By Tim McCreight
Our past experiences shape how we perceive the present, and plan for the future.
We create opinions from these experiences, amongst other sources. These opinions can sometimes find their way into a risk management program, disguised as facts.
I’ve been guilty of this myself. I always considered myself a reliable driver with a good driving record. I never thought about taking the coverage to replace my windshield; it always seemed like an extra expense that didn’t offer much value. My decision was a personal one, based on my own experiences driving in my home province, and occasionally replacing a windshield. I didn’t conduct any research when I made my decision; I simply declined the extra fee.
Recently, I’ve been using this example in discussions with organizations about risk, and how they perceive the process of assessing risks. When I ask folks who drive if they selected the option for additional windshield coverage for their insurance, I always find some that have, and others that haven’t. The reasons range from not having the money to replace a windshield, to owning a car where the windshield replacement cost would surpass the vehicle’s value! Sometimes, I hear testimony about the way others drive, the horrible road conditions, or the perceived profits of the insurance company.
Whether we’re talking about windshields or organizational risks, it’s difficult to separate ourselves from personal opinions when we begin assessing risks.
Invariably, we find ourselves answering questions from a personal perspective, and not from a business or strategic one. We tend to rely on our own viewpoints when it comes to looking at risks facing our organizations’ key assets: people, property and information. Our goal as security professionals should be an unbiased, objective approach to assessing risks and working with our organizations to develop controls to reduce the impacts if a risk becomes a reality. We need to borrow Joe Friday’s line from Dragnet and focus on “Just the facts, ma’am.”
There are a number of frameworks, methodologies, software packages and international standards that can help. These range from simple checklists that review the current controls in place at an organization, to complex software packages that generate on-demand reports of risks facing an entire organization. The path you select, and the tools you choose, should be unique to your circumstances and organizational requirements.
Regardless of your organization’s size, you need to use some form of objective assessment of risk. The approach needs to take into account the context of your organization and the business environment it operates within, any special legislative or regulatory controls that apply to your organization, and an appreciation of what it does to stay in business. Without this critical background information, we may miss key items in a risk assessment or overemphasize one type of control over another.
The most expensive risk management software can’t help if you don’t provide the right information, or insert personal opinions instead of objective facts and data. The old adage “garbage in equals garbage out” applies directly to risk assessments, too. And it doesn’t hurt to have a third party check your assessments regularly.
The organizations we protect rely on our professional expertise to safeguard their assets, and help them review risks facing the organization. We must ensure our recommendations are based on an objective approach to assessing risks and not our own misgivings or personal opinions.
If we are to keep our place at the executive table, one sure way of doing so is to be that quiet, measured voice that others can rely on to be open, honest and unbiased.
Tim McCreight is a managing consultant at Seccuris (www.seccuris.com).