
If Personal Financial Management Were More Like Common Risk Management

by Jack Jones on Aug 2, 2016 7:30:00 AM

Imagine that you need to manage your personal finances, but there are two constraints in how you’re able to go about it, specifically:

  • You can only measure income and spending using qualitative values (e.g., High, Medium-High, Medium, Medium-Low, and Low). There are no monetary figures involved.
  • You can only set the financial objective you’re aiming for using a qualitative value.

With this as the setting, let’s look at some specifics regarding your financial management situation:

  • You currently earn what your boss tells you is a Medium-sized paycheck every two weeks. You’re not so sure though -- it feels more like Medium-Low to you.
  • Your spouse’s paycheck is also Medium. When you put the two of them together you’re not sure whether they add up to a Medium-High income or just a higher level of Medium.
  • Monthly expenses are typically what you would call Medium-ish, but repairs to the basement felt very Medium-High last spring when the sump pump failed.  
  • You and your spouse want to retire with a Medium-High amount of retirement savings so that you can travel and maybe buy that motorhome the two of you have been talking about for years. 
  • With that in mind, and as your financial advisor suggests, you try to put a Low amount of money into a retirement account every payday. You’ve been doing that for years now, but your financial advisor says market conditions knocked your savings from Medium-Low to Low over the last couple of years. She’s not able to tell you, though, whether it’s at the low end of Low or the high end of Low.
  • You’re also going to have to either trade in your car in the next year or so, or put a Medium amount of money into some major repairs. The payments on a new car are likely to be in the Medium-Low range.

The bottom line is that, in general, you and your spouse try to be smart about your finances. You work hard, are reasonably careful with your spending, and you seek financial advice from professionals. These actions mean that you’re more likely to be in a better place financially when it comes to retirement than if you quit your job and spent money like a drunken sailor. In other words, your intelligent actions imply a better outcome than if you were less intelligent about it, but you aren’t able to measure progress (or lack thereof) explicitly toward a goal that isn’t explicitly defined.  

Implicit financial management like this isn’t necessarily bad. Certainly it’s better than taking actions that increase the odds of a poor outcome. But assumptions abound regarding whether you’re doing enough or too much. You’re essentially ungrounded – a ship sailing without a compass or a view of the night sky.

Besides the obvious challenges of not really knowing where your finances stand relative to your objective (or even what your objective really looks like), did you catch the other more subtle problem? The same qualitative values are used for discrete transactions (e.g., paychecks and expenses) and for big picture conditions (e.g., the amount in savings and the retirement goal). Clearly however, a Medium paycheck is not the same thing as having a Medium amount in your savings account.

Given the above, I doubt there’s much more I need to say about what this means from a risk management perspective. Suffice it to say that following what are perceived to be intelligent risk management practices increases the odds that your organization will be in a better place risk-wise than if you didn’t. The limitations of this approach are, however, glaringly obvious. Managing risk explicitly using quantitative measurements can provide a much clearer understanding of your organization’s objectives, where it stands relative to those objectives, and how specific decisions affect attaining its objectives.
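To make the contrast concrete, here is an added example (not from the original post or from RiskLens) that restates the retirement scenario with explicit figures: each uncertain quantity becomes a calibrated (min, most likely, max) range in dollars instead of a label, the goal is a number instead of "Medium-High", and the car decision is evaluated by how it changes the probability of reaching that goal. All dollar figures, ranges, and the simplification that replacing the car is a one-off down payment are constructed assumptions.

```python
import random

# Constructed example figures (not from the post): each uncertain quantity is a
# calibrated (min, most likely, max) range in dollars instead of a label like "Low".
CURRENT_SAVINGS = (40_000, 55_000, 70_000)   # advisor only said "Low"; bounded here
MONTHLY_CONTRIB = (300, 500, 800)            # the "Low" amount put aside each payday
ANNUAL_RETURN = (-0.08, 0.05, 0.12)          # market conditions as a range, not a label
RETIREMENT_GOAL = 400_000                    # explicit objective, not "Medium-High"
YEARS = 25

# The car decision from the post, as a one-off hit to savings in the first year.
# Assumption: "replace" is modelled as a down payment only, ignoring later payments.
CAR_OPTIONS = {"repair": (3_000, 5_000, 9_000), "replace": (12_000, 15_000, 20_000)}


def draw(rng, bounds):
    """Sample one value from a (min, most likely, max) triangular range."""
    lo, mode, hi = bounds
    return rng.triangular(lo, hi, mode)


def simulate_once(rng, car_cost):
    """Project savings at retirement for one random future."""
    savings = draw(rng, CURRENT_SAVINGS) - draw(rng, car_cost)
    for _ in range(YEARS):
        savings *= 1 + draw(rng, ANNUAL_RETURN)       # apply that year's return
        savings += 12 * draw(rng, MONTHLY_CONTRIB)    # add the year's contributions
    return savings


def assess(option, trials=20_000, seed=7):
    """Return (P(goal met), 10th pct, median, 90th pct) for a car option."""
    rng = random.Random(seed)  # fixed seed so both options see the same futures
    outcomes = sorted(simulate_once(rng, CAR_OPTIONS[option]) for _ in range(trials))
    p_goal = sum(s >= RETIREMENT_GOAL for s in outcomes) / trials
    pct = lambda q: outcomes[int(q * (trials - 1))]
    return p_goal, pct(0.10), pct(0.50), pct(0.90)


if __name__ == "__main__":
    for opt in CAR_OPTIONS:
        p, p10, p50, p90 = assess(opt)
        print(f"{opt:8s} P(goal)={p:.2f}  10%={p10:,.0f}  50%={p50:,.0f}  90%={p90:,.0f}")
```

The percentile spread answers the "low end of Low or high end of Low" question the advisor could not, and the difference in P(goal) between the two options is the decision's measured effect on the objective.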

This post was written by Jack Jones

Jack Jones is the EVP of R&D and a Founder of RiskLens. He has worked in technology for over 30 years, the past 28 years in information security and risk management. He has a decade of experience as a Chief Information Security Officer (CISO) with three different companies, including a Fortune 100 financial services company. His work there was recognized in 2006 when he received the Information Systems Security Association (ISSA) Excellence in the Field of Security Practices award. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012, he was honored with the CSO Compass Award for leadership in risk management. Jones, who lives in Spokane, Washington, has served on the ISACA CRISC Certification Committee and RiskIT Task Force, as well as the ISC2 Ethics Committee. He is the author and creator of the Factor Analysis of Information Risk (FAIR) framework. He writes about that system in his book Measuring and Managing Information Risk: A FAIR Approach, which was inducted into the Cyber Security Canon in 2016, as a must-read in the profession.
