Wonder Twin Powers Activate…

March 7, 2013

…form of risk professional. I really miss blogging. The last year or so has been a complete gaggle from a relocation and time-management perspective. So naturally, discretionary activities – like blogging – take a back seat. I want to share a few quick thoughts around the topic of transitioning from a pure information technology / information security mindset to a risk management professional mindset.

1. Embrace the Gray Space. Information technology is all about bits, bytes, ones and zeros. Things either work or don’t work; it is either black or white, it is either good or bad – you get the point. In the discipline of risk management we are interested in everything between the two extremes. It is within this space where there is information to allow decision makers to make more well informed decisions.

2. Embrace Uncertainty. Intuitively, the concept of uncertainty is contrary to a lot of information technology concepts. Foundational risk concepts revolve around understanding and managing uncertainty and infusing it into our analysis / conversation with decision makers. There is no reason why this cannot be done within information risk management programs as well.  At first, it may feel awkward as an IT professional to admit to a leader that there is uncertainty inherent within some of the variables included in your analysis. However, what you will find – assuming you can clearly articulate your analysis – is that infusing the topic of uncertainty in your conversations and analysis has indirect benefits. Such an approach implies rigor, maturity and builds confidence with the decision maker.

3. Find New Friends. Notice I did not type find different friends. There is an old adage that goes something to the effect of “you are who you surround yourself with”. Let me change this up: “you are who you are learning from”. You want to learn risk management? Indulge yourself in non-IT risk management knowledge sources, learn centuries old principles of risk management and then begin applying what you have learned to the information technology / information security problem space. Here are just a few places to begin:

a. https://www.societyinforisk.org/
b. Risk Management Magazine
c. The Risk Management Society
d. Property & Casualty  – Enterprise Risk Management

4. Change Your Thinking. This is going to sound heretical but bear with me. Stop thinking like an IT professional and begin thinking like a business and a risk management professional. Identify and follow the money trails for the various risk management problem spaces you are dealing with. Think like a commercial insurer. An entire industry exists to reduce the uncertainty associated with technology-related, operational risk – when bad things happen. Thus, learn how commercial insurers think so you can manage risk more effectively without having to overspend on third party risk financing products – as well as manage risk in such a way that can tie back to the financials – feelings and emotions. This is why I am so on-board with the AICPCU’s Associate in Risk Management (ARM) professional designation. You can also check out the FAIR risk measurement methodology which is also very useful for associating loss forms to adverse events which can also help tell the story around financial consequences.

5. Don’t Die On That Hill. I have to thank my new boss for this advice. Choose your risk management battles wisely and in the heat of the conversation ask yourself if you need to die on this hill. Not all of our conversations with decision makers, leaders or even between ourselves – as dear colleagues – is easy. It is way too easy for passion to get in the way of progress and influencing. Often, if you find yourself “on the hill” asking if you need to die – something has gone terribly wrong. Instead of dying and ruining a long term relationship – take a few steps back, get more information that will help in the situation, regroup and attack again. This is an example of being a quiet professional.

That is all for now. Take care.


The AICPCU ‘Associate in Risk Management’ (ARM)

September 14, 2012

A year or so ago I stumbled upon the ARM designation that is administered through the AICPCU or ‘the Institutes’ for short. What attracted me then to the designation was that it appeared to be a comprehensive approach to performing a risk assessment for scenarios that result in some form of business liability. Unfortunately, I did not start pursuing the designation until July 2012. The base designation consists of passing three tests on the topics of ‘risk assessment’, ‘risk control’ and ‘risk financing’. In addition, there are a few other tests which allows one to extend their designation to include disciplines such as ‘risk management for public entities’ and ‘enterprise risk management’.

I am about two months into my ARM journey and just passed the ARM-54 ‘Risk Assessment’ test. I wanted to share some perspective on the curriculum itself and some differentiators when compared to some other ‘risk assessment’ and ‘risk analysis / risk measurement’ frameworks.

1. Proven Approach. Insurance and risk management practices have been around for centuries. Insurance carriers especially those who write commercial insurance products are very skilled at identifying and understanding the various loss exposures businesses face. Within the information risk management and operational risk management space, many of the loss exposures we care about and look for are the same that insurance carriers may look for when they assess a business for business risk and hazard risk; so they can create a business insurance policy. In other words, the ‘so what’ associated with the bad things we and insurance carriers care about is essentially a business liability that we want to manage. Our problem space / skills and risk treatment options may be slightly different but the goal of our efforts is the same: risk management.

2. Comprehensive. The ARM-54 course alone covers an enormous amount of information. The material easily encompasses the high level learning objectives of six college undergraduate courses I have taken in the last few years:

– Insurance and Risk Management
– Commercial Insurance
– Statistics
– Business Law
– Calculus (Business / Finance Problem Analysis / Calculations)
– Business Finance

The test for ARM-54 was no walk in the park. Even though I passed on the first attempt, I short-changed myself on some of the objectives which caused a little bit of panic on my part. The questions were well written and quite a few of them forced you to understand problem context so you could choose the best answer.

3. ‘Risk Management Value Chain’. Some of the following thoughts are the largest selling points of this designation compared to other IT risk assessment frameworks, IT risk analysis frameworks and IT risk certifications / designations. The ARM curriculum connects the dots between risk assessment activities, risk management decisions and the financial implications of those decisions at various levels of abstraction. This is where existing IT-centric risk assessment / analysis frameworks fall short – they are either to narrow in focus, do not incorporate business context, are not practical to execute or in some cases, not useful at all in helping someone or a business manage risk.

