Every risk manager knows that there are 4 ways you can respond to risk (referred to as risk disposition). You can mitigate risk by placing administrative, technical, and/or physical controls in place; you can transfer risk through insurance or third-party; you can avoid it by ceasing the activity that opened the risk, or you can accept the risk.
But what about the 5th, and most common, risk disposition? I promise you that every organization is doing it and probably doesn’t know it nor would believe me if I told them – I know because I have! So what is this mysterious 5th risk response?
The 5 types of risk response
Authors Note: Ignore vs Ignorance
Obviously, there is a significant, though situational, difference between an organization that is ignoring risk and one that remains ignorant of its risks. The former is an overt act, while the latter can either be an overt act or it can be a Rumsfeldian ‘unknown-unknown’. It is beyond the scope of this post to draw those situational distinctions. Rather, this article simply seeks to introduce the concepts behind Risk:Ignore, and save the deep diving distinctions for a later post. Thanks, – Jason
The Inherent Risk That Enables Risk Ignore
As a Cyber Risk & Strategy consultant, I have performed risk and maturity assessments for all types organizations, big and small, across the critical infrastructure landscape. As such, it is easy to see that industry (energy, finance, manufacturing, transportation, etc.) has inherent sector-specific risks that they have become adept at responding to. Electric and gas have weather events, maritime has break/fix and logistics risk, finance has fraud and transactional integrity risk just to name a few.
And for each of these tried-and-true sector risks, there are equally tried-and-true sector responses. Sometimes organizations mitigate them through preventative maintenance, some avoid risky transactions, some insure (transfer) against loses, and others price in (accept) that they will take losses on a certain number of ventures. All of this is classic sector-related ERM – whether they call it that or not.
Most organizations within critical infrastructure have mastered the risks inherent to their sector, but they have failed to apply that risk mastery to cyber risk responses
During an assessment, we will ask an organization to discuss their ERM, business continuity, or disaster recovery. And sure as the sun rises they will sit up tall, grin real big, and speak proudly about how they, as an energy company, have a very robust disaster recovery plan – “we have to,” they say, “weather events are our biggest threat.” Or a finance company will braggingly say, “we have industry-leading fraud prevention capability.” SIGH…
Well, of course, an energy company has remarkable service-based disaster recovery and of course, a credit card company has “industry-leading fraud prevention.” These are, very literally, the price of doing business within that given industry! The issue at hand is how they have applied this ‘very robust’ and ‘industry-leading’ methodology to all their organizational risks – not just their inherent ones.
This is where the 5th risk response comes from: most organizations within critical infrastructure have mastered the risks inherent to their sector, but have utterly failed to apply that risk disposition mastery to cyber risk.
The Hidden Disposition of Risk Ignore
So what is Risk Ignore and how do companies come to apply this hidden disposition?
It can be quick to say that Risk Ignore is like an ostrich with its head in the sand and for some organizations that may be the sad reality. However, in my experiences as a cyber risk & strategy consultant, that is thankfully not the norm.
Risk Ignore has its roots in the organizational difficulty of applying existing ERM practices equally across a complex organization.
It is easy to spot Risk Ignore in action when a critical infrastructure organization does not apply – or hasn’t calculated – their risk appetite for enterprise IT. It is also easy to spot when an organization can determine precisely how much risk any given deal, acquisition, transaction, credit offers, or loan holds, but they stare back quizzically when asked about the RPO (recovery point objective) of that very same data being stored in their datacenter.
They can answer with confidence how many safety gloves, hard hats, and trucks you need to respond to a Cat 5 hurricane, but have not documented the network dependencies for the logistics application those same lineman use.
However, it is not always that easy to spot Risk Ignore. After all, it has remained a hidden part of the 4, now 5, available risk responses. So how do you identify when an organization has wittingly or unwittingly applied this hidden disposition?
4 Questions to Determine the Disposition of Risk Ignore
- Does the organization have an understanding of risk outside of its inherent-sector risk or statutory and regulatory mandate?
- Has the organization defined a common framework for risk threshold, appetite, tolerance, and acceptance?
- Does ‘high risk’ mean the same to finance as it does to IT?
- If asked, could the organization point to any of its critical applications and say, with confidence, how much inherent risk, residual risk, and risk acceptance has been applied to it and its dependencies?
You will be hard-pressed to find any organization who can confidently and truthfully answer yes to all 4 of the above questions. While some questions (items 2-3, for example) are more important than others, remember that, like any risk and its applied disposition, it is not how much Risk Ignore you have, it is that you have identified where you have it and that there are upstream and down-stream compensating controls around it.
As risk managers, we must know the disposition of identified risk, we must determine if risk response is consistent across the organization, and we must understand where the organization is, knowingly or not, ignoring inherent, residual, or aggregated risk.
Lastly, it is important to recognize that, like all risk dispositions, organizations can employ a hybrid approach to Risk Ignore. The two to watch out for are Accept-Ignore and Mitigate-Ignore.
Hybrid Risk: Accept-Ignore
There is a dangerous relationship between Risk Acceptance and Risk Ignore. Don’t get me wrong, as a cyber risk assessor, seeing an institutionalized risk acceptance process can be a tempting heuristic for the overall maturity of an organization.
However, just like the danger of heuristic evaluation, an organization with a mature risk acceptance process can easily overlook the impact of that accepted risk in toto.
By failing to aggregate those accepted risks, an organization can quickly find itself blind (Risk Ignore) to the fact that they have slipped well beyond their tolerance for acceptance and strayed dangerously to close to the cliff that is risk threshold.
Hybrid Risk: Mitigate-Ignore
If Risk Acceptance can run afoul of risk appetite by failing to calculate the total residual risk, the opposite can be said for risk mitigation by remaining ignorant (Ignore) of the residual risk at all!
Inherent Risk * Control Risk = Residual Risk
This is often referred to as ‘Rack and Pray’; put a piece of tech in place and pray it protects you. The false sense of security that comes after a significant capital investment can easily blindside an organization once that now-exploited residual risk breaches its ugly head.
In all candor, it is quite easy for even the most mature of organizations to unwittingly take a hybrid approach to risk response. But the sad truth remains that without a common language around risk and identification, and without a common repository to hold, sort, rank, dispose, and track risks, no organization can accurately gain a full understanding of their true risk posture.
As I am sure you are all well aware, Risk Ignore is not an official risk disposition. Unfortunately, that does not prevent Risk Ignore from playing an all too prevalent, albeit hidden, role in enterprise risk management. However, now that we have an understanding of how Risk Ignore can impact our risk methodology, it is important to identify it, document it, and compensate for it.
About the Author
Jason Tugman is a Cyber Risk & Strategy consultant for Critical Infrastructure with a focus on Finance and Energy. Jason is based out of Washington, D.C.