Monday, March 1, 2010

Risk Management: YOU Are a risk manager!

Risk management. Assessment, vulnerabilities, threats, and impact. Mitigation, assignment, acceptance. If you don’t do security for a living, or do it as a purely technical activity, these can sound like terms from some arcane art practiced by wizards, sorcerers, actuaries, and mutual fund managers. Today we start taking the mystique out of it and showing that it’s something nearly everyone does every day. Let’s start talking about risk assessment by defining some terms:

A threat is a bad thing that can happen. It’s measured as a percent chance per unit time. (If you’re likely to lock yourself out of your car once every 10 years, it’s a 10% per year threat, or a “.1 threat” for short. If you do it every 6 months, it’s a “2 threat”.)

Impact is the cost of the threat happening. It’s usually measured in dollars or time – and time is money. (If it costs you $100 to have a locksmith key you into your car, it’s a $100 impact.) I say usually because not every impact is measurable. If you lock yourself out of your car and your Significant Other is annoyed because now you’ll be late, how much money is that annoyance?

Vulnerability is how likely you are to be affected by the threat. (If your Significant Other also has a car key, you’re only locked out if you forget your key when they’re not around. If you’re only with them half the time, you’re 50% vulnerable.)

Risk is the product of those three numbers: threat x vulnerability x impact. In our example:
Risk = .1 (10% threat) x .5 (50% vulnerability) x $100 = $5 risk. On the other hand, if you forget your keys twice a year, it’s a $100 risk (2 x .5 x $100).

That’s it! If you can figure out the numbers for a threat, its impact, and your vulnerability to it, you’ve assessed the risk. The biggest trick to this is figuring out what all the threats are ahead of time.

Of course, there’s math involved. For some reason, lots of people have been taught that math is hard, much too hard for them to do, and that can make this look daunting. Don’t be daunted, or if you’re finding yourself daunted, let me help you get past that – fear of numbers is part of the tears we're doing away with.

The nice thing about the numbers in the risk assessments most of us have to do in our lives is that we don’t have to be very precise. Does it really matter if I lose my car keys once every 9 years or 10? Does it really matter if the locksmith will charge me $100 or $99.95 plus tax? Rarely. If it’s hard to get exact figures, round them off. If even rough figures are hard to come by, define your own notions of small, medium, and large for threat, impact, and vulnerability, and use ‘1’ for small, ‘2’ for medium, and ‘3’ for large, which will give you risk rankings from 0-9. Trust me – lots of multi-billion dollar businesses do it this way. I know of at least two that define a “small” risk as multiple millions of dollars per year, and think of spending time doing risk analysis on a mere hundred-thousand-dollar-per-year risk as a threat in and of itself.
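Here is the whole assessment from the definitions above written out as a small threat register, as an added example that is not from the original post. It uses the post's car-key figures (threat .1 or 2 per year, vulnerability .5, impact $100) plus two entries I made up, computes risk = threat x vulnerability x impact in dollars per year, and also does the coarse small/medium/large (1/2/3) version. The cut-offs for what counts as small, medium or large are this example's own assumptions, since the post leaves them to you. The one edge case the code takes care of is the annoyed-partner problem: an impact you can't put in dollars is carried as a blank rather than silently becoming zero, so it never ranks as "no risk".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    """One entry in a personal threat register (names and figures constructed for this example)."""
    name: str
    rate: float                # threat: expected occurrences per year (0.1 = once every 10 years)
    vulnerability: float       # share of occurrences that actually hit you, 0.0 to 1.0
    impact: Optional[float]    # dollars per occurrence; None when the cost can't be put in dollars


def risk_dollars(t: Threat) -> Optional[float]:
    """Risk = threat x vulnerability x impact, as expected dollars per year.

    Returns None (a blank, not a zero) when the impact is unmeasurable, so an
    unpriced risk is never mistaken for a risk of nothing.
    """
    if t.rate < 0:
        raise ValueError(f"{t.name}: threat rate must be >= 0 occurrences per year")
    if not 0.0 <= t.vulnerability <= 1.0:
        raise ValueError(f"{t.name}: vulnerability must be a probability between 0 and 1")
    if t.impact is None:
        return None
    return t.rate * t.vulnerability * t.impact


# Assumed cut-offs for the small (1) / medium (2) / large (3) ratings. The post says to
# define these yourself; these particular values are this example's choice, not the author's.
RATE_CUTOFFS: Tuple[float, float] = (0.5, 2.0)        # < 0.5/yr small, < 2/yr medium, else large
VULN_CUTOFFS: Tuple[float, float] = (0.34, 0.67)      # thirds of the 0..1 range
IMPACT_CUTOFFS: Tuple[float, float] = (100.0, 1000.0)  # < $100 small, < $1000 medium, else large


def rate_1_to_3(value: float, cutoffs: Tuple[float, float]) -> int:
    """Map a raw figure onto the 1/2/3 scale using the given (small_max, medium_max) cut-offs."""
    small_max, medium_max = cutoffs
    if value < small_max:
        return 1
    if value < medium_max:
        return 2
    return 3


def risk_ranking(t: Threat, impact_rating: Optional[int] = None) -> int:
    """Coarse version of the same formula: rate each factor 1, 2 or 3 and multiply.

    An unmeasurable impact can still be rated by judgement: pass impact_rating explicitly.
    """
    if t.impact is None:
        if impact_rating is None:
            raise ValueError(f"{t.name}: impact is unmeasurable; supply impact_rating (1-3)")
        impact_score = impact_rating
    else:
        impact_score = rate_1_to_3(t.impact, IMPACT_CUTOFFS)
    if impact_score not in (1, 2, 3):
        raise ValueError(f"{t.name}: impact_rating must be 1, 2 or 3")
    return rate_1_to_3(t.rate, RATE_CUTOFFS) * rate_1_to_3(t.vulnerability, VULN_CUTOFFS) * impact_score


def rank_register(register: List[Threat]) -> List[Tuple[Threat, Optional[float]]]:
    """Sort highest dollar risk first; unmeasurable impacts go last, flagged for judgement."""
    measurable = [(t, risk_dollars(t)) for t in register if t.impact is not None]
    unmeasurable = [(t, None) for t in register if t.impact is None]
    measurable.sort(key=lambda pair: pair[1], reverse=True)
    return measurable + unmeasurable


# Constructed register: the post's own car-key figures plus two made-up entries.
REGISTER: List[Threat] = [
    Threat("locked out of car, partner has a spare key", rate=0.1, vulnerability=0.5, impact=100.0),
    Threat("locked out of car, forget keys twice a year", rate=2.0, vulnerability=0.5, impact=100.0),
    Threat("laptop drive fails, no backup", rate=0.2, vulnerability=1.0, impact=2000.0),
    Threat("partner annoyed because you're late", rate=2.0, vulnerability=0.5, impact=None),
]

if __name__ == "__main__":
    for threat, dollars in rank_register(REGISTER):
        shown = "unmeasurable" if dollars is None else f"${dollars:,.2f}/yr"
        rating = risk_ranking(threat, impact_rating=2 if threat.impact is None else None)
        print(f"{shown:>14}  rating {rating:>2}  {threat.name}")
```

Running it prints the register highest risk first, which is the point of the exercise: the list tells you where mitigation money is worth spending before you look at any single number too closely. Note that the rating column and the dollar column can disagree (the twice-a-year lockout rates 12 but costs less than the drive failure that rates 9), which is exactly why the coarse scale is for prioritising, not for pricing.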

If you've ever asked yourself "What are the odds?" you've assessed risk.

What are some of the threats in your life? As I said, the hardest part of this is figuring out what they are, so perhaps we can all come away with something if we pool notes on what’s out there.

Next time, I’ll write about risk mitigation, which is how you reduce your risk – usually by reducing your vulnerability, but not always.