American investor and businessman Warren Buffett once said, “Risk comes from not knowing what you are doing.” I say that risk is an inescapable part of nature, especially in Information Technology. Ignoring risk comes from not knowing what you are doing.
When risks are identified at your organization, there are typically four treatment options to choose from: accept the risk, mitigate the risk, transfer the risk, or avoid the risk. For clarification, let’s define each:
Accept the Risk – Accepting the risk is a Senior Management decision that should be made by comparing the cost of mitigating the risk to the potential impact if that risk is exploited. For instance, you discover a web vulnerability that could allow an attacker to launch a Denial of Service attack against your system. After researching the issue, you determine that the cost to mitigate it is $25k and that the potential loss if a DoS attack occurs is nominal. Since the cost to mitigate is high compared to what would happen if the attack occurred, Senior Management makes the decision to accept the risk. An accepted risk should be recorded, with an owner and a review date, because the impact estimate that justified accepting it (for example, how much the affected system matters to the business) can change over time.
Mitigate the Risk – Mitigating the risk is the act of reducing its likelihood or its impact, up to and including eliminating it. Using the scenario above, imagine the cost to mitigate is $25k and the potential loss is millions of dollars. The best decision is to spend the $25k and fix the identified vulnerability. Keep in mind that most mitigations reduce a risk rather than eliminate it; whatever remains (the residual risk) still has to be accepted, transferred, or avoided.
Transfer the Risk – Transferring the risk can occur in two different ways. You can outsource the function or process that is at risk to a third party, contractually making them responsible for that risk, or you can purchase insurance. A contract or an insurance policy shifts the financial consequences, not the accountability: if the outsourced system is breached, it is still your data and your customers that are affected, and a policy only pays out within its coverage limits and exclusions.
Avoid the Risk – Avoiding the risk is the act of eliminating the exposure altogether by not doing the thing that creates it: retiring the vulnerable application, turning off the feature, or not launching the service at all. Doing nothing is not avoidance, and it is not on this list at all; it is simply ignoring the risk.
Ignoring the risk (doing nothing), in my opinion, should not even be an option on the list of possible choices. Ignoring a risk is what people do when they are too lazy, too inexperienced, or too stubborn to realize they have a problem and need a solution. Ignoring the issues does not make them go away. Over time, risks tend to have a snowball effect. A risk starts out small and manageable, but as it rolls downhill it grows until it is too enormous to handle. Now you are left extremely vulnerable, and you don’t have the capabilities, resources, or knowledge to fix the problem. The only thing left to do is sit back and pray that you don’t get breached.
In our line of business, we identify risks and offer solutions to our clients. Which option they choose is up to them. But ignoring the risks we have identified is not a solution; it only leaves them insecure and vulnerable. Why anyone would do this to their organization is beyond me.