4. Cost Effective. For between $300-$500 per ARM course – one can get some amazing reference material and pay for the test. Compare that to the cost of six university courses (between $6K – $9K) or the cost of one formal risk measurement course (~$1k). I am convinced that any risk management professional can begin applying learned concepts from the ARM-54 text within hours after having been introduced to the text. So just the cost of the text books alone (~$100 give or take) is justified even if you do not take the test(s).

5. Learn How To Fish. Finally, I think it is worth noting that there is nothing proprietary to the objectives and concepts presented in the ARM-54 ‘Risk Assessment’ curriculum. Any statistical probability calculations or mathematical finance problems are exactly that – good ole math and probability calculations. In addition, there is nothing proprietary about the methods or definitions presented as they relate to risk assessments or risk management proper. This is an important selling point to me because there are many information risk management practitioners that are begging for curricula or training such as ARM where they can begin applying what they are learning and not be dependent on proprietary tools, proprietary calculations or pay for the license to use a proprietary framework.

In closing, the ARM-54 curriculum is a very comprehensive risk management curriculum that establishes business context, introduces proven risk assessment methods, and reinforces sound risk management principals. In my opinion, it is very practical for the information / operational risk management professional – especially those that are new to risk management or looking for a non-IT or non-security biased approach to risk management – regardless of the industry you work in.

So there you have it. I am really psyched about this designation and the benefits I am already realizing in my job as a Sr. Risk Advisor for a Fortune 200 financial services firm. I wish I would have pursued this designation two years ago but I am optimistic that I will make for lost time and tangible business value very quickly.


Assurance vs. Risk Management

August 29, 2012

One of my current hot button is the over-emphasis of assurance with regards to risk management. I recently was given visibility to a risk management framework where ‘management assurance’ was listed as the goal of the framework. However, the framework did not allow for management to actually manage risk.

Recently at BSidesLA I attempted to reduce the definitions of risk and ‘risk management’ down to fundamental attributes because there are so many different – and in a lot of cases contextually valid – definitions of risk.

Risk: Something that can happen that can result in loss. It is about the frequency of events that can have an adverse impact to our time, resources and of course our money.

Risk Management: Activities that allow us to reduce our uncertainty about risk(s) so we can make good trade off decisions.

So how does this tie into assurance? The shortcoming with an assurance-centric approach to risk management is that assurance IMPLIES 100% certainty that all risks are known and that all identified controls are comprehensive and effective. An assurance-centric approach also implies that a control gap, control failure or some other issue HAS to be mitigated so management can have FULL assurance regarding their risk management posture.

Where risk management comes into play is when management does not require with having 100% assurance because there may not be adequate benefit to their span of control or the organization proper. Thus, robust risk management frameworks need to have a management response process – i.e. risk treatment decisions – when issues or gaps are identified. A management response and risk treatment decision process has a few benefits:

1. It promotes transparency and accountability of management’s decisions regarding their risk management mindset (tolerance, appetite, etc.).

2. It empowers management to make the best business decision (think trade-off) given the information (containing elements of uncertainty) provided to them.

3. It potentially allows organizations to better understand the ‘total cost of risk’ (TCoR) relative to other operational costs associated with the business.

So here are the take-aways:

1. Assurance does always not equate to effective risk management.

2. Effective risk management can facilitate levels of assurance, confidence as well one’s understanding of uncertainty regarding loss exposures they are faced with.

3. Empowering and enabling management to make effective risk treatment decisions can provide management a level of assurance that they are running their business they way they deem fit.


What’s Your Target?

May 19, 2011

Been awhile since I publicly blogged. Between family, work, school, podcasting, helping run the Society of Information Risk Analysts (SIRA) and some public speaking – time has been limited. I want to briefly write about targets today.

I have had the privilege to speak twice in the month of May. The first engagement was at Secure360, an awesome regional information security conference based out of St. Paul, Minnesota. Mr. Jack Jones and I partnered up to give a talk about having a ‘seat at the table’. Specifically, speaking in a language that our IT and business leaders understand, establishing perspective, gaining influence, and providing value to our leaders so they can effectively manage risk. The talk appeared to be well received and there have been a few follow-up conversations with some information security professionals that want to up their game – which was the point to begin with.

Earlier this week I had the privilege to speak about IT risk management – specifically IT risk quantification – as part of the ‘CIO Practicum’ series at the University of Kentucky. The theme of this particular event was “Security for Grown-Ups”. I found myself in a room of IT and business executives who came to get a glimpse of how information risk management functions can begin adding value to the business or organization. My take-away from the event was that IT and business executives are craving value-add from information risk management functions (security, continuity management, compliance, etc.). Let me repeat in bold capital letters: IT AND BUSINESS EXECUTIVES ARE CRAVING VALUE FROM INFORMATION RISK MANAGEMENT FUNCTIONS.

So here is the dilemma. Information risk management professionals want to add value and our IT and business executives want [expect] value. How can we achieve goodness?

In order to achieve goodness, you and your leadership have to define it for your organization – you have to have a vision or a target to direct your efforts toward. It requires relationship building with your leadership and executives to develop a sense of mutual trust, perspective and shared understanding about why the organization exists, how the information risk management function fits into the organization as well as how the information risk management function contributes to helping the organization reach its goals and fulfill its strategy.

If you are an information risk practitioner, security, continuity management or compliance professional – what is the target that the outcomes of your efforts are directed towards? If you don’t know – figure it out quickly. Better yet – if your manager or other leaders cannot tell you then be proactive and work with your leadership to help define it.

If you are an IT or business executive that happened to stumble on this blog post – let me ask you a question. Have you established a vision or target for your information risk management function(s) to direct their efforts toward? If so – how is it working out? Is value being added? If a vision or target has not been established, why not?

Thoughts?