Accepting the risk requires more than doing nothing

Whether you are an information security or audit professional, you belong to a community that focuses on risk. You’ve developed this risk focus because for most of you, your profession requires you to protect assets for which you probably do not have enough resources for. In many if not most situations, a risk assessment is performed that compares perceived threats to actual controls to identify gaps that result in some type of residual risk. You then decide whether to insure against the risk, implement additional controls to reduce the risk, or do nothing and accept the risk.

Reasons for accepting the risk and doing nothing vary

There are many reasons for accepting the risk and doing nothing. Some of these reasons are grounded in solid business decision making. Unfortunately, other reasons result from ignorance. Frequent causes that I’ve observed during my 35-year career of working with all types of organizations, for doing nothing and thereby accepting the risk include:

• It never happened yet – Perhaps the hardest argument is to convince someone that they need to prepare for something even though it hasn’t happened yet in their organization.
• It will never happen here – The organization is too small, unknown, or spends a lot of money already on other solutions.
• Ignorance by business stakeholder – This is a variation of the frequently quoted “ignorance is bliss,” and usually includes some form of the failure of the business stakeholder to understand and appreciate the risk and therefore it gets ignored.
• Ignorance by risk professional – As information security evolves into a profession and takes its rightful place alongside other professionals, “the profession” needs to ensure that its practitioners are up to date on the latest threats and are using recognized approaches to provide guidance to their stakeholders.
• Don’t have the resources or time – This can go both ways and includes both traditional expenditures and soft dollars. Many times organizations and their security practitioners seek to resolve the risk. Yet sometimes, due to their inefficiencies performing their jobs, resources are deployed to lessor risks or activities.
• Organizational silos – There are some very valid reasons why business stakeholders should protect their data. However, sometimes the motivation results more from organizational “turf battles” than actual care for the information. Although we need to respect organizational boundaries, we need to remind those charged with governance that criminals and hackers to not take a siloed approach to their work – rather they integrate what they need to do to accomplish their objectives.
• It’s not cost beneficial – This can be a very valid reason. Generally the cost of the control should not exceed the impact of the risk actually occurring.
• Can’t quantify the return on investment (ROI) – Unfortunately resources for most organizations are scarce, and in some it is hard to obtain needed resources unless the requestor can quantify the potential benefits and costs. Unfortunately many in the profession do not have access to the data that would enable them to provide the requisite information to their stakeholders.

Expectations for rationalizing risk acceptance continue to increase

Both financial and industry regulators continue to enhance their expectations on how organizations accept the risk. For financial reporting purposes (and Sarbanes-Oxley compliance), you will need to document an alternative control or reason why the risk will not materially impact the financial statements (although a complex accounting process, for our purposes think of materiality as impacting the decision making of the financial statement user – e.g., shareholder, regulator, creditor, customer or employee).

For a regulated organization, accepting the risk gets a little more complicated.  Organizations will need to determine if the risk impacts a regulatory requirement (e.g., a law or something else that must be done) or if the risk impacts regulatory guidance (e.g., a best or other recommended practice). In either case, the organization may (and will) probably need to justify their decision to do nothing to some type of outside auditor or regulator.

Accepting the risk requires more than doing nothing from risk professionals

It has been frequently said that business plans derive their benefits not because they are a written document but rather because they force “tough” thinking and conversations that are the pre-requisites to developing the plan itself. Despite the efforts involved in documenting the risk acceptance decision, organizations, their risk management professionals and business executives should be able to realize similar benefits to formalizing the risk acceptance decision. 

Taking the next step and documenting the risk acceptance decision need not be complex or administratively burdensome. An understanding of the threat and either mitigating (e.g., why the risk level can be reduced to an acceptable level) or compensating (other factors that when considered together reduce the risk level) should be clearly explained. When available the ability to quantify potential impacts can further justify causes. Other information such as probabilities of occurrence and value at risk can provide a more fuller rationalization as to why no action was taken to address the risk.

You can’t do nothing until they agree with you

The risk is not accepted until all key stakeholders agree and physically sign a risk acceptance document noting their agreement that no further action will be taken.  During the decision-making process, the business stakeholder is typically the greatest advocate for accepting the risk and placing undue pressure on risk management and auditing professionals to concur. After a risk (or threat is exploited) fingers unfortunately point to these professionals. Having everyone’s signature evidencing why we all accepted the risks provides the shared accountability for doing nothing – just in case we are asked about it in the future.