As practitioners, we talk about understanding and incorporating risk (including opportunities) into management practices, both strategic and tactical.
But do we practice what we preach?
Let me take three different groups:
- Risk officers (which would include safety, InfoSec and cyber risk practitioners, and so on)
- Internal auditors
- Board members
Risk officers
Risk is our job, but do we practice it?
Do we identify, assess, evaluate, and respond to the following sources of risk to our own effectiveness?
- We are risk-averse, focusing only on reducing or mitigating risk instead of knowing when it should be taken.
- We fail to gain and maintain the respect (and time and attention) of management as their partners.
- We don’t listen to management, but instead see ourselves as better at understanding the business and related risk than they are.
- New or changed sources of risk are not identified.
- Changes in risk are not assessed sufficiently promptly.
- Risk assessments are not kept current and used by those who need them on a timely basis.
- Risk assessments are inaccurate.
- The wrong people assess and address sources of risk.
- Risk assessments are not used, are not understood, or are not used properly by the right people.
- Risk models have errors or omissions.
- Risk management is not considered of value by management, who therefore invest…