Let me be somewhere in the middle of the long line of bloggers to welcome Chris Hayes to the Risk-o-Drome. I’m sure he’ll be an interesting part of the never-ending conversation on risk.
He’s started off with the age-old question, “What is Risk?”
But it wouldn’t be an interesting blog post if I didn’t find something to take issue with, so here it is:
A loss form needs to be quantifiable in the form of money if you want to justify the cost to mitigate it.
I’m not sure that’s necessarily true. Oh, it is if you’re trying to emulate a financial institution, where quants are the nerdy but nevertheless STuDly backbone of the risk management department, but I tend to believe that many executives’ eyes glaze over when you’re trying to walk them through the contortions needed to squeeze some quantifiable numbers out of what started out as a qualitative IT security assessment.
Yes, I remember Jack Jones’s canonical story about being asked by a CFO, “How much risk do we have?” But that was a CFO (IIRC—right, Jack?), and they’ve got a big hammer that they’re used to using, so of course they want you to bring them nails. And it did prompt Jack to develop this lovely risk assessment taxonomy and model that can get you awfully close to using lots of pretty numbers. But I’m just sitting here, imagining trying to hold a FAIR conversation with anyone else on my executive team that was, say, longer than two slides, and I suspect I’d lose them. They might think about financial risk that way, but they don’t think about security risk that way. And I’m not sure that they should have to.
How do you put a price tag on a bunch of primary or secondary loss events, only a few of which actually translate into dollars? You can estimate productivity loss, replacement costs, legal costs, and fines. You might think you could do stock price, but if you could guess which way the wind EVER blows on that one, you’d already be rich. If the studies are to be believed, you can’t even count on losing customers in the wake of a security breach. Once you get into the realm of how much your boss will hate to see his name in the papers, you really can’t get back to quant-land from there, and neither can he.
What’s more, people using slides tend to focus on the “someone breaks in and steals SSNs” scenario, which is easier to cost out in terms of loss than other types of breaches. You’ve also got scenarios like the mayor’s steamy text messages being published, which everyone would agree is bad enough to want to avoid, but everyone will assign it a different amount of badness relative to what they personally are willing to spend to avoid it. And what they are willing to spend to avoid it varies widely based on how much money they have to start with. I just don’t think this is an equation that can be worked out.
Because real-life risk decisions are based on the culture in your organization, the risk appetite and tolerance of your leaders, the industry, the spending patterns, and even whether you’re public or private sector. I’ll be willing to bet a lot of Patron that if you gathered a bunch of organization heads and gave them the same odds of a particular loss event, gave them the same dollar estimates for the quantifiable loss, and asked them whether they’d be willing to spend the same $100,000 to reduce the risk to the same number—I’ll bet they would give you different answers, ranging from “Sure, here’s a check” to “Are you crazy?”
If organization A is only willing to spend up to $10,000 to avoid the same loss that organization B is willing to spend $100,000 to avoid, then do these numbers really have any meaning any more? Especially if the loss is in face? I just don’t think you can call it a tradeoff—spending one number to avoid losing another number. (Okay, okay, as the first number approaches the second, you’re going to see a dropoff in willingness in any case. But again, that’s assuming your second number really quantifies all the loss.)
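The thought experiment above can be run as code: the same loss-event odds and the same dollar loss, but different answers once each organization's willingness to spend enters. The following is an added illustration, not part of the original post and not Jack Jones's or FAIR's own tooling. It borrows only FAIR's basic structure (annual loss is loss-event frequency times loss magnitude per event) and a Monte Carlo simulation to estimate expected annual loss before and after a mitigation; every number, the triangular ranges, the "control halves the frequency" assumption, and the per-organization "spend ratio" (dollars an organization will spend per dollar of expected annual loss avoided) are constructed for the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """FAIR-style inputs, all constructed for this example.

    lef:       loss event frequency per year as (low, mode, high)
    magnitude: dollar loss per event as (low, mode, high)
    """
    lef: tuple
    magnitude: tuple


def _poisson(rng, lam):
    # Knuth's method: number of events in a year given an annual rate.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def expected_annual_loss(scenario, years=10_000, seed=1):
    """Monte Carlo estimate of expected annual loss (dollars/year).

    Each simulated year draws a frequency from the triangular range,
    a Poisson event count at that rate, and one magnitude per event.
    Note Python's random.triangular takes (low, high, mode).
    """
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = scenario.lef
    lo_m, mode_m, hi_m = scenario.magnitude
    total = 0.0
    for _ in range(years):
        rate = rng.triangular(lo_f, hi_f, mode_f)
        for _ in range(_poisson(rng, rate)):
            total += rng.triangular(lo_m, hi_m, mode_m)
    return total / years


def with_control(scenario, frequency_factor):
    """The control scales loss-event frequency (e.g. 0.5 halves it)."""
    return LossScenario(
        lef=tuple(f * frequency_factor for f in scenario.lef),
        magnitude=scenario.magnitude,
    )


def decide(mitigation_cost, annual_loss_avoided, spend_ratio):
    """spend_ratio is the organization's appetite: dollars it will spend
    per dollar of expected annual loss avoided (a constructed knob, not
    a FAIR quantity). 1.0 is pure expected-value reasoning."""
    return mitigation_cost <= spend_ratio * annual_loss_avoided


def compare_organizations(scenario, control, mitigation_cost, appetites):
    """Same odds, same dollar loss, same $ to spend: one answer per org."""
    baseline = expected_annual_loss(scenario)
    mitigated = expected_annual_loss(control)
    avoided = baseline - mitigated
    return {
        name: decide(mitigation_cost, avoided, ratio)
        for name, ratio in appetites.items()
    }


# Constructed scenario: a breach 0.2 to 1 times a year, most likely
# every other year, costing $50k to $1M per event, most likely $200k.
SCENARIO = LossScenario(lef=(0.2, 0.5, 1.0), magnitude=(50_000, 200_000, 1_000_000))
CONTROL = with_control(SCENARIO, 0.5)        # assumed: halves frequency
MITIGATION_COST = 100_000                     # the same $100,000 for everyone
APPETITES = {"Org A": 0.1, "Org B": 2.0}      # "Are you crazy?" vs "Here's a check"


if __name__ == "__main__":
    print(f"baseline expected annual loss: ${expected_annual_loss(SCENARIO):,.0f}")
    print(f"with control:                  ${expected_annual_loss(CONTROL):,.0f}")
    for org, yes in compare_organizations(SCENARIO, CONTROL, MITIGATION_COST, APPETITES).items():
        print(f"{org}: {'fund it' if yes else 'decline'}")
```

Running it shows the point of the paragraph above: the quantitative part (frequency, magnitude, avoided loss) is identical for both organizations, and the decision flips purely on the `spend_ratio` appetite, which the simulation cannot supply.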
So I don’t think it’s always necessary to quantify a loss in order to justify spending to mitigate it. We don’t quantify our pleasure in a new car to justify spending money on it. We don’t quantify our fear of having our child flunk out of school to justify spending money on a tutor. There is a wide world of loss out there that can’t be quantified, and I’m cool with that. What matters is the building blocks your executive wants to use to make his risk decisions, and whether they’re dollar figures, colors, or Venn diagrams, you’ll need to make an effort to supply them. Otherwise you won’t have the communication that is so necessary between you and your bosses—and you sure won’t get your spending money.