To understand risk on both a strategic and tactical basis, it is crucial that the right elements of risk be considered. After all, basing decisions on scant information does not provide the solid foundation that an organization needs to exercise good judgment.
The factors that go into a risk evaluation basically fall into two camps: the benefits or opportunities on one side versus the possibility of failure, and the cost of that failure, on the other. Ultimately, risk evaluation is the balancing of pros and cons, where both sides are adjusted by the level of acceptance of probabilities within an organization.
Another dimension is provided by the depth of data that is used to build an understanding of those pros and cons. In many cases in which SIL has been involved, multimillion dollar decisions have been based on a risk profile that was built with anecdotal or personal information. In some cases, that experiential base has been fewer than five projects. This simply does not provide a strong enough statistical base on which to do an analysis. The variance between projects tends to be large when considering just a few situations. Only when a large number of data points are used as the basis for decisions can the random vagaries of individual project situations be filtered out.
The possible scenarios need to be viewed with both costs and risk associated, since many times the lowest cost may imply higher risk exposure. Risk occurs in different facets of cyber business since so much of its source stems from cyber attacks. To account for the different profiles, SIL examines operational and security risk separately. Those profiles have different contributions and dimensions that help clarify the business decisions that must be made.
SIL defines risk in three main venues for operational risk:
This type of risk centers on the ability of the organization to run its business in its normal operational mode, endangered by demands on capacity, equipment failure, etc. It does not account for an active adverse attack, such as is presented by hackers, criminals, and others interested in the destruction of data, theft of intellectual property, or other incursions.
Security risk analysis incorporates and considers the active warfare aspects of risk. The factors and components of this exposure can be grouped into three main aspects, but differ significantly from operational risk. The security component classes are:
The risk analysis incorporates those contributions that are associated with each option, including the current strategy at a specific client. The comparison to baseline is crucial since many organizations forget that their existing path also contains uncertainty. Therefore, risk evaluation needs to compare the new possibilities with the current reality.
SIL normally sweeps in information from a large experiential pool that spans at least the last 24 calendar months for each option. This focused, moving window of comparison provides the optimal view on a rapidly changing market and technology base.
[Table: Operational Risk Rating – Option-Specific. Totals, direct costs only. Rows: Possibility of component failure; Possibility of overrun; Possible scope of overrun; Total risk factor.]
The relative operational risk ratings can be visually summarized as shown in the following chart.
[Chart: Operational Risk Rating Summary]
The security risk profiles have significantly different footprints. The ratings in this area are complex assessments of the proven vendor response in the security arena and are made up of best practices, underlying architectures, and many other factors.
[Table: Security Risk Rating – Option-Specific. Totals, direct costs only. Rows: Possibility of protection failure; Possible scope of revenue impact; Possible scope of customer remediation; Total risk factor.]
The relative security risk ratings can be visually summarized as shown in the following chart.
[Chart: Security Risk Rating Summary]
A consolidated risk profile shows the accumulated picture of the risk that balances off any possible expense reduction. Since it is an increasingly common tactic to set aside funds to cushion possible incursion costs, the risk profile should be seen as an indicator of the size of such an offset.
[Chart: Composite Risk Summary]
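An added example, not SIL's own model or code, that puts the two rating tables and the composite profile above into numbers: each option is scored with the rows of the operational and security tables, compared against the current strategy as the baseline, and the risk total is reported as the size of the reserve to set aside. The expected-loss formulas and the sample figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    """One strategy option; the fields mirror the rows of the two rating tables."""
    name: str
    direct_cost: float                  # totals, direct costs only
    p_component_failure: float          # possibility of component failure
    p_overrun: float                    # possibility of overrun
    overrun_scope: float                # possible scope of overrun (cost if it occurs)
    p_protection_failure: float         # possibility of protection failure
    revenue_impact_scope: float         # possible scope of revenue impact
    customer_remediation_scope: float   # possible scope of customer remediation


def operational_risk_factor(o: Option) -> float:
    """Assumed formula (not the page's): expected loss, where a component failure
    is costed as re-spending the direct outlay and an overrun costs its scope."""
    return o.p_component_failure * o.direct_cost + o.p_overrun * o.overrun_scope


def security_risk_factor(o: Option) -> float:
    """Assumed formula: a protection failure incurs both the revenue impact and
    the customer remediation scope, weighted by its probability."""
    return o.p_protection_failure * (o.revenue_impact_scope + o.customer_remediation_scope)


def composite(option: Option, baseline: Option) -> dict:
    """Compare an option with the current strategy, which carries risk of its own.
    'reserve' is the offset to set aside; 'net_benefit' is the expense reduction
    left after the change in risk exposure relative to the baseline is charged."""
    opt_risk = operational_risk_factor(option) + security_risk_factor(option)
    base_risk = operational_risk_factor(baseline) + security_risk_factor(baseline)
    expense_reduction = baseline.direct_cost - option.direct_cost
    return {
        "option": option.name,
        "reserve": round(opt_risk, 2),
        "expense_reduction": round(expense_reduction, 2),
        "net_benefit": round(expense_reduction - (opt_risk - base_risk), 2),
    }


def rank_options(baseline: Option, *options: Option) -> list:
    """Composites ordered by net benefit, highest first."""
    return sorted((composite(o, baseline) for o in options),
                  key=lambda c: c["net_benefit"], reverse=True)


# Constructed sample figures (thousands per year), not client data from the page.
CURRENT = Option("current", 1000.0, 0.05, 0.10, 200.0, 0.02, 500.0, 300.0)
CHEAPER = Option("low-cost vendor", 700.0, 0.08, 0.25, 400.0, 0.15, 500.0, 300.0)
PREMIUM = Option("managed service", 900.0, 0.03, 0.05, 150.0, 0.01, 500.0, 300.0)
RANKED = rank_options(CURRENT, CHEAPER, PREMIUM)  # managed service ranks first
```

With these figures the lowest-cost option saves the most on direct spend but loses once its larger reserve is charged against it, which is the point the composite profile is meant to surface.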
There are no organizations that operate without risk. Risk is an ever-present specter that haunts executives' dreams and brings indigestion to security personnel worldwide. Determining how large that risk is, and how wide the exposure, is changing quickly as more organizations move a significant portion of their business to cyberspace.
The drive to compete is overwhelming, and the need for a change in risk evaluation is desperate. Organizations need to understand risk at a business level: not bits and bytes, not speeds and feeds. Strategic management is focused on how to drive the business, as well as on what will help to mitigate any risk identified.
By supporting strategic decisions with substantive data, better choices can be made. These will not be perfect but they will be far better than guesswork and conjecture. The passageway will be smoother and the success rate higher.
Are there significant changes that will radically alter the shape of the risk base? The whole cyberbusiness ecology has been pummeled with incremental advances: smaller improvements to the market overall, even if some are significant in specific areas of technology, services, and approach. This type of chaotic pattern has been shown again and again to presage a larger, more pervasive paradigm shift.
What will that change be? How far-reaching will it become?
This post will continue with CyberBusiness – Altering the Face of Risk next week.