Stop Settling for Less in Risk Analysis

January 17, 2019  David Musselwhite

The mountain of fabric stood tall before me, arcing over my head like a tidal wave. (Maybe a slight exaggeration, but that’s how it felt.) “I have to finally admit it,” I said to myself. “I’ve accumulated too many clothes.”

Free t-shirts, too-small Oxfords from college, hoodies that still smelled like last year’s bonfires. The knowledge of this bloated collection clawed away at the back of my mind. It stole my focus at work and made me dread driving home knowing it was there to welcome me.

I knew the goal: a reasonably sized wardrobe, and soon. But I had no idea what process I would use to get there. Where would I even start? I felt overwhelmed just looking at it all.

So I accepted a lesser goal. “Today I will choose one shirt to donate.” I congratulated myself for taking action to solve the problem.

Because I didn’t have clarity on how to get to the big goal, I settled for less.

New RiskLens team member David Musselwhite has been a quantitative risk management practitioner for more than five years and led part of the Enterprise Risk Management team at a large, nationwide financial services company.

Do risk management professionals fall victim to this pattern? Of course we do — we’re human!

We know that our big goal is to provide decision-makers with the best possible forecasts of future loss so that loss can be optimally managed, whether through avoidance, acceptance, transfer, or mitigation. And we know that those forecasts need to be in dollars because loss is in dollars.

We know that reporting on risk in forecasted dollars allows leaders to appropriately prioritize scenarios for attention, and allows them to compare the cost of mitigation to the amount of risk reduced to determine a mitigation effort’s value.

We know that our goal should be to confidently stand before the C-level or Board and say, “We’ve mitigated between $x and $y of probable loss, and the cost of the controls we employed was $z.”

We know what the goal should be, but is it so big and scary, like my mountain of clothes, that we settle for less?

“The path to this goal isn’t obvious,” we say. “How do we forecast future losses? What data would we use to make those forecasts? How can we forecast the future — anything could happen!” Instead of exploring these hard questions, we settle for the lesser goal.

Likelihood and impact matrices.

Red, yellow, green ratings.

Yellow x red = orange?

I thought we were talking about loss here — we realize loss in dollars, not colors.

Are these outputs easier to produce? Maybe.

Are they valuable to decision makers? Not really.

Have we met our big goal? Definitely not.

When we settle for the lesser goal of traditional/qualitative risk analysis, we hinder the ability of decision-makers to competently manage risk.

Business leaders want to talk risk in dollars and cents — in potential money out the door if the analyzed scenarios occur. I knew an executive I was working with was ready for quantitative risk analysis when I heard him say in a leadership meeting, “Don’t tell me it’s yellow or orange, tell me that over the next year we’re going to lose some money from this, and we think it’s around this much.”

Meeting that leader’s need is the big goal risk management professionals should be striving for, and it is what will ultimately help you protect your organization’s value.

And I’m here to tell you it isn’t as difficult as you think.

Using RiskLens and the Factor Analysis of Information Risk (FAIR) model on which it’s based, you can assess operational and cyber risk in dollars, prioritize mitigations, calculate return on investment in controls, and optimize insurance coverage. You can competently and confidently manage risk. You can reach the real goal and stop settling for less.

I knew I needed help, so I turned to popular culture’s cleaning/organization expert du jour, Marie Kondo, and her book The Life-Changing Magic of Tidying Up. Following her recommendation, I took every item of clothing to the living room and separated the mountain into piles by type. From there I took each type and whittled it down to just what I wanted to keep. It only took a few hours and was actually really enjoyable.

Once I got the proper clarity on how to achieve the big goal, I was motivated to do it and completed it successfully.

RiskLens is here to bring you that clarity when it comes to risk analysis. Reach out to us today for training on FAIR or to schedule a demo of our software. Stop settling for less.

This post was inspired by the first section of Benjamin P. Hardy’s article How To Learn In 2 Days What Normally Takes 6 Months.