Proactive and reactive approach to Risk ….
Everybody is joining the bandwagon of ITGRC or GRC, if you are database Security Company or networking Product Company, all of them have their messaging around compliance. Compliance is small piece of the big picture, in my opinion big picture is RISK which drives G and C.
Risk is what we want to manage and will decide our survival. I may be all compliant, and still have lot of Risk unaddressed or at unacceptable level.
Risk is relatively new concept to IT and CISO/CIO has started understanding this concept but still we are light years behind financial risk managers who has very good understanding of risk and its different models (don’t look at financial stocks right now to prove me wrong ;) !!! )
I am sure you get the point, when financial industry has been using risk since last 100 odd years versus IT has started using risk in last 5 years or may be decade before.
Just like controls risk identification can be proactive or reactive in nature. This is not a debate about which one is better, we need both. By very nature of risk assessment, it is future prediction based on certain parameters which is nothing but “Perceived Risk”. Other is your reactive approach to risk which is backed by hard to refute numbers, for example Anti Virus incidents in last 1 year or emergency change management which can be directly correlated to Network Downtime. Based on these numbers you can associate new risk or change the existing risk and controls mitigating the risk. This is very powerful autonomous system. Perceive Risk is nothing but what you are afraid of and reactive approach will be what you should afraid of !!! This self correcting system will improve over time and will self adjust it self, its not perfect but its very powerful and effective. There is always systemic risk ! Anyone in wall street today knows about this risk , there is always a risk of system failure and no one is saved from that, since you are part of the system unless you change or create your own system, then you have some control over system risk. Like any thing in life this system is also not flawless and has its own risk, but this approach is defnintely better than just risk identification and assessment in board room for few hours.
Question is how to get the reactive risk numbers? Its simple, most of the organization has Security and networking product implemented. Only required thing is product to collect the numbers from these silo solution and provide the trending. Based on trends and threshold one can definitely identify what you should be worried about, again in financial world these people have been doing this for years with VIX index, S&p 500 , Unemployment numbers and so on, some of them are leading indicators of things to come or some of them are lagging indicators .
Apply same concept to IT and you will get similar indices for your environment, which is true only for your environment and business, since business objective for every company is different their risk appetite will obviously be different.
Risk is such a fascinating topic, which involves, imaginations, math( discrete probability in math class remember ? ), Business and strategy !! Haven’t seen any topic covering so much of depth and breath.
Proactive and reactive is just the nomenclature assuming you are identifying risk after something has happened versus you identifying the risk before something !
However continuing from my first blog, business has all the rights to take their chances and accept the risk in order to achieve their business goals as long as Risk is acceptable. Million dollar question is who will decide what is acceptable? And what is acceptable risk ? May be good topic for my next blog….till then ….Keep watching DOW ;) Risk may reduce and then its time to buy :)
