion of the loss amount, whereas a supplier’s commitment to a robust security program should reduce the likelihood that a loss will occur at all.

Among the four recognized types of risk treatment, transferring the risk to a counterparty is one that is often overlooked as a management option.  Transferring risk is the sibling of avoiding risk, and a strategy well worth considering.  It is easy to fall into the trap of ignoring these two options if cybersecurity is over-delegated to IT engineers.

Saturday, February 18, 2017

Of Clocks and Systems and Risk Decisions


You probably have had the somewhat jarring experience of glancing at a digital clock and a clock with hands one after another.  The feeling can be a little unsettling, if not mildly irritating.  There’s a good reason why, and it tells us something important about how we make decisions.  What’s going on here?

Suppose a digital clock says the time is 2:42. You probably do a quick mental calculation and think “OK, I have about 20 minutes until my 3 o’clock appointment.”  But if you look at an analog clock, you probably don’t even bother with the minute-level of precision because you immediately have an intuition of how much time is left until 3.   The digital readout demands just a little bit of cognitive effort, while the analog readout is immediately intuitive.  Some analog clocks don’t even have numbers.

Psychologists have discovered that people have two ways of making decisions, called System 1 and System 2.  System 1 depends on experience and intuition.  It is relatively fast, comfortable, and effortless.  System 2 is more like the scientific method. It relies on data gathering, logic, analysis, and cognitive work.  A lot of people do not like System 2 thinking because it is more work.  “I’m not a math person; I go with my gut.”

There is a time for System 1 and a time for System 2.  System 1 is what you want if you are being chased by a bear. You don’t have time for analysis and you have plenty of hormonal intuition about fight or flight. Forget the analysis, run! 

But System 1 can get you into a lot of trouble.  It is bad for investment decisions and bad for deciding when to go to war.  That’s when you need System 2.  Facts, data, analysis, logic, formal models.

In making risk decisions, when should we use System 1 vs System 2?  If the consequences of being wrong are small, and we have good intuition, or we must make an immediate decision, System 1 is probably the ticket.  Otherwise, the effort of System 2 will likely have a good payoff. 

But using System 2 is not necessarily hugely burdensome.  Sometimes a quick back-of-the-envelope analysis, or a moment of reflection, is all you need.  After all, that is what you did in reading the digital clock. You can train for it.


For more on Systems 1 and 2, there is no better source than Thinking, Fast and Slow, by Daniel Kahneman.

Friday, February 10, 2017

Don't Do That!

My CFO’s words still echo after 15 years.  I’ve long forgotten why he said it on any of multiple occasions. But with reflection and more experience, it’s become clear that he was managing risk.

Of the four common ways to treat risk – mitigating, transferring, accepting, and avoiding -- avoiding is often the most neglected.  Yet it may be the simplest, fastest, cheapest, and is undoubtedly the safest. 

There are a few ways to avoid risk.  One is to decide not to engage at all in some activity that exposes you (your critical assets, that is) to risk, especially if there is no upside.  Workplace safety rules are full of risk-avoidance ideas.  Management should consider carefully whether the potential returns of a new venture or strategy are worth the risks.  That requires having a deep and clear understanding of what those risks are.  Many financial institutions that over-invested in credit default swaps learned that lesson the hard way in 2008.  In the field of information security, if your business does not need to have, or benefit from having, personally identifiable information, don’t collect it.

Other ways to avoid risk are to limit the scope or the time duration of the exposure to the threat.  If you must have PII, or there is a big benefit to it, minimize the amount you have.  Minimize the number and diversity of environments in which you keep it.  Keep it out of development and test networks.  Get rid of it as soon as you can. 

Another way to avoid risk sometimes looks like transferring it to another party.  Risk transfer usually takes the form of buying insurance or other contractual arrangements.  In these, there is often a clear price for the transfer of risk.  But it is also possible to avoid risk entirely by defining your business process in a way that lets specialists handle certain parts of it.  You avoid the risk of holding credit card data by integrating your e-commerce site with a payments processor, like PayPal.  That’s their business.  As a consumer, you avoid some kinds of identity theft risk by using a credit card or cash instead of a debit card.

A great way to start the risk decision-making process is to ask, Do I need to take that risk at all?  The answer may well be, Don’t do that!

Thursday, February 2, 2017

Ignorance of the Risk Is No Excuse


A previous note offered a quarterly executive risk review as a simple and pragmatic way to start a risk management program.  A risk review fits naturally into the agenda of the quarterly business review, and it lays a good foundation from which to evolve a risk management program of whatever sophistication and at whatever pace is desired.


The first thing that will come out of the risk review is, “What do we do now to manage our top risks?”  A future note will explore the four general methods of treating risk.  But first we’ll look at the pros and cons of willful ignorance.

There may be a strong inclination to turn a blind eye to some risks.  You may feel that there are some things you do not want to “know” – in quotes because of course you are aware, but you do not want evidence to be created that could come back to haunt you.  Somebody could find that document and require you to address the risk, or worse accuse you of negligence, because there is evidence that you knew of a risk, or should have known, and did nothing about it. 

Management can take a willful-ignorance approach.  But let’s look at the balance sheet. 


There are a few points on the plus side. The executive may have plausible deniability for a time, and gain some time to address many other pressing issues first.  She or he may even get away with doing nothing indefinitely.  In a fledgling enterprise, the executive may calculate that it is more important to establish that the business is viable than to manage certain risks.  If there is no business, risk doesn’t matter.

