With everything going on in today’s world, each one of us makes multiple assessments of risk every day. We might not be aware that this is what we are doing, which leads to different evaluations and, in some cases, conflict. What I’m going to discuss in this blog is a standard way to look at risk, demonstrated by a (definitely) non-technical example.
The back story: When our children were younger, our two sons shared a bedroom. Every school day, particularly in winter, I would go to their room to wake them up. I’d turn on the hall light and walk into their room without turning on the overhead light. As in most boys’ bedrooms, there were always surprises on the carpet I would step on. Most frequently, it was a Lego block that would dig into my bare foot. On those days, my sons would definitely know it was time to get up, as the message came through loudly with some colorful language. While it wasn’t a great way to start my day, there was no long-term damage.
During those years, my wife and I tried to get away once a year. One of those trips took us on a Caribbean cruise. Like all good parents, we reduced the guilt we felt about leaving the kids with grandma by bringing back some excellent souvenirs. After some shopping, I found the perfect gift for one of the boys: a set of real shark jaws, complete with teeth! How cool is that? I walked away with a medium-size set, confident I had found an excellent gift.
Fast forward about six months. I was doing my “wake the boys up” routine when I stepped on something that I can only describe, from the pain, as a bear trap. I looked down, and much to my surprise, I found that I had been bitten by a shark in the middle of Wisconsin, in the winter. What are the odds… wait, let’s check it out!
The most basic risk analysis uses two factors. The first is, “What is the probability of this risk happening?” The second is, “If the event happens, what will be the magnitude of the impact?” Typically, we plot these on a two-axis graph, probability on one axis and impact on the other. A point in the upper right means there is a high probability of the incident happening, and if it does, the impact will be significant. A point in the lower left means the chances of the event happening are very low, and if it does, the impact will be minimal. Upper right is something you should address immediately; lower left is something that can wait.
The first scenario is stepping on a Lego. Since it happened often, the probability is at least a seven. And since I get to rate it, I’d call stepping on a sharp Lego with bare feet at least a seven on the pain scale. When we plot it, it looks something like this. Since the point falls in the high area, we should probably mitigate the risk (maybe by teaching Dad to wear his slippers).
The second scenario is stepping on a set of open, sharp shark teeth. Since it never happened before and probably won’t again, the probability is about a one. And since I get to rate it, I’d call stepping on a sharp set of shark teeth (which drew blood) with bare feet at least a nine on the pain scale. When we plot it, it looks something like this. Since the point falls near the green area, if we decide to mitigate the risk, it can wait.
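To make the two-factor method concrete, here is a small risk register that scores each item as probability times impact, places it in a corner of the matrix, and sorts the list by priority. This is an added example, not code from the post or from Pure IT CUSO. It assumes a 1-to-10 rating scale with 5 as the midpoint between “low” and “high”; the post names only the “act now” (upper right) and “can wait” (lower left) corners, so the labels for the two mixed corners (“plan” and “watch”) are this example’s own assumption. The two sample risks use the author’s own ratings from the text.

```python
from dataclasses import dataclass

# Rating scale: 1 = lowest, 10 = highest. The post rates the Lego at 7/7 and the
# shark jaw at 1/9; the ten-point scale and midpoint threshold are assumptions here.
SCALE_MIN, SCALE_MAX = 1, 10
THRESHOLD = 5  # ratings above this count as "high"


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # how likely the event is, SCALE_MIN..SCALE_MAX
    impact: int       # how bad it is if it happens, SCALE_MIN..SCALE_MAX

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently skew the ranking.
        for field, value in (("probability", self.probability), ("impact", self.impact)):
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{field} must be an integer in {SCALE_MIN}..{SCALE_MAX}, got {value!r}"
                )


def score(risk: Risk) -> int:
    """Single number for ranking: probability times impact (maximum 100)."""
    return risk.probability * risk.impact


def quadrant(risk: Risk, threshold: int = THRESHOLD) -> str:
    """Map a risk to the matrix corner it falls in.

    'act now' and 'can wait' are the post's two named corners; 'plan' and 'watch'
    for the mixed corners are labels assumed by this example.
    """
    high_p = risk.probability > threshold
    high_i = risk.impact > threshold
    if high_p and high_i:
        return "act now"   # upper right: likely and painful
    if not high_p and not high_i:
        return "can wait"  # lower left: rare and minor
    if high_i:
        return "plan"      # rare but painful: prepare a response, no rush
    return "watch"         # frequent but minor: tolerate, keep an eye on it


def rank(risks):
    """Highest score first; ties broken by impact so the more painful one leads."""
    return sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)


def register_report(risks) -> list:
    """One (name, score, quadrant) row per risk, in priority order."""
    return [(r.name, score(r), quadrant(r)) for r in rank(risks)]


if __name__ == "__main__":
    # The two scenarios from the post, using the author's own ratings.
    risks = [
        Risk("Stepping on a Lego (bare feet)", probability=7, impact=7),
        Risk("Stepping on the shark jaw", probability=1, impact=9),
    ]
    for name, s, q in register_report(risks):
        print(f"{s:3d}  {q:8s}  {name}")
```

Run as a script, the Lego lands in “act now” with a score of 49, and the shark jaw, despite the higher pain rating, scores only 9 and falls in the low-probability corner, which matches the post’s conclusion that it can wait. Swapping in a credit union’s real findings with the same two ratings each gives a first-pass priority order before cost, time to fix and regulatory factors are layered on.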
Having a standard reference to use when discussing risk will help your credit union communicate clearly. Many risk decisions will indeed need to weigh other factors such as cost, time to fix, regulatory concerns, etc. This method, while simple, will help separate the significant issues from the small ones and shorten the time needed to develop an overall risk mitigation strategy.
Stay healthy and avoid shark bites!
About the Author: Gene Fredriksen is the Principal Cybersecurity Consultant at Pure IT CUSO, where he has been serving credit unions of all sizes, and was named one of the top three cyber executives in the last 30 years. Gene brings candid experience to the service mission with strong technical and business analysis. He has expertise in information security, risk management, strategic planning, security and compliance unit development, project management, and system engineering strategy.
Want to read more from Gene? https://blog.pureitcuso.com/