Enterprise Miracle Management

Can't Enterprise Risk Management guarantee against failure?

It's like asking why there are still fires now that we've hired firefighters. ERM could use a good portion of expectation management. If someone believes that nothing could ever go wrong since we have an ERM function, they need a reality check.

Not all existing risk will be discovered.
Not all discovered risk will be mitigated.
Not all mitigated risk will be eliminated.

Be sure to equip your firefighters but don't go expecting miracles.

guided by risk

How is the risk paradigm relevant during a breach?

If the breach relates to risks previously documented, we already know the risk level, the vulnerabilities and the assets involved. The risk paradigm informs incident management in another way as well. We will have to pick strategies for containment and recovery, and each strategy carries its own risk. How do we choose? By swiftly assessing that risk. (The incident doesn't wait.)

So, just as incidents inform future risk management, impromptu risk assessments can guide ongoing incident handling.

a useless paradigm?

Some argue that risk is a useless paradigm once a breach has occurred: it is happening, the probability is 100%, so why theorize further?

To me, this analysis is surprisingly shallow.

Being under attack is not a binary thing, it is not about an enterprise losing its virginity once and for all. Sure, we must deal urgently with the current incident. But there's a host of potential events awaiting tomorrow which need to be foreseen and prevented.

Today's incident enlightens us in assessing current risk.