Risk: Neither Process nor Event
Dante Disparte recently posted under the headline “Risk is a Process not an Event”. He got me thinking – which, really, is one purpose for posting, right? I was going to comment but became a little too engaged to stay entirely on point and so thought I’d post instead:
My thoughts from Dante’s sharing (you’d probably best read his post first to make sense of these):
- Dynamic Risk Detection in relation to cyber security is becoming more obvious as a strategic necessity (executive responsibility?) than Static Risk Prevention (firewalls, antivirus and assorted other trench warfare tools). The former did not do Sony (or the NSA et al) a lot of good and when they did detect signs of probing they were either ignored or misinterpreted. Hubris? It’s usually the first precursor of impending doom! Second level of reflection: What relevance does this train of thinking have for other than cyber risks?
- Dante had me thinking about the strategic advantages inherent in “risk optimisation” versus risk assessment, management or minimization. The greatest rewards with the least pursuers are going to be out there in the asteroid belt of business where risks are high but the nickel is “free”. If we examine our marketplace through the lens of risk optimisation, what strategies would be needed to achieve success in that zone? What would we need to do differently (I’d been reading Kotter’s “Leading Change” earlier and the two articles have resonance – at least, in my mind)?
- I loved Dante’s airline analogy – we saw an instance in Australia this week of insurer Travel Cover being hacked for over 870,000 customer records, sensitive elements of which had apparently been stored in plain text. The company chose not to notify its customers – and still had not done so despite the story being blown last week. That’s akin to QANTAS not bothering with maintenance, and discontinuing pre-flight checks so that risk assessments would cease to irritate management; then crashing; then not notifying passengers’ families and attempting to do “business as usual”. Their entire executive would be under arrest right now and facing the prospect of a long holiday at the expense of the State – IF they had not been lynched beforehand by angry shareholders whose investment would have gone down in flames along with the plane. What is it with data security? Not valuable enough to protect? Not strategic enough? Take a good look at the new Chinese stealth fighter. If it looks remarkably like the US F35 JSF fighter, that may have something to do with the 50 terabytes of data hacked from the US defence contractors (more of Snowden’s revelations!). US R&D investment in the project (so far) is $400 billion. Chinese investment in R&D for their version: ? US investment in cyber security – obviously less than the Chinese! Was/is the project not worth the allocation of a percentage of its overall budget for cyber security, a little preventative maintenance? A little spider-in-the-middle-of-its-web technology that would sense potential threats and immediately mobilise defence, analysis and retaliatory strategies?
Is it time we both had a Data Crash Investigation entity, and did some arachnological thinking about cyber security? Maybe a TV show of the same name as the former to highlight its functions and findings? And a CyberX prize around the latter?
And then, more broadly, and finally returning to my title: I don’t see Risk as either a Process or an Event.
Risk management is certainly a Process; and risk manifestation is most certainly going to be an Event – but Risk itself? What is it?
I don’t have Dante’s focus on risk – he’s a deep specialist; I’m a broad generalist – but Risk, to me, looks to be a “Potential” in the same sense as “potential energy” – a sort of abstract noun; a form of energy as real as electricity, radar or light, or of the energy stored in the position of the elephant that is presently balancing on a broom handle above your head. In fact one definition of “potential energy” is just that: “the energy an object has due to its position in a force field or the relationship of its parts” (in the elephant example, one force field is “gravity”; and some of the relevant relationships are the juxtaposition of the elephant, the broom handle, you, and the ground).
So, is risk potential energy? Can it be built up by the position of parts in a force field? (The man on the ledge in the lead-in image is at risk. Why?) Can it be built up by the accumulation of imbalances between its parts? The same man took energetic step after energetic step, from level ground up, up, and out to the point where he now stands. At that point the energy of every single upward step has accumulated as “distance above ground”, and every outward step has accumulated as “diminishing underlying support”. The risk (the potential consequences of the normalisation of his juxtaposition with the ground from which he first set out) is chillingly obvious, but there is no process inherent in the risk itself (the process lay in creating it) and, as yet, no event.
So, if we think of risk as “potential energy”, does that suggest strategies for managing that? I have a few clients in the field of electrical engineering and contracting – one of them in high voltage electrification. They have pretty robust strategies for managing potential energy – 33,000 volts of it at a time. In fact, they have had to develop robust strategies for optimising that potential energy, because the aim of their game is to ensure that as much of the potential energy at the generation point is able to be released at the consumption point without breaking out of the system designed to convey it, and killing someone or setting the world on fire.
In their industry, the higher the potential energy (voltage) and the less restrictive the energy conduit, the less the energy losses in transmission, and the greater the potential for profit. Too little insulation on the conduit and energy breaks out, and disaster follows. Too much insulation on the conduit and energy is lost through conversion to heat in transmission, consumer revenue drops, insulation melts, energy breaks out, disaster follows. Their art is in ensuring just enough containment – plus a finely calculated safety margin – to balance energy loss against energy break out. Their art is the optimisation of the balance between containment and non-containment.
What might that perspective have to do with risk optimisation in business?
Thanks Dante for getting me thinking!