I have spent my day in a forum dedicated to the security of classified information. Individuals attending are facility security officers, defense security service employees, and others caught in the orbit of U.S. Government classified information. One of the speakers made a comment that made me immediately jump to post something on Twitter:
"I want you to walk away from this presentation with one thing you can do to prevent risk." <- I don't think you understand risk.
— Peter Hesse (@pmhesse) March 14, 2014
Why did I say that the esteemed gentleman who was presenting didn’t understand risk? Let’s break it down.
The Definition of Risk
Risk can be either a noun or a verb. Consider these definitions found by a Google search:
(n) a situation involving exposure to danger.
“flouting the law was too much of a risk”
(v) expose (someone or something valued) to danger, harm, or loss.
“he risked his life to save his dog”
The way that the presenter phrased it, he was definitely using it in the form of a noun, indicating a situation that exposes one to danger. This is a common usage in the information security industry. We discuss the risks to information, personnel, and physical assets on a regular basis.
So what was wrong?
The unfortunate reality is that risk is not something that can be prevented.
We will always be presented with situations that expose us to danger. When I walk outside of this hotel, I have the risk of being attacked by a mugger. When I get into my car, I have the risk that my car won’t start and I’ll be stranded. Once I start driving home, I have the risk of getting into an accident and becoming injured.
How can I prevent these risks? I cannot. I can stay in bed all day, but then I run other risks – health risks of lying down all day, financial risks of not showing up to work, etc.
There is no situation that can prevent risk.
Risk is something that needs to be managed, or mitigated. In order to manage the risk of being mugged, I will walk in well-lit areas and keep aware of my surroundings. To manage the risk of my car not starting, I have it regularly serviced. To manage the risk of injury in a car accident, I wear a seatbelt, drive defensively, and keep my phone out of my hands while driving.
The next time you are thinking about risk, don’t think about preventing it. Think about understanding risk and the measures you can take to reduce, manage, or mitigate your exposure to danger.
Risk is necessary. A business without risk is a business without opportunity. Understanding risk, and talking about it properly, is the first step.