Nov 11 2012

Roasted Brined Turkey

Much credit must go to Alton Brown for his great suggestions. He opened my eyes to brining and the wonders of sauce and not jelly. He has a website of his own at Altonbrown.com. I will be trying something different this year though with just salting instead of a brine. Some interesting new information has come out about why brining helps so we’ll see how it goes.



Oct 1 2011

Identifying Risks Part 1

We started last week with a simple example of the overall process and description of risk management. In the prior example I gave you the risk that we wanted to focus on, but never went through the process of identifying all the risks that would be associated with the task (or mission or project).

What is the task or mission?

This may seem obvious, but knowing the mission makes a big difference in the risks you will ultimately evaluate. Focusing on the wrong goals will waste time and could lead to mitigating the wrong risks. In addition, the task will help you identify your stakeholders.

Stakeholder is a big word for whoever cares about the task. This could be as small as an individual or as large as a group numbering in the hundreds. Stakeholders will be useful in identifying risks, as they are the ones who will be impacted by failure of the task.

In our running example, the obvious stakeholders are you and your boss. Beyond those you might want to expand the circle a bit. Maybe include your family, coworkers, and clients. If you expand the circle extremely wide you could include your fellow commuters. At some point you do need to decide which of the infinite number of possible stakeholders actually have enough of a reason to care, as you won’t be able to track them all.

By this point, you’re probably wondering what all this has to do with identifying risks. These first two pieces are important in bringing the right people together to help out. Identifying risks works better when you have multiple minds involved. Everyone has their own biases as to what counts as a risk and how severe it is. The intent of involving multiple participants is to average out these biases and help develop a consensus view.

Next time we’ll look at some of the techniques you might use in these groups to facilitate risk identification.


Sep 15 2011

What is Risk Management?

The first thing I want to stress is that risk management is something that we all do every day of our lives. There are varying degrees of this process, and some people are not even aware they are doing it. The most obvious example that most of you are familiar with is purchasing insurance. Insurance is actually a method of risk transference, but we will get to that later. The amount of coverage you get, your deductible, and various restrictions are all risk management decisions that you make. Effectively, what I am mostly doing in the office is this on a larger, formalized scale.

Everything we do, every day, has some measure of risk in it. How we respond to each risk is different. What we want to try to do is gather the information related to each risk and come to some agreement as to the response. For yourself this is usually a simple exercise. Even at a family level the decisions are not usually that fraught with difficulty. Expand this to an organization involving thousands of stakeholders, and it becomes more like herding cats.

Let’s start with a scenario that commuters are familiar with. Your boss wants you at work by 9am. You live about 30 minutes away. When do you leave the house? I’m sure we all make these decisions quite readily and without putting a lot of thought into it. But for this exercise let’s break it down by asking a few questions.

  1. What is the impact of being late?
  2. What is the likelihood that you’ll be late?
  3. What can I do to avoid being late?
  4. How much does it cost to not be late?

What is the impact if you’re late? Basically, what’s the penalty? The answer probably depends on your boss, your schedule, and how late you are. If you had a meeting scheduled first thing, that would probably be a bigger problem than if you had a one-hour buffer.

In a given month (20 working days) how many times are you late? Is there generally a lot of traffic so the commute takes longer? Maybe you take the train and it is almost always on time. Even when the train is late you never end up more than 10 minutes late.

Next we are asking about what you can do to not be late. We call this a mitigation strategy. The obvious one is to leave earlier. But let’s think broader. Maybe you could move closer, or change the mode of transportation you use (helicopter?). Could you adjust your expected arrival time?

The last question is extremely important. For the options you come up with above what is the cost of doing it? Leaving earlier probably doesn’t cost much, but think about the value you place on time, or maybe taking an earlier train costs more because of peak pricing. Renting a helicopter could be really expensive, but maybe moving closer is ultimately cheaper (less gas, lower taxes …). I would also consider the opportunity cost of leaving earlier or buying a helicopter. Leaving sufficiently early may mean you can’t eat breakfast, or take your kids to school.

