2 Comments

Nicely put! I'd add that acceptance is the default treatment for risks that are not both explicitly identified and effectively treated by other means. There is a possibility of errors and omissions in the risk identification, analysis and treatment activities, hence risk management is itself a risky activity. For example, we typically assume that various controls do what they are supposed to do, and seldom even consider the possibility that they might fail gradually or spectacularly in practice. Consider all forms of cryptography, for instance: when was the last time anyone actually checked that a cryptosystem deeply embedded in a bit of software or hardware is, in fact, using truly random keys of the right length, or the relevant number of rounds or whatever? Even the typical assurance measures used to detect and report issues with controls are themselves fallible controls: issues sometimes get missed, mis-reported, mis-understood and mis-treated, or more often ineptly and reluctantly addressed (nobody relishes acting on adverse audit findings!). Overall, it is challenging to maintain a sense of perspective and priorities, and unwise to assume that we've got everything right ... which means embracing business continuity, recovery, resilience and contingency approaches as well, and acknowledging that even they may fail to work out entirely as expected. It's risky all the way down!


Risk management is indeed a risky business!
