While we might all agree that risk assessment remains an important part of the business continuity planning process, we might also agree that risk assessment is an elusive one for many managers to perfect. And, to that very point, our staff came across a recent article written by David Lacey, where he states, “…I cringe when I hear experienced professionals suggest that risk assessments must be objective and repeatable. Where on earth did they get that impression? Were they taught this in a course? Or did they read it in a standards document? It’s not something that occurs in practice.”
Therein lies perhaps the most important issue surrounding the misguided attempt to represent the risk assessment process as a “perfect science”. Lacey’s statement above also focuses on an objectivity element that he addresses in his article: all too often, intuitive judgment is not acknowledged as the critical element it needs to be.
To develop his line of reasoning further, Lacey attempts to dispel the following six myths of risk assessment; his statements are summarized below:
- Risk assessment is objective and repeatable – “…It is neither. Assessments are made by human beings on incomplete information with varying degrees of knowledge, bias and opinion”.
- Security controls should be determined by a risk assessment – “…Not quite. A consideration of risks helps, but all decisions should be based on the richest set of information available, not just on the output of a risk assessment, which is essentially a highly crude reduction of a complex situation to a handful of sentences and a few numbers plucked out of the air.”
- Risk assessments should be focused on assets – “…This is not recommended. Asset-based risk assessment is the most expensive, long-winded and uncertain method available. It’s far simpler to focus on business processes or areas of responsibility, rather than individual assets.”
- Risk assessment prevents you from spending too much money on security – “…Not quite. In fact the only area I’ve seen excessive spending on security is on the risk assessment itself.”
- Risk assessment encourages enterprises to implement security – “…No, it generally operates the other way around.”
- We should aspire to build a “risk culture” across our enterprises – “…Whatever that means it sounds sinister to me. Any culture built on fear is an unhealthy one.”
Hopefully, the summary of Lacey’s reactions to the six myths stated above will encourage you to read his full article.
If applicable, please pass this posting along to those business continuity and risk management team members in your organization.