You’ve got to check out this article: “Why don’t risk management programs work?” from Network World. The publication asked two risk management experts to explain why risk management programs don’t seem to work. The result is a fascinating piece full of frank talk that is refreshing, thought-provoking, and (unfortunately) hard to come by.
What follows are a few teaser quotes. Read the article to find out who said them and how they backed them up!
“I look at much of what is called ‘risk management’ and laugh because the only other alternative is to weep.”
“Risk management programs don’t work because our profession doesn’t, in large part, understand risk. And without understanding the problem we’re trying to manage, we’re pretty much guaranteed to fail.”
“I regularly see fundamental terms like threat, vulnerability, and risk being used inconsistently, and if we can’t normalize our terms, then there seems to be little chance that we’ll be able to normalize our data or communicate effectively. After all, if one person’s ‘threat’ is another person’s ‘risk’ and yet another person’s ‘vulnerability’, then we have a big problem. How much credibility would physics have if physicists were inconsistent in their use of fundamental terms like mass, weight and velocity?”
“There is a Catch22 around ROI. Most people won’t invest in risk and metrics until they understand the value (business case). But getting those value statements to make that business case? Well, that requires a strong investment in a risk and metrics program.”