It is important for your company to identify the risks you should be taking as part of being in your business... like a supermarket does when stocking okra.

IT risk is well defined by the ISACA organization in the Risk IT Framework. It says, “IT risk is business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.” This means that IT risk is no longer relegated to some back office, but is part of how the company evaluates its place and permanence in the market. I particularly like their line a bit further down, which states, “IT risk always exists, whether or not it is detected or recognized by an enterprise.” This is the clarion call for risk management. Either you understand and control your risks, or they will control your business.

When you think about it, a company is in business because it is willing to take risks that its customers aren’t willing to take. As an example, think of a grocery store. You might think that a grocery store doesn’t engage in risky behavior, but I would disagree. A grocery store stocks okra. Okra is a horrible vegetable. It tastes like slimy green beans. For a grocery store, okra takes shelf space and represents an investment – hoping that someone will buy it. Even if you like okra, you can recognize that stocking okra represents a risk that many households aren’t willing to take on. It could rot in the refrigerator or end up as the battleground with finicky children at the dinner table.

The issue of risk isn’t limited to okra for grocery stores. They stock perishable food and fill shelves with items that may not sell. However, these types of risks are aligned with a grocery store’s main objective. In other words, these risks are on-strategy for a grocery store. If, on the other hand, customers asked the grocery store to extend credit to pay for their food, that would be a risk that is not aligned, or off-strategy.
For banks, extending and managing credit for their customers is on-strategy. It is important for your company to identify the risks that are on-strategy—the ones you should be taking as part of being in your business. This insight helps determine which risks are okay to take on, which need to be controlled, and which should always be avoided.

The main reason it is important to identify good risk and bad risk is that everyone in your company makes decisions each day based on their understanding of the company’s strategy and their acceptance of, or tolerance for, risk. You help employees make better decisions when you identify the company’s risk acceptance limits and communicate them. For example, a software developer may be conflicted about whether to add error handling or release new code on schedule. Understanding the company’s tolerance for risk will help in making that decision.

For a more focused discussion, look no further than your company’s policy toward system and application patching. When your IT team is weighing the risk/reward tradeoff of applying the latest system patches, they need plenty of information to make an informed decision, and asset management is a key source of the information that helps reduce that risk.

Employees also need to understand the organization’s tolerance toward the risk of cyber attacks. Like so many companies before, if the IT team doesn’t know the risk tolerance toward breaches and loss of customer data, they just might make the wrong decisions. Clarifying which risks are acceptable versus which should be avoided will enable employees to make decisions that consistently move your company in the right direction.