After you go through and look at each of these questions you can now compare the cost of being late to the cost of being on time. This is a very important point about why we do this. There is a cost associated with any option you choose. Ideally you are now able to balance the cost of being late and the costs of being on time and decide on the best time to leave the house or potentially completely change the options you have. You could choose a short-term plan and a long-term solution as well.

Working through this example probably took a lot longer than the decision you actually make every single day. But effectively this is what we do when evaluating risk and trying to manage it. Most of what I do is managing risk related to IT infrastructure, but again, the concepts here extend to just about any other field.

Something I do want to clarify before finishing today is that risk management is not the same as compliance auditing. In my opinion compliance auditing is a mindset and a process born from our desire to make checklists to reduce deviation. This is a well-intentioned process, and it is very effective in some situations. When we overuse checklists, though, we often stop thinking about the reason for the rules, and when something goes wrong we blame the checklist. Taking away flexibility and the ability to think keeps us from creating effective, efficient solutions and leads to sub-optimal results. This is why I focus on risk management and not just pure compliance. Risk management allows adults to make decisions based on a variety of factors.


Sep 8 2011

Discussions on Risk Management

Over the years I have tried to work on ways to explain to people what I do at my job and my blog seemed like a good avenue to carry out a number of goals that I have for myself. One obvious goal is to communicate better. I’ve never been a great writer, but from everything I’ve seen, the only way to get better at writing is to do it, and have people critique you. So, I’m going to put these up and maybe some of you who are better writers can help me get better.

Another goal is to get better at explaining things in common language. People in my industry and every other industry have a habit of communicating with everyone the same way. We expect everyone to understand our jargon, use the same language, or think the same way. Obviously that doesn’t work. Even some people in the same field can have differing terms for the same thing. I cannot even count the number of disagreements I have had with team members that resulted from differing definitions of the same terminology.

Finally, this is also a learning tool for me. I have always found it easier to learn something when I am ultimately required to teach it. If I have to teach these topics in this forum, there is a hope that I will better understand what I need to know to begin with and get better at my job. Since my primary job is currently focused on managing a team of security analysts, I am going to focus these posts on Security and Risk Management. Most of my examples will come from the information technology or information assurance field, but they apply to other areas such as physical security, finance, and personal decision-making.

Today’s post is just an introduction for my plans. I am hoping to keep to a plan of posting something new every week. If no one ever reads this stuff and recommends topics I’ll just use whatever random topic comes up that week. Who knows how long I will keep this up, but if I can get 25 solid posts in the next year I’ll be pretty happy. So the planned first topic for next week will be an Introduction to Risk Management, where we will go into some basic terms and concepts to set the groundwork. The intro may end up spanning two or three posts. After that I definitely want to talk a little about the book on security convergence that I’m reading now.


Sep 5 2011

Funny SPAM comments part 1

When you allow reader interaction on a blog or forum you will inevitably get SPAM comments. On WordPress I am using a plugin called Akismet that does a pretty good job of catching the SPAM. I read through them once in a while and thought it would be funny to include some of the comments. It’s amazing how ridiculous some of them are, while others are pretty well crafted.

No one has ever said my writing is elegant and graceful.

Your artical is simple however retains a little elegance and also grace. And using the options and also customization you’ve got enabled, I’m sure it will eventually appeal to a lot of bloggers. It’s rather commendable that you are interested in let individuals, the people, to employ a wide range of themes for the blogs. Keep these individuals coming!

This one is spot on. His site has nothing to do with what I said.

[...]I’m so impressed with how well this article was gathered and put together. It’s well formatted and written. Quality work like this is a rarity. I appreciate the information and I agree with the author. Although unrelated to my blog, worth linking …

This one actually tried to write something intelligible, but his site doesn’t even use WordPress.

Your artical is simple however retains a little elegance and also grace. And using the options and also customization you’ve got enabled, I’m sure it will eventually appeal to a lot of bloggers. It’s rather commendable that you are interested in let individuals, the people, to employ a wide range of themes for the blogs. Keep these individuals coming!