What Is Risk Management?

What do you think of when you hear the word “risk?” 

YOLO leveraged bets into companies without a competitive moat or healthy balance sheet?

Squirrel suit base jumpers with a death wish?

I think of Star Wars and the mighty but vulnerable Death Star.

As that story illustrates, humans struggle with vast, nuanced data, making risk management challenging. As Nicolas Taleb explains it, we're often "fooled by randomness," leading to suboptimal strategic decisions.

What Star Wars Teaches Us About Risk Management

Know Your Weakness: The Mighty but Vulnerable Death Star

The Death Star: a colossal asset with the power to obliterate entire planets and bring the rebellion to its knees, but it was not without its Achilles' heel - a seemingly insignificant thermal exhaust port.

An analysis of the plans provided to the Rebellion by Princess Leia demonstrated a weakness in the battle station … only two meters wide, [there] was a small thermal exhaust port, right below the main port. AND ... the shaft led directly to the reactor system.

This obscure vulnerability, when overlooked, spelled immense disaster for the Empire.

As you recall, this is the three-part story of how the saga played out (Threat, Control, and Exploit):

The Rebellion had a brand new X-Wing pilot who used to bullseye < 2 meter length womprats in his T16 back on his home planet of Tatooine.

But Upper management in the Empire, led by Tarkin, with the help of his GRC team had designed and implemented controls to neutralize threats like X-WIngs.
Vulnerability? Prime for exploitation. Force-driven Proton Torpedos, making impossible bends resulting in a severe threat incident.

Bad Risk Management Has Consequences

It’s a poignant reminder for us that ignoring even the smallest of risks can have monumental repercussions.

Just for fun, if we were to quantify the loss in Star Wars currency, it would be an eye-watering 92 sextillion intergalactic planetary credits!

That’s called a catastrophic event.

An incalculable loss in a galaxy far far away that someone on the internet actually calculated for us. The internet has an answer for anything.

The Three Pillars of Risk Management

Effective risk management is anchored by three foundational elements:

1- Inherent Risk

Both the inherent likelihood and the inherent impact of a threat exploiting a vulnerability without any controls in place.

2- Risk Treatment

Strategies that encompass modifying and refining processes, as well as sharing, transferring, or directly embracing risks.

  • Mitigate: Minimize the risk with controls and/or enhancements.
  • Share: Divide risk via partnerships and/or collaborations.
  • Transfer: Delegate risk using insurance and/or outsourcing.
  • Accept: Recognize risk, a deliberate decision, and implement no control.
  • Avoid: Don’t proceed with or discontinue activity.

3- Residual Risk

Both the inherent likelihood and the inherent impact of a threat exploiting a vulnerability with controls in place.

Qualitative vs. Quantitative Risk Assessment

While qualitative assessments are beneficial for a bird's-eye view, they might lack the intricacy needed for precision. I've always believed that a mere label like "high" or "low" might not always encapsulate the entire story.

This is where quantitative assessments come into play, diving deeper and harnessing data to get a clearer picture of risks. Here's a useful formula:

Risk Impact (R) = threat (t) × vulnerability (v) × assets impacted (a) × probability (p)

By applying this, we can glean invaluable insights, which in turn can guide us to reassess and refine our risk strategies.

Risk assessments are not meant to be precise. We are trying to get an idea of the relative importance of certain risks, so that we can be wise stewards of the resources we've been given. 

The Galactic Lessons on Risk

The Death Star, with its vast power, had a seemingly minuscule yet fatal vulnerability: a tiny thermal exhaust port.

This oversight teaches us that in risk assessment, it’s crucial to recognize all vulnerabilities, no matter how small. It emphasizes the importance of combining broad qualitative assessments with detailed quantitative evaluations to ensure no threat, regardless of its size, goes unnoticed. 

The Future of Risk Assessment

The best risk managers in the future will look and perform a lot like the best risk managers of today.

In risk management, experience will always matter. Data will always matter.

So we'll continue to use a mix of qualitative and quantitative risk assessment. Though, AI will likely give each risk manager their very own C-3PO.

Learn More About Risk Management

Proactive measures are essential in safeguarding against potential threats. This point is starkly underscored by Kaspersky's 2021 Incident Response report, which reveals that unpatched vulnerabilities top the list as the primary vector for attacks.

Such vulnerabilities pose a critical risk that organizations must manage. Ensuring that your systems are regularly updated and that patches are applied promptly, especially to internet-facing devices, is not just good practice – it's a crucial defense strategy.

→ For a deeper dive into the significance of these findings and to learn how your organization can prioritize and address vulnerabilities effectively, read the Debra Baker's detailed insights from the 2021 Kaspersky State of the Cyber Incidents Report.

→ For additional reading on risk management, check out our article about why security measures fail.

Improve Your Security Plan with Paramify

The best security starts with the best strategy – after all, a math equation that starts wrong, stays wrong. Start with great security by using Paramify – the only automated security planning and documentation generation software.

Get your fast, high-quality gap assessment and automatically generated compliance documentation, so you can put your focus on creating the excellent security your customers deserve.

Want to see it in action? Schedule a free, live demo or sign up below to request a video demo straight to your inbox.

Watch More: 

How Risk Solutions improve your security posture:

Kenny Scott
Oct 2024
Related posts

Paramify blog

Interviews, tips, guides, industry best practices, and news.
No items found.