Perceptions vs. Reality in Identifying Risk

April 26, 2019  Chad Weinman

One of the stages of a risk management program is Risk Identification – quite self-explanatory in definition. But the challenge comes down to how to do it.

The common risk management standards state that it should be systematic, but they fall short of providing actionable guidance. For instance, they don’t say how to consistently and analytically collect and identify risk scenarios.

From our experience working with dozens of organizations across industries, I can share that risk identification in the real world is hardly systematic.

But here's the thing: Maybe that’s OK. Let's look at a common use case: The Top 10 List.

Over the past year, this has proven to be the most asked-for approach for presenting technology risk to key stakeholders (executives, committees, boards). We have worked with many organizations to tackle this assignment.

A funny question we always ask is: "How did you come up with those initial 10 risks?"

The common responses are:

  • Our executives wrote them on a whiteboard and voila!
  • We did a survey across all the IT teams asking what they are concerned about.
  • We looked at what other organizations in our industry have suffered and are measuring those.

Let me be clear: These are not incorrect approaches. In fact, these very well may be the ideal starting place if an existing risk program isn’t formalized.

But I believe none of those methods could be considered systematic. They lend themselves to subjectivity and “perceived” risk.

It is my belief that many items aren't even identified from a true perspective on risk. In other words, they are often focused solely on one of the two sides of risk (frequency and impact) and ignore the other. An example would be looking at a worst-case fraud event that has never occurred in the organization or in the industry but is possible. In other words, high impact, no frequency.

What always happens as we begin to measure these provided lists is that a few of these "top risks" turn out to be surprisingly insubstantial.

But maybe that’s OK.

The initial list is usually populated based on two things: concerns and perceptions of risk. A risk analyst using a model like FAIR can help provide a more complete and accurate picture of the true nature of risk.

A FAIR risk analysis leads to consideration of more factors, references available data, applies the data to a model, and looks through “perceived risk” to bring light to reality.
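As an added illustration (not the author's or the FAIR Institute's tooling; the two scenarios and their ranges are constructed), a small Monte Carlo in the FAIR shape of loss event frequency times loss magnitude. It shows how the "high impact, no frequency" whiteboard item ranks below a routine, moderate-impact event once both sides of risk are modelled.

```python
# Added example: a minimal FAIR-style Monte Carlo comparison of two constructed
# risk scenarios. Not the author's tooling; the scenario numbers are made up.
import math
import random
import statistics


def poisson(rng, rate):
    """Sample one year's event count from Poisson(rate) using Knuth's method."""
    threshold = math.exp(-rate)
    count, p = 0, rng.random()
    while p > threshold:
        count += 1
        p *= rng.random()
    return count


def simulate_ale(freq, loss, trials=20000, seed=7):
    """Annualized loss exposure (ALE) for one scenario.

    freq: (min, most likely, max) loss events per year
    loss: (min, most likely, max) dollar loss per event
    Both are drawn from triangular distributions, a stand-in for the calibrated
    ranges a FAIR analyst would elicit. Returns (mean ALE, 90th percentile).
    """
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        rate = rng.triangular(freq[0], freq[2], freq[1])       # (low, high, mode)
        events = poisson(rng, rate)
        yearly.append(sum(rng.triangular(loss[0], loss[2], loss[1]) for _ in range(events)))
    yearly.sort()
    return statistics.mean(yearly), yearly[int(0.9 * trials)]


# Constructed scenarios: the "whiteboard" worst case versus a routine event.
SCENARIOS = {
    # high impact, almost no frequency: never seen in the org or the industry
    "worst-case insider fraud": ((0.001, 0.003, 0.01), (5_000_000, 10_000_000, 50_000_000)),
    # moderate impact, happens several times a year
    "phishing-driven account compromise": ((2, 5, 12), (5_000, 25_000, 150_000)),
}


def compare_scenarios(scenarios=SCENARIOS):
    """Rank scenarios by simulated mean ALE, highest first: [(name, (mean, p90)), ...]."""
    ranked = {name: simulate_ale(f, l) for name, (f, l) in scenarios.items()}
    return sorted(ranked.items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    for name, (mean_ale, p90) in compare_scenarios():
        print(f"{name:36s} mean ALE ${mean_ale:>12,.0f}   90th pct ${p90:>12,.0f}")
```

The rare fraud scenario still carries a non-zero expected loss, but its 90th-percentile year is zero, which is the frequency side the whiteboard list ignores.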