GRC Tuesdays: Risk Management and the Butterfly Effect
Have you ever heard about the butterfly effect? Sometimes referred to as the ripple effect, it is usually defined as the idea that a small change can have drastic consequences. The metaphor that gave the concept its name is that the flapping of a butterfly's wings can trigger a storm on the other side of the planet. I think this applies perfectly to the risk management discipline. A risk rarely, if ever, manifests by itself: it is a succession of failures that leads to the incident.
A fire can only start if there is combustible material somewhere and an unprotected source of ignition, right? This means that you had two chances of avoiding the risk: removing the combustible material or extinguishing the flame. As you can see, one is a preventive measure and the other a corrective one.
But how exactly would you know what to do if you hadn’t described the complete chain of events that could have led to the risk?
Many companies still have a reactive approach to risk management and focus on the potential impacts of their risks, that is, the exposure. From there, they decide what measures should be taken, one of them of course being the transfer of the risk to a third party, for instance through an insurance policy.
But what if you could target specifically the source of the issue?
This would have two advantages:
- Better protection of the tangible and intangible assets of the organization
- All in all, cheaper risk mitigation. An insurance policy will of course help you replace damaged assets and infrastructure, but who will help you regain the business you lost during an interruption or rebuild your customers' trust?
Let’s take a look at the three steps that could help you counter the butterfly effect in your organization.
1. Document the Complete Risk Chain
This step requires that you de-silo your risk management practice. When you document a new risk or review an existing one, select the other events whose likelihood would increase if your risk manifested. Are you reviewing the risk of a successful malicious attack on your systems? Then make sure you link it to the risk of loss of customers' private information, since that is what it could lead to.
Conversely, you can also describe the risks that increase the chances of yours occurring. Taking again my example of a successful malicious attack on your systems, its likelihood would most likely be increased by the risk of obsolete cyber security measures.
2. An Ounce of Prevention Is Worth a Pound of Cure
Now that you know which events can trigger your risk, don't focus only on recovery measures. Yes, they will be required, especially for risks above your tolerance, but also try to design controls that prevent the underlying risks from occurring. This is not only cost effective; it also means that you are no longer addressing risks on an event-by-event basis but designing a global mitigation strategy, and therefore rationalizing your actions by making them more tailored to your situation.
3. Be Like a Meerkat Guard
Don't be caught off guard! Having documented the underlying risks and reduced their probability of occurrence with preventive controls could indeed be sufficient, but what happens if something changes between two control reviews?
Key risk indicators are a great way of keeping an eye on these underlying risks and on their drivers. And if these indicators are updated automatically, they can be compared against thresholds on a regular basis, so that you only get a notification when a threshold is breached or a negative trend is building up.
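To make steps 1 and 3 concrete, here is an added example (not the blog's own tooling, and not any GRC product's API) that models the post's risk chain as a small graph and runs a key risk indicator against a threshold. The risk names, the indicator readings and the threshold of 10 are constructed sample data; the "rising" rule (three consecutive increasing readings) is one hypothetical way to define a negative trend.

```python
"""Risk-chain documentation and KRI monitoring (added illustration, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Risk:
    name: str
    # Names of upstream risks whose occurrence increases this risk's likelihood (step 1).
    upstream: List[str] = field(default_factory=list)
    # Key risk indicator readings, oldest first. Constructed sample values.
    kri: List[float] = field(default_factory=list)
    # Reading at or above which the indicator counts as breached (step 3).
    threshold: Optional[float] = None


# Constructed chain following the post's example:
# obsolete security measures -> successful attack -> loss of customer data.
# The KRI on the root risk could be, say, the count of systems past their patch deadline.
RISKS: Dict[str, Risk] = {
    "obsolete_security": Risk("obsolete_security", kri=[4.0, 5.0, 6.5, 8.0], threshold=10.0),
    "successful_attack": Risk("successful_attack", upstream=["obsolete_security"]),
    "customer_data_loss": Risk("customer_data_loss", upstream=["successful_attack"]),
}


def downstream(risks: Dict[str, Risk], name: str) -> Set[str]:
    """All risks whose likelihood rises, directly or transitively, if `name` manifests."""
    result: Set[str] = set()
    frontier = [name]
    while frontier:
        current = frontier.pop()
        for r in risks.values():
            if current in r.upstream and r.name not in result:
                result.add(r.name)
                frontier.append(r.name)
    return result


def upstream(risks: Dict[str, Risk], name: str) -> Set[str]:
    """All risks that can trigger `name`: the chain to target with preventive controls."""
    result: Set[str] = set()
    frontier = [name]
    while frontier:
        current = frontier.pop()
        for parent in risks[current].upstream:
            if parent not in result:
                result.add(parent)
                frontier.append(parent)
    return result


def kri_status(values: List[float], threshold: Optional[float], window: int = 3) -> str:
    """Classify an indicator: 'breach' if the latest reading is at or above the
    threshold, 'rising' if the last `window` readings strictly increase, else 'ok'."""
    if not values or threshold is None:
        return "no_data"
    if values[-1] >= threshold:
        return "breach"
    recent = values[-window:]
    if len(recent) == window and all(a < b for a, b in zip(recent, recent[1:])):
        return "rising"
    return "ok"


def notifications(risks: Dict[str, Risk], window: int = 3) -> Dict[str, dict]:
    """Return only the indicators needing attention, each with the downstream
    risks the trend would eventually expose. Quiet indicators produce nothing."""
    out: Dict[str, dict] = {}
    for r in risks.values():
        status = kri_status(r.kri, r.threshold, window)
        if status in ("breach", "rising"):
            out[r.name] = {
                "status": status,
                "latest": r.kri[-1],
                "exposes": sorted(downstream(risks, r.name)),
            }
    return out


if __name__ == "__main__":
    for risk, info in notifications(RISKS).items():
        print(f"{risk}: {info['status']} (latest {info['latest']}), exposes {info['exposes']}")
```

With the constructed readings the root risk has not breached its threshold, but the last three readings climb steadily, so the only notification raised is a "rising" one on obsolete_security, listing the attack and data-loss risks it would expose if the trend continued.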
What about you? Do you apply a butterfly effect analysis to your risks?
I look forward to reading your thoughts and comments, either on this blog or on Twitter @TFrenehard!