Up front props:
1. In the “risk universe” square, I used the “evolving change categorizations” from a Joshua Corman blog post found here.
2. I heard the term “risk ecosystem” from Microsoft’s Mark Curphey in a video related to a risk repository web app they recently released called “Risk Tracker” (either here or here). I found the term to be valuable in the context of this blog post.
3. The approach to the image above was not solely mine; I just embellished and sanitized an idea from someone here at my employer.
Some terminology declarations:
I am using the word risk in a variety of capacities in this post.
In some cases, it is being used in the context of a threat (storm heading in my direction).
In other cases it is being used in the context of a derived value: the probable magnitude and frequency of loss, in dollars ($).
I am using the term “risk issue” or “risk finding” to mean a documented risk that requires a decision from management to either assume or mitigate.
Finally, the database symbol titled “Risk Rep.” is short for “risk repository”.
I have recently been in a few conversations related to when a “risk” (or threat) becomes a “risk issue”. Most of these conversations have been with information security risk management executives, which implies “philosophizing”, evangelizing, white boarding, and of course – excessive use of non-risk management analogies to reflect risk management concepts. In the end, these conversations turned out to be valuable because they forced the group to really understand when a risk (threat) becomes a risk issue in our environment. In other words, what are the various lenses through which we analyze threats or risk to determine that we need to document a risk finding?
I will let you noodle the image and underlying concept on your own. However, below are a few parting points I would like to make.
1. There is a difference between grandstanding on risks (threats) that pose no threat to your company and managing risk issues within your own risk ecosystem. Think “solar storm heading directly to Mars” versus “a storm cell that is 10 miles away with 65 mile per hour winds headed directly towards us”.
2. If a risk (threat) is important enough to grandstand on AND to begin mitigating – then it is no longer a risk, but a risk issue – and should be managed as such.
3. Emerging risks – or threats – somewhat fall in between the two above. You may want to let management know about some potential exposure – but there is nothing that needs to be addressed today.
Feel free to share any thoughts you have!