Open Group Podcast on Risk – June 2013

I participated in my second risk management podcast for the Open Group that was published today. I like this one better than my previous one; I tried to talk slower in this one anyway ;-)

I was happy with the topics that we discussed, most notably that as regulators become more aware of the capabilities of quantitative risk assessment techniques they will begin demanding them from those they are reviewing. Of course, Jack and Jim were great as well and the conversation was expertly moderated by Dana.

Negligence and Compliance

Compliance is out of control. It's pervasive in our society now and there is no going back. Allow me to explain.

My kid attends pre-school. They go outside daily to play, so we were asked to provide some sunblock. Makes sense, our family is pale so we are used to that routine. We brought it in, signed a legal release (sigh), and we were good to go.

Or so we thought.

We receive an email later in the day saying that they cannot use an aerosol can and we need to provide sunblock that is a cream. Now this wasn't communicated to us previously, so that's disappointing, but the real issue is the promulgation of the phrase, "It's our policy…" The use of this term is quickly becoming a death of a thousand cuts.

How far is this to be taken? Would they have compelled my kid to go outside in the sun to burn, while the unopened sunblock sat idly by, not protecting them from an inappropriate amount of UVA/UVB? Would they have sat self-satisfied that policy boxes were checked while children roasted in the midday sun?

“It’s our policy that we don’t use aerosol cans to apply sunblock. It might get in their eyes.”

Well, it's not pepper spray; it's not meant to be sprayed in the eyes. Everyone knows the trick about spraying it into your hand and then applying it to your face. I'm about ready to build my own set of personal policies ("That's unfortunate, but it's my policy that children not burn in the sun when sunblock is within arm's reach"), effectively pitting policy against policy in a byzantine Mexican standoff of bureaucracy and drudgery.

Since I see the world through a risk lens, I see this as a failure in risk management. Which would have exposed this organization to greater risk? The remote possibility of face spraying, or the near certitude that skin will burn? In this case, the robotic adherence to policy actually INCREASED risk in the organization by promoting what is effectively negligence.

Thankfully, the outside activity that day took the kids through a shady grove, so no sunburn ensued, but this is a great example of where compliance regimes exceed risk tolerance and that actually increases risk.

Be the person on the phone

So I purchased some of those curlicue light bulbs (CFLs), but as I am prone to do, I got the wrong ones (the base wasn't right). Also like I always do, I bought the giant big box store pack, so it made sense for me to return them. So my family and I roll up to the <big box warehouse store> and I head for the customer service desk. I make pleasantries with the Lady Behind the Counter and inform her of my desire to return these bulbs for a refund. She takes the package, looks it over, and asks where the Sticker is. It's at this moment, were this an 80s high school movie, that some DJ somewhere would cause the record to scratch. For you see, I had no such Sticker on my packaging. I so informed her, and she was exasperated. The greeter at the door was to interrupt my ingress, inquire about the returned merchandise in my hand, tag it with the Sticker and direct me to the customer service desk. Not having done so, there was no way they could possibly know that I didn't take this off the shelf and walk directly to the desk to perpetrate some fraud.

“We’ll have to check the videotape,” she said.

At this point, I too was exasperated. I attempted to explain that I purchased this and showed her my receipt. She waved over the greeter who was unable to recognize me from the myriad throngs of people that had been so “greeted.” The Lady Behind the Counter began making calls up the ranks. My wife asks if I would like her and my daughter to wait.

“Oh yes,” I say, “having my family nearby makes me look less like a criminal.”

I hear the half conversation over the phone where the Lady Behind the Counter says, “Uh, $16. Oh, okay,” and then hangs up. “We’ll accept it this time, but next time…”

I’ve turned this exchange over in my head countless times since. How could they have authenticated me better? What sort of losses from this threat vector have they incurred that caused them to implement this program? I never had to get a sticker on my returns from the <big box warehouse store> back in Central Ohio…

I've used this story several times since as an illustration of the distinction between auditors and risk professionals. It is absolutely critical that somebody be in charge of checking tickets. You need a ticket to get into the show, or in my case a Sticker. The policy says you need a Sticker, so a Sticker is what's required. It's also critical that the person at the door check incoming merchandise and apply a Sticker. The former is the auditor; the latter is more akin to IT operations. But what of the person on the phone? Ah! They were the risk manager, you see. They understood that a policy violation occurred despite my having a valid receipt and a relatively honest-looking face. They could have checked my purchase history to see that I spend A LOT of money at their establishment. Sure, they had video of the incident, but for $16, everyone had better things to do. That is a risk-based decision. That's just being a human being in a room otherwise full of automatons and making a judgement call that there are better things to spend our finite resources on than less than $20 worth of light bulbs that I likely really did purchase.

This is why the notion of something called a "risk-based audit" is somewhat anathema to me. Sure, please do check controls in areas where there is risk in the business, but that will quickly give rise to the causality dilemma commonly referred to as a chicken-or-the-egg scenario: if the audit is meant to reveal high risk areas, then how could we possibly use risk as an input to scoping the audit (which is the premise of the risk-based audit)?

To bring this back home, let me say that I absolutely want and need somebody issuing and checking tickets at the door. But I'd never mistake them for risk managers. And if you wish to progress in your careers as IT risk professionals, try being the person on the other end of that phone call, and stop sweating the small stuff, because somebody's probably trying to run off with a new TV while you're squabbling over light bulbs.