Proper Risk Analysis *Can’t* Mean Unnecessary Controls
Sammy Migues over at the “Justice League” blog from Cigital has written an interesting article on “risk management”. Basically, he’s saying that we can have too much of a good thing. Too much risk management creates too many controls.
Except that it doesn’t.
Not the way we look at it at least.
THAT WORD AGAIN, “RISK MANAGEMENT”
First, I’d argue that our concept of risk management is a little more focused than his use. In fact, we don’t even know what “risk” means to him. Not to get caught up in terminology, but basically he’s dealing with some aspect of issue management. There’s a problem (a vulnerability, a policy exception to be discussed, whatever) and what smart people do is view the “problem” through the lens of risk (the probable frequency and probable magnitude of loss), via risk analysis and in the context of the risk tolerance of the data owner.
You see, that last part is important. If your definition of risk is correct, and if your analysis is good, then all that is left is for the decision maker to figure out how willing they are to lose money. Because you’re giving them the information they need to make a decision, unless you’re just absolutely loopy - you can’t overspend because of risk decisions. You will spend exactly enough*. There is no “fixation on or over-thinking of each and every security issue” because the data owner expends only the amount of resources they are willing to allocate to reduce probabilities to their acceptable level. That’s it.
If anything, “risk aware” organizations can be thought of as spending less than their counterparts because they’re not adhering blindly to “common practices” (of course, prescriptive regulatory environments prevent that efficiency by artificially inflating the amount of probable loss, but we’ve already talked about that plenty). I tend to think that risk aware organizations don’t necessarily spend less, they spend better.
So this all depends on what Samuel means when he says “risk” and “risk management”, but I have to respectfully disagree - when done properly, it is impossible, or at least improbable, for risk management to create inefficiencies.
* it’s that whole Bayesian Rationalist thing. In theory the use of the scientific method, logic and the right Bayesian network means that any choice other than the conclusion(s) of good risk analysis is irrational.
** UPDATE: Chris Hoff has written a very similar thought over at his blog and reality TV show, Survivor: Corporate Risk Management Island or whatever he’s calling it these days
(I kid because I love).


Christofer Hoff Oct 30
Totally.
I hit send just as Google Reader alerted me to your response.
Mine is pretty much the same, just *gasp* longer.
Great post. Sammy really needs to be more careful about his use of and definition/meaning of “risk.”
/Hoff