In a recent article we spoke about a privacy impact assessment (PIA) that did not consider all the risks. The resulting breach occurred, in part, because of the false sense of security created by the PIA.
In a previous article we outlined how a flaw in risk-thinking can increase risk by reducing efficiency and effectiveness.
Those articles might appear to conflict, but do they?
Not quite. They relate to two very different contexts and scenarios.
In the first case, data was shared with an external organisation.
In the second, the issue was internal access to data.
Are we saying that we need more control, or less?
We need to consider both, with the outcome being a balance of control. Lowering control in certain areas frees up time and resources, which creates room for increased control over the more important, higher-risk areas.
What’s driving the increase in risk?
Poor risk management. In both situations, the “management of risk” created more risk.
To explore this further, let’s look at the two examples, and a new one, to see how this happens.
Case 1: The privacy impact assessment
The specific situation resulted from many flaws. The PIA created a false sense of security as privacy appeared to have been adequately considered, when in fact it had not.
The blog that flowed from the investigation said:
“A privacy impact assessment is only as effective as the process, expertise, and analysis that sits behind it. Filling in a form or a template is not a guarantee that privacy has been protected. A check-box compliance approach to privacy is not enough.”
Here “risk management” actually increased risk by making management believe that they had done the right thing, but merely following the defined process was not enough; more thought was needed.
Case 2: The approach to user access
We argued that the approach to access should differ depending on the risk.
- For systems of record (e.g. accounting systems):
  - Access is restricted to maintain the integrity of recorded transactions.
  - This makes sense.
  - It is a proven, accepted risk management approach.
- For systems of information and intelligence (e.g. data warehouses):
  - Access is restricted for similar reasons, and sometimes also to maintain confidentiality. But this is flawed. It doesn’t manage the risk. Instead, it stifles innovation and productivity.
  - Unnecessary restrictions on access to information reduce the ability to make smart decisions. They also make it harder to understand customers.
  - Confidentiality can still be maintained where it matters (for example, by masking or pseudonymising the genuinely sensitive columns and logging who accesses them) without blanket restrictions on the whole data set.
Here “risk management” increased risk by blocking legitimate access and creating unnecessary burden.
Case 3: Another example
In this article we looked at how to use the results of audits to reduce risk, rather than just ticking a box.
Consider the issue that was raised along with other related matters, including past transactions, other similar processes and ongoing monitoring. In short, understand and fix the whole problem, not just the specific sample.
Unfortunately, the rigid fix-only-the-sample approach is the norm. Of concern, it creates the impression that progress is being made, i.e., that risk management is maturing. This is reported as such to executives and the board, with pats on the back for a job well done.
This complacency is exacerbated by risk teams that accept the closure of findings without thinking them through. This is often driven by one or more of the following:
- artificial remediation deadlines
- a poor understanding of risk
- risk- and control-related targets built into KPIs
- management not taking responsibility
Here “risk management” increased risk by making people believe that the risk was being managed. It looks like the control environment is strengthening, so it looks like the level of focus can be reduced.
What can we do about this?
Here are a few guidelines:
| # | Guideline | Example |
|---|---|---|
| 1 | Think about both upside risks and downside risks: are we stifling innovation and/or productivity? | e.g., Does the practice make it difficult to understand our customers and improve customer service? |
| 2 | If a risk can’t be eliminated, think about whether the activity that is generating the risk is worth doing. Does the benefit outweigh the risk? | e.g., Do we really need to share that potentially identifiable data with that external organisation? |
| 3 | Consider the level of diversity in risk teams. Do they all have the same background? | e.g., If they are all legal professionals, can we expect more than a legal- and compliance-focused approach? |
| 4 | Be aware that control remediation is not the same as risk reduction; in some cases, control remediation leads to increased risk. | e.g., Will fixing that particular control mean we reduce our focus on the underlying risk? |
| 5 | Be cautious when we feel a sense of security; it may very well be false. | e.g., When a risk assessment has not been completed properly. |
If these sound like common sense, it’s because they are, but we need to remind ourselves of this from time to time.
It is very easy to get swept up in “risk management” mumbo jumbo. We’ve all been there.
Are you thinking about risk and actively managing it, or are you constrained by a formulaic “risk process”?