Hi there, risk management enthusiasts! I want to dive into how we can apply the concepts from my recent ISACA Journal article, “The Hidden Threat of the Risk Manager”, in our day-to-day roles. Managing risk isn't just about spotting potential pitfalls; sometimes, the most significant risks are the ones we overlook in our own backyard—ourselves.
Understanding the Human Element in Risk Management
We all know the drill: identify, assess, mitigate. But here's the twist – what if we, the risk managers, are part of the equation? It’s like being the chef who accidentally adds too much salt to the soup. Here’s how we can keep ourselves in check:
- Cognitive Biases: We’ve all got them, and they can really skew our judgment. I was part of a project a few years back where we were excited about moving to a new cloud platform, aiming for cost savings and scalability. But in our enthusiasm, we focused too much on the success stories, ignoring the cybersecurity risks. This was a clear case of confirmation bias where we only saw the benefits, not the potential security pitfalls. It wasn't until vulnerabilities were identified post-migration that we realized we had been overly optimistic. To combat this, make a point of seeking out information that challenges your current view. One practice that works is a “Risk Reversal” workshop, where the explicit goal is to explore what could go wrong, so that the resulting risk assessment is balanced and comprehensive rather than a list of expected benefits.
- Knowledge Gaps: No one knows everything, right? I’ve found that continuous learning is key. Whether it’s through certifications like CRISC or keeping up with webinars, always be learning. If you're unsure about a domain, such as cybersecurity in healthcare, collaborate with experts or enroll in specialized courses.
- Communication: Have you ever had that moment where you knew you had a genius idea, but it flopped because you couldn't get it across? I have been there and done that. The trick? Keep it simple, use visuals like dashboards to tell your story, and don’t shy away from practicing how you present. Tools like Tableau and Power BI are like magic; they can transform a mess of data into compelling stories that anyone can get excited about.
- Resistance to Innovation: Let’s face it, the world moves fast, and if we stick to the old ways, we’re not just staying put; we’re falling behind. I’ve started strategizing and implementing automated tools using Microsoft Power Apps for risk assessment. It’s not about replacing human insight but enhancing it. Encourage your team to explore new technologies and even initiate a 'hackathon' for risk management solutions.
- Overconfidence: This one’s tricky because who doesn’t like to feel they’re on top of things? But being too confident can blind us to real threats. I’ve found that “scenario planning,” where we intentionally look at what could go wrong, is a great reality check. Also, cultivating a culture where it’s OK to say “I’m not sure” can lead to more robust strategies.
- Ethical Considerations: Balancing profit with ethics can be tricky. There have been situations where the appetite for quick wins was tempting, like when some banks in 2024 were noted for engaging with crypto-related financial products without thoroughly assessing the risks, simply to capitalize on market hype. A robust ethical framework, specific training like conflict-of-interest workshops or ethical decision-making seminars, and an open forum for ethical discussions help ensure our choices reflect our values and compliance needs.
Practical Steps to Implement:
- Training and Development: Make this a non-negotiable priority. I advocate for at least one professional development activity per quarter. Whether you’re diving into a workshop that gets you thinking in new ways or you’re chasing down a trending new certification to add to your collection, it’s all about pushing the envelope on what you know. Keep that learning curve steep; it’s the only way to stay ahead in this game.
- Foster Collaboration: Create cross-functional teams for risk assessments. Different perspectives can catch issues you might miss alone. Set up monthly risk roundtables with business stakeholders, application owners, legal and finance to discuss potential risks from all angles.
- Quality Checks and Peer Review: Make it a rule to implement the four-eye principle when doing risk assessments. This means before you call it a day on any assessment, get another set of eyes on it for a peer review. It’s like getting a second opinion on your health – sometimes, you’re too close to notice the symptoms. You need that outside perspective to catch what might slip through the cracks. It’s not just about finding errors; it’s about confirming your work stands up to scrutiny from someone who didn’t bake the cake.
- Embrace Diversity: When I talk about diversity, I mean more than demographics: diversity of thought, experience and background. The most innovative and effective risk strategies I’ve encountered come from teams where everyone adds a unique flavor, like spices to a dish. A team with varied professional experience, from legal to pharmaceuticals, from engineering to finance, or from education to cybersecurity, including military veterans with their strategic insight, sees risk from every angle and spots issues in user experience, compliance or elsewhere that others would miss. I recommend building your team with a similar mix; it makes your risk management more robust, more creative and more forward-thinking. The lesson? In risk management, diverse perspectives are your best bet for not overlooking the critical stuff.
So, these are some practical tips for managing risk from the inside out. The aim isn’t just to avoid risk but to build a robust, flexible approach to risk management. Let’s keep learning, asking questions and, most importantly, staying aware of our own biases, knowledge gaps and communication habits so we can protect our organizations.
Happy risk managing!