Ignorance is not a recognised risk mitigation

Risk: the possibility of something happening, or not happening, which will affect your business, infrastructure, data, security, workforce etc., either negatively or positively. That’s not a classical definition by any stretch of the imagination from any Risk Management manual I’ve ever read, but it’s a definition that holds water in my opinion. It can be shortened further to ‘something that may happen that will affect your business’.

The management of risk, however, is ever so slightly more complicated, and it comes into play once you’ve identified that ‘something may happen’ and you feel you want, or need, to do something about it. To that end, what ‘somethings’ can you do?

Before you can do any mitigating activities, you need to have followed three of the five principles of risk management (other risk management methodologies are available):

  • Identify the risk: what is it, what is the risk, a risk to what, a risk to whom?
  • Analyse the risk: how likely is it, when may it occur, what happens if it does, how much will it cost the business if it happens, and is that cost financial, reputational, supply etc.?
  • Plan the mitigation (or treatment) of the risk: what do we need to do to lessen the likelihood, or the impact, of that risk occurring?

After that analysis, the four primary mitigating actions you can take are:

  • You can ‘avoid’ it: put in measures, usually very expensive and not guaranteed to actually work, to remove all risk. Identify a risk, and spend whatever is needed to remove it. I can’t think of a single organisation that conducts this mitigation activity.
  • You can ‘tolerate’ it: accept it, manage it. It may not be that likely to happen, or, if it does actually happen, it may not be that serious, so you accept it’s there and tolerate it. It may well be within the organisation’s risk tolerance range.
  • You can ‘transfer’ it: give it to somebody else to look after. The ‘something’ may not be in your control, but it may be in a supplier’s control, so transfer the risk management to the supplier.
  • You can ‘treat’ the risk: reduce it by putting in measures, putting in training, putting in anything that may stop that ‘something’ from happening or, should it happen, reduce the impact after it has happened.

The one mitigation that isn’t in the bullet list above is ‘ignoring it’. It isn’t a taught mitigation, it isn’t a valuable mitigation and it certainly isn’t a successful mitigation. In my years as a Management of Risk Practitioner™, I have seen multiple instances of programme or project managers, even senior responsible owners, identifying a risk, adding it to the risk register, sometimes (not always) conducting the principles of risk mitigation, and that’s it: that risk is never looked at again until it happens, at which point it’s no longer a risk, it’s an issue, and it’s hurting.

Risks have to be reviewed at least monthly; depending on the severity of the risk (likelihood/impact) it may need reviewing more often. The review should look at the holistic picture of that risk and review all elements of it: is it still likely, and has that likelihood increased or decreased? Is the impact still the same; has it lessened, has it worsened? Have any of the mitigation options worked? Are they still ongoing, and what’s the update on them? Is there a new mitigation or course of action that can be put in place or attempted, who owns it, and who is going to implement it? Does it come with costs, and can the business afford those extra costs? Risk management is a live, iterative process and covers many disciplines. It could be IT and/or OT security risks, programme or project management risks or simply day-to-day business risk; it doesn’t matter, what does matter is that ignoring your risk is not an act of war.

Within the IT / OT world there is an increasingly important new dimension: the rate of change of risk, often termed ‘risk velocity’. This seeks to allocate a timeframe to each risk that helps identify how often the risk needs reviewing. It is particularly applicable within complex systems where the risks associated with manufacturing may be fairly static, whilst the IT risks can be highly dynamic, with rapidly changing threats and vulnerabilities.
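The review cadence described above (monthly at least, more often for severe or fast-moving risks) can be enforced mechanically against a risk register. The following is an added example, not code from the original post or from Regency; the severity-to-interval mapping, the velocity values and the sample register are constructed assumptions, and a register entry whose mitigation is ‘ignore’ is rejected outright because it is not one of the four actions.

```python
"""Flag risk-register entries that are overdue for review (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_REVIEW_INTERVAL_DAYS = 30               # the post's floor: review at least monthly
VALID_MITIGATIONS = {"avoid", "tolerate", "transfer", "treat"}  # 'ignore' is not one


@dataclass
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    velocity_days: int     # assumed: how quickly the threat picture can change
    last_reviewed: date
    mitigation: str

    def __post_init__(self):
        if self.mitigation not in VALID_MITIGATIONS:
            raise ValueError(f"{self.name}: '{self.mitigation}' is not a recognised mitigation")


def review_interval_days(risk: Risk) -> int:
    """Days allowed between reviews: monthly at most, shorter for severe or volatile risks."""
    severity = risk.likelihood * risk.impact  # 1..25
    # Assumed mapping: severity 13+ weekly, 6-12 fortnightly, otherwise monthly.
    if severity >= 13:
        by_severity = 7
    elif severity >= 6:
        by_severity = 14
    else:
        by_severity = MAX_REVIEW_INTERVAL_DAYS
    return min(MAX_REVIEW_INTERVAL_DAYS, by_severity, risk.velocity_days)


def overdue_risks(register, today: date):
    """Return (risk, days_overdue) for each entry not reviewed within its interval."""
    overdue = []
    for risk in register:
        due = risk.last_reviewed + timedelta(days=review_interval_days(risk))
        if today > due:
            overdue.append((risk, (today - due).days))
    return overdue


# Constructed sample register; names and dates are illustrative only.
SAMPLE_REGISTER = [
    Risk("unpatched OT HMI", 4, 5, 7, date(2024, 1, 15), "treat"),
    Risk("supplier SLA lapse", 2, 3, 90, date(2024, 2, 20), "transfer"),
    Risk("minor process drift", 1, 2, 180, date(2024, 2, 10), "tolerate"),
    Risk("phishing of finance staff", 4, 4, 14, date(2024, 2, 1), "treat"),
]
TODAY = date(2024, 3, 1)
```

Running `overdue_risks(SAMPLE_REGISTER, TODAY)` lists the two risks nobody has looked at within their interval, which is exactly the ‘added to the register and never reviewed’ failure the post describes.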

If you are from an organisation, however small, and you would like a more comprehensive conversation with Regency’s business change or security consultants on the subject of risk, whether programme, project, IT or OT, then give us a call on our office number 01242 225699 or email us at enquiries@regencyitc.co.uk