There are more points on the minus side.  The trend in the investment, risk management, and regulatory environments is toward less patience with ignorance of risk.  All risk management frameworks require regular executive review of risk.  It is an important part of corporate governance.  Big customers and regulators will demand a risk management program.  Investors too want to understand their risk before committing funds to your enterprise, and cyber risk is now prominent in everybody’s awareness.  Especially bankers!

Furthermore, it may not make good management sense to ignore a risk.  Most risks do not get better with time, and some can blow up to jeopardize the very existence of the company.  Imagine a breach of confidential data just when you are trying to sign that first marquee customer.  Finally, there is value in being able to sleep at night, and knowing what your problems are is better than worrying about what they may be.

Turning a willful blind eye to a risk -- “rejecting” it -- is not the same as knowingly accepting a risk, which may be the best way to treat it.  It is management’s decision whether to treat or reject a risk, but rejecting is not a winning strategy in the long run.

Friday, January 27, 2017

The Executive Risk Review
If this sounds like Management 101, it is.  It is the same kind of management control system that is used to manage financial metrics.  The only thing that might be new is applying the idea to risk. 

Meeting the demands of key customers and regulators to manage cyber risk is yet another challenge for the executives of small and medium businesses.  As if you needed one more thing to worry about, along with revenue, product, and cash flow!  Yet it is possible to make a credible, practical, and above all useful start on managing cyber risk without breaking the budget or getting mired in endless detail.  A simple way to get started is with a quarterly risk review.  Here is how to go about it -- without buying a Lexus when all you need is a Corolla.  This will work for any organization, whether a business or not, that is big enough to have quarterly business reviews.

Simply this:  add a risk review to the standing agenda of the quarterly business review.  A risk review addresses three basic questions:
  • What are the most important risks facing the company in the next 12 months?
  • Are these risks acceptable to management and the owners, given our current circumstances, or should we be doing something to manage those risks better?
  • What action should we now take to manage our top risks better, and what progress have we made in actions previously agreed?  Who will take responsibility to do them, and when should they be complete?  How will we know if they have been effective? 

As management exercises its judgment about what the most important risks are and what to do about them, it is automatically setting risk management priorities.

Despite its simplicity, this approach has much to recommend it.
  • It makes management think consciously about risk.  That is the first step in managing it.
  • It establishes a recurring and repeatable routine.  That lays the groundwork for bringing almost any risk into acceptable bounds.
  • It results in decisions and actions, so it gets things done, in priority order.
  • It is a structure that can be matured over time to any level of sophistication.  Soft words like “important risks” can be made more objective and quantified.
  • It is very efficient, a good use of scarce executive time, once the cadence is established.
  • It shows that management is paying attention to risk.

“Paying attention” deserves some elaboration.  Sooner or later a key stakeholder will insist on having assurance that management understands its risks and is managing them.  Stakeholders include the board, current and prospective investors, key customers, regulators, and auditors.  To credibly assert that, “Yes, we do know our risks, we review them regularly, and we take appropriate action to manage them,” you can do a few simple things to create the auditable evidence that your stakeholder will expect or insist upon.
  • Put “risk review” formally on the agenda of the meeting.  (Every business review should have a written agenda.)
  • Prepare a simple two-page “risk report” ahead of the meeting and discuss it.  It can even be an email to the management committee.  The CFO, VP Finance, or CIO might be responsible to prepare it. 
  • Document the results of the risk review in the meeting minutes.  (Yes, have minutes!)  This can be as terse as a note that risks were reviewed and certain actions were assigned.  Cite the risk report and say it was reviewed.

The secretary of the meeting, who could be one of the participants or an administrative assistant, should be responsible to collect, organize, and preserve these documents, so that they can be audited later.  All documents should be dated and bear evidence of having been distributed to relevant executives, such as by email.


Another note will get into what a risk report should have.

Friday, January 20, 2017

Overcoming the Cyber Security Hurdle for SMBs

You have a brilliant concept for a new product or service.  You’ve gotten funding and created the core of a great team.  To see your dreams become reality, you willingly pay the price of 80-100 hour work weeks.  But sometimes it seems the rule-makers are doing everything they can to get in the way.  This time it’s cyber security.

Finally, you have your first big customer lined up, and here comes their due-diligence team.  They send you a questionnaire with hundreds of items about cyber security, backups, disaster recovery, encryption, and myriad other arcana. It is a sobering moment.  Your customer takes this seriously because they’ve been whacked by their regulators after a nasty and all-too-public data breach.  The information risk management folks are in no mood to compromise, having gotten the word that if there’s another breach heads will roll. 

What does it take to satisfy IRM and win the business?  All it takes, it seems, is answering Yes to 400 detailed questions like “Do you do background checks on all employees?” and “Do you protect all your critical data with strong encryption?” – most of which you have never thought about before.  On top of that you “must have” certification of your security controls by an independent third party, like a SOC2 or ISO 27000 audit.  Then you learn that the next customer has its own requirements.

It’s enough to drive one mad.

You need a strategy to address this big new business risk, and quick!

In a series of notes like this one, I’ll give the small-medium business executive some practical tips on how to meet these challenges in a rational, businesslike way – without going either broke or crazy.  What is easily lost in the technical minutiae and, lately, the fear, uncertainty, and doubt about cyber security, is that managing cyber risk boils down to the same basic management principles you use in the rest of your business.  My aim is to show you how to apply those principles in a simple and intuitive way, so you can focus on growing your business.

The first step is to know your risks, and that will be the next topic.