
Is Risk Management a Flawed Principle?

May 18, 2009

After running several complex, sector-wide risk analyses and assessments over several years, I have become convinced that whatever method you follow to conduct risk management (quantitative or qualitative), you will at best end up with a reasonably good understanding of the actual risks, but never a complete, comprehensive one.

It's simply because all risk assessment methods have one thing in common: the human beings involved throughout the process (enumerating, evaluating, conducting, checking, auditing, etc.). We as humans have natural shortcomings when it comes to judging risk because:

– We over-react to immediate threats and under-react to long-term threats. (s1)
– We under-react to changes that occur slowly and over time. (s1)
– People exaggerate spectacular but rare risks and downplay common risks. (s2)
– People overestimate risks that are being talked about and remain an object of public scrutiny. (s2)

Sources: s1: “Stumbling on Happiness” by Daniel Gilbert, psychology professor at Harvard; s2: Bruce Schneier's “Beyond Fear” (pages 26-27).

So I was quite content when I came across this very insightful podcast (by the CERT Coordination Center) discussing this exact issue.

The podcast's argument is simply that RA (risk assessment) as we know it is inaccurate, ends up causing more problems, and overlooks others; instead we should go for standards/compliance checking based on accumulated experience, best practices, and bodies of knowledge.

I end by quoting one analogy that I liked from the podcast transcript. (The CERT podcasts are also available on iTunes.)

“I kept looking for more analogies, analogies where the systems that we needed to measure for safety in the physical world we inhabit are really hard to measure.
And that took me to food safety actually. It took me to thinking about how do you know whether or not it’s okay to eat in a particular restaurant. We’ve got a real measurement problem there because you can’t measure all of the food that comes out of a kitchen, it would be completely impractical. And yet it’s really, really important to know that food is being prepared in a safe way because if you don’t prepare food safely then people can be badly hurt. And so I started thinking about what is the essence of our public health system when it comes to food safety in particular?
Restaurants actually have more similarities to the kinds of business that we encounter in the digital world than you might think. Restaurants are a tough business to be in. There’s a lot of competitive pressure in them and there’s a lot of opportunities to make mistakes. I’ll tell you the thing that people don’t leap to immediately when I give them this analogy is they don’t think about the fact that restaurants are actually constantly under attack.

And they’re under attack by a global threat. And those global threats are diseases and they’re global because our food supply is global. And those diseases are adaptive. They might not adapt quite as quickly as new viruses pop up on the Internet but they do change. And so I started thinking about “Well how do restaurants make sure they’re safe?” And they make sure they’re safe by really checking the processes they use to prepare food. As opposed to trying to measure the end result, they measure the process by which they achieve that result. And I think that’s the same thing we need to do for software. We need to be looking at the processes used and make sure that best practices are used in the preparation of that software.” (End quote)