In a previous note I proposed the following definition:
Risk Decision. A decision by the leadership of an
organization to accept an option having a given risk function in preference to
another, or in preference to taking no action.
I assume that competent leadership of any organization worth its pay can
make such a decision, at the appropriate level of seniority.
The term is shorthand for a decision between alternatives,
at least one of which has a probability of loss. (Usually in cyber risk we are concerned
with losses, but all the ideas extend naturally to upside or opportunity
risk. Few people and fewer organizations
take on risk without some expectation of advantage, if only cost avoidance.)
The definition depends on the idea of a risk function (AKA “the risk” of something) as:
The probability distribution of loss magnitudes for some
stated period of time, such as one year.
This is what I think most people really mean when they speak of the
“risk” of something.
I like to think of the risk function in terms of its loss exceedance curve, the probability
distribution that a particular loss magnitude will be exceeded, for the given
time frame, as a function of the loss magnitude. The nearby graphic illustrates two possible
loss exceedance curves for a “before” and “after” assessment of an investment
which is supposed to reduce risk.
These curves are the final quantitative result of a risk
analysis of a particular scenario. The
decision problem is whether to invest in the control or not. (It may be a web application firewall, for
instance.) The analysis says, for
instance, that investing in the control will reduce the chance of annual loss
greater than $40K from 95% to 20%. Sounds
pretty good!
Of course there is more to it. Management needs to know how much the control
will cost. Costing out a control,
including recurring and non-recurring costs, cost of capital, staff support,
all in, is a well-established discipline compared to risk analysis, so let’s assume
it has been done. Suppose the price tag
is $20K. Management has to decide if the
reduction in risk is worth the cost.
There has been much agonizing in the literature about how a
rational actor can consistently choose among risk functions. The most prominent approach is Von-Neumann-Morgenstern
utility. Its main result is that, given
any risk function, a rational actor can assign a number with his personal
utility function such that more-preferred risk functions always have higher
numbers than less-preferred ones. It’s a
nifty but impractical result for several reasons. For one thing, it turns out to be hard to
estimate a person’s utility function.
And if it’s hard for the average person, you will not get many a CEO to
sit still for the exercise. For another,
risk decisions, especially big ones, are often made jointly by multiple
stakeholders, like the CIO, CFO and CEO, for good reasons. Getting a utility function for a committee is
even harder. Finally, senior managers
have an understandable need to “do a gut check” and personally engage with big
decisions. They are not going to
delegate the decision to a formula, nor should they.
So I assume that, given two risk functions, leadership can
and will know which they prefer. Making
risk decisions is what they are paid to do.
This is the reason for my definition of a “risk decision.”
The definition has some immediate implications. The first is that through a series of
pair-wise comparison leadership can set any set of risk functions in order from
most-preferred to least-preferred. On
one end, the reaction is, “This is great!
Where do I sign?” At the other it’s
“Over my dead body.” In between there is
a zone of indifference where management thinks “I don’t really care one way or
the other.”
Next, having in principle ranked a bunch of risk functions,
management will say that there are some I just would not choose if I had the
option not to. So there is a notion of
“this far and no further” in the pursuit of our goals. This is the basis of the definition of:
Risk Appetite. The worst (least-preferred) set of
probability distributions of loss magnitudes that the management of an
organization is willing to voluntarily accept in the pursuit of its objectives.
In other words, in our ranking scheme, these are the ones
just a little better than unacceptable, if we have a choice.
But what management doesn’t have a choice? Threats can be discovered that we would not actively
accept in the furtherance of our objectives.
Some we can live with even if we prefer not to. The worst (least-preferred) risk functions
that we are willing tolerate if imposed upon us leads to:
Risk Tolerance. The set of least-preferred probability distributions
of loss magnitudes that the management of an organization is willing to accept
when presented with them involuntarily.
Risk Tolerance is by definition greater than (includes more
probability distributions of losses) than Risk Appetite. The key is involuntariness.
So we have three sets of risk functions: those we are willing to choose in pursuing
our objectives, those we are willing to accept but not opt for, and those we
cannot abide. And within those sets
there may well be ones that we have about the same preferences for even if their
risk functions differ.
What if a loss exposure (aka risk function for a scenario)
is discovered that is worse than our
risk tolerance? Well then it is by
definition intolerable and we have to do something to mitigate or avoid it. A
threat of this nature is almost by definition an existential threat to the
organization – it threatens the ability of the organization to achieve its
goals or perhaps even survive. But
that’s another topic: business
continuity planning.
No comments:
Post a Comment