Every day, as leaders we have to assess risk and make decisions. Some leaders have a higher risk tolerance than others or are willing to take a risk in one circumstance or another. The best leaders get good at calculating risks, evaluating consequences and taking timely action to achieve results.
This is playing out in real time with IT security. It’s all over the headlines, and leaders have decisions to make. All organizations need to understand how much potential exposure they may have, recognizing that new risks are uncovered almost daily.
How do you assess your team’s tolerance for risk and choose an appropriate path that mitigates exposure while optimizing opportunities? Here are some questions to consider:
- What’s the risk?
This may sound straightforward. But in the case of security, the risks may not be known today. Leaders need to actively anticipate and uncover the risks so they can determine how they want to take action – before they become a victim. Risks often fall into two categories: financial or strategic. Most have a financial impact and require us to act before we get comfortable.
- Who’s all sharing in the risk in the event it fails?
This may be other members of the team, a vendor or even financial partners. This can help put the risk into perspective and gain a broader view of the impact. It usually feels better when you can share the potential risk.
- What’s the financial impact?
Risk magnifies as the dollars increase. We often need to invest money to make a move or be prepared to lose money if we don’t. You don’t always have to spend a lot of money to see a significant improvement and mitigate future financial loss. But it does require understanding the vulnerabilities.
- What else is at risk?
When it comes to risk, the stakes can be quite high and cover more than money, including the risk of:
- Compliance — There may be legal implications to consider, based on government or industry regulations.
- Time — There may be a sense of urgency. Inaction can cost money.
- Focus — When we focus on this, we remove our attention from something else.
- People — This one can be hard to identify, but it is almost always present.
- Positioning — We may gain or lose our position (including our image or reputation) in the marketplace or in our industry.
The key is to make moves that mitigate risk so when the finger-pointing starts, you know you did your part. Have you ever noticed that good decisions often go unnoticed, yet bad decisions hang around? Avoidance is never the answer. Make it a habit to evaluate your risks and make calculated moves. The risks will always be there. But if you know what they are, you will make better decisions.
Join the Conversation
Doug recently spoke with Marco's Chief Strategy Officer Trevor Akervik about risk management and how organizations can apply risk tolerance to make decisions to improve their security posture.