Down to Risk-Business




Remember, risks are simply defined as the probability of harmful events. Looking at it another way, risk is a wager, like playing Blackjack. You have to calculate the odds, knowing when to raise your bet or when to fold.

Risk management programs ask these questions:

  • What are the odds that a critical incident will happen?

  • What is the worst that can happen?

  • What are the odds that partial or total asset destruction will happen?

  • How will that event affect my ability to continue profitably?

Of course, there is a corollary that should weigh on every senior manager's mind: "Will my business survive these harmful events?"

A general theme repeated throughout this chapter is that "an ounce of prevention is worth a pound of cure." Addressing risks proactively is often a business requirement, not an elective, because laws and regulations mandate safeguards. It is more economical to identify and address risks before they materialize than to deal with post-incident chaos and the ensuing financial losses. Regardless of the strength of an organization's risk management plan, there will always be points of vulnerability, so it is wise to expect that, despite the best preventive efforts, disasters will happen. In managing risks, there are no perfect solutions. Accept this idea and plan accordingly.

If risk management were tight enough to address every vulnerability, it would be so tight that employees could not do their jobs. There is such a thing as "acceptable" risk; the right balance is the level of protection that still lets the business function.

Experience Note 

Systems administrators like to say that the ultimate firewall is the off switch. This is true as far as it goes: a system that is switched off is impervious to attack, but no one can use it either.

Risks are not distributed evenly throughout the enterprise; each risk must be considered in light of its specific impact on each critical asset. Assets must be prioritized according to how critical they are to continuing profitable operations after a harmful event. Consider, for example, the server on which engineers test Web page designs. Exploiting a vulnerability on this server has a lower impact on critical assets than unauthorized entry to the file server holding the company's client list. For this reason, the safeguards protecting the test server are significantly lighter than those surrounding the client list.

Professional due diligence involves ensuring that adequate controls and processes are in place to protect an organization's systems. The responsibility for due diligence starts at the top of an organization, with the senior managers, and filters downward. These same managers are responsible for seeing that their employees understand what is expected of them in protecting the organization's assets and that employee performance is directed to that end. Developing these processes can seem daunting, but "eating an elephant is a process begun one bite at a time." As with all endeavors, we need to devise a plan.






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144
