In part 1 we discussed the implications of answering “as compared to what?” in reference to resource allocation decisions such as:
- Improving existing controls
- Dialing back existing controls
- Business cases for solutions
- Project prioritization plans
- How does this align with our experiences?
- Are our peers experiencing something similar?
- What data did you use?
- Who did you work with?
Ask the philosophical question
I call this the ‘philosophical’ question because sometimes discussing risk is an exercise in apologetics. Results are often defended with statements like these:
- “It feels like a minor problem”
- “I just know this problem will be bigger in the future”
Leverage a rigorous model to enforce critical thinking
Answering the philosophical question amounts to defending our results. The first step toward making risk assessments defensible is employing a logical method (e.g. Factor Analysis of Information Risk [FAIR]). If we fail to approach risk methodically, any of the following problems will drive our assessments off the rails:
- Reliance on mental models
- Cognitive bias
- Action based on untested assumptions
Readying yourself for any question
- Data sources
- The approach taken
Elevate your risk conversations