ICYMI: Organizational Signals for Changing Risk Appetite

I was inspired to write this article by a change in the speed limit that happened on a local Interstate. It was a good jumping off point to illustrate the parallels between speed limits and risk appetite and what it takes to change each.

You can read the article on the FAIR Institute website here.

The Dose Makes the Poison

My latest @ISACA article posted today. I was really pleased with this one as it uses an easily understandable metaphor to call out the often experienced desire of people to live life without risk (as evidenced by statements such as “We don’t accept any risk…”). Take a look and let me know what you think.

 

Be the person on the phone

So I purchased some of those curly cue light bulbs (CFLs), but as I am prone to do, I got the wrong ones (the base wasn’t right). Also like I always do, I bought the giant big box store pack, so it made sense for me to return them. So my family and I roll up to the <big box warehouse store> and I head for the customer service desk. I make pleasantries with the Lady Behind the Counter and inform her of my desire to return these bulbs for a refund. She takes the package, looks it over, and asks where the Sticker is. Its at this moment, were this an 80s high school movie, that some DJ somewhere would cause the record to scratch. For you see, I had no such Sticker on my packaging. I so informed her, and she was exasperated. The greeter at the door was to interrupt my ingress, inquire about the returned merchandise in my hand, tag it with the Sticker and direct me to the customer service desk. Not having done so, there was no way they could possibly know that I didn’t take this off the shelf and walk directly to the desk to perpetrate some fraud.

“We’ll have to check the videotape,” she said.

At this point, I too was exasperated. I attempted to explain that I purchased this and showed her my receipt. She waved over the greeter who was unable to recognize me from the myriad throngs of people that had been so “greeted.” The Lady Behind the Counter began making calls up the ranks. My wife asks if I would like her and my daughter to wait.

“Oh yes,” I say, “having my family nearby makes me look less like a criminal.”

I hear the half conversation over the phone where the Lady Behind the Counter says, “Uh, $16. Oh, okay,” and then hangs up. “We’ll accept it this time, but next time…”

I’ve turned this exchange over in my head countless times since. How could they have authenticated me better? What sort of losses from this threat vector have they incurred that caused them to implement this program? I never had to get a sticker on my returns from the <big box warehouse store> back in Central Ohio…

I’ve used this story several times since as an illustration of the distinction between auditors and risk professionals. It is absolutely critical that somebody be in charge of checking tickets. You need a ticket to get into the show, or in my case a Sticker. The policy says you need a Sticker, so a Sticker is what’s required. It’s also critical that the person at the door check incoming merchandise and apply a Sticker. The former is the auditor the latter is more akin to IT operations. But what of the person on the phone? Ah! They were the risk manager you see. They understood that a policy violation occurred despite my having a valid receipt and a relatively honest looking face. They could have checked my purchase history to see that I spend A LOT of money at their establishment. Sure, they had video of the incident, but for $16, everyone had better things to do. That is a risk-based decision. That’s just being a human being in a room otherwise full of automatons and making a judgement call that there are better things to spent our finite resources on than less than $20 worth of light bulbs that I likely really did purchase.

This is why the notion of something called a “risk-based audit” is somewhat anathema to me. Sure, please do check controls in areas where there is risk in the business, but that will quickly give rise to the causality dilemma commonly referred to as a chicken or the egg scenario: if the audit is meant to reveal high risk areas, then how could we possibly use risk as in input to scoping the audit (which is the premise of the risk-based audit)?

To bring this back home, let me say that I absolutely want and need somebody issuing and checking tickets at the door. But I’d never mistake them for risk managers. And if you wish to progress in your careers as IT risk professionals, try being the person on the other end of that phone call, and stop sweating the small stuff because somebody’s probably trying to run off with a new TV while your squabbling over light bulbs.

Knuckle Busters

Where I live, we have been experiencing a lot of severe weather and with it, power outages. Its always fascinating to students of risk to watch how organizations behave in these scenarios. Especially interesting are how retail establishments deal with payment issues.

I entered an office supply store the other day to purchase some equipment I needed. Its important to note that there were NO power outages this day. As I entered, I was told that they were unable to accept credit cards and could only take cash. Immediately, I asked why they don’t just use the “knuckle busters” to imprint the cards. They said they couldn’t do authorization. I gestured as if turning over the imaginary credit card in my hand and told them to call the number of the back. They repeated their lines and added that it was “company-wide.” I realized I wasn’t going to get through to them (nor could they make such decisions at the store level anyways), so I left to go to another store to purchase my wares.

We live in society that is increasingly going without cash. The latest IEEE Spectrum magazine spent an entire issue discussing the move to a cashless society. Its for this reason that not being able to accept payment cards during an outage seems entirely unreasonable. In fact, given the proliferation of cards and dearth of cash, one might not say “accept payment cards” and just say “accept payment.” Especially at the establishment I was at where most transactions wouldn’t be completed with the change and few bills I had on me.

So why then do so many places not have backup payment using a knuckle buster?

It’s likely just lack of planning, but lets assume a risk-based decision making model. We own the store and probably have numbers on how many transaction we do on a given day and for how much. If we add some information about how often the power/server/etc. goes out, we can come to an average amount of money that we think we would loose not accepting credit cards during an outage. But don’t stop there: we also have to work on the threat side as well. Consider how many people we think are going to defraud us during this time. It would seem to me (but I’m willing to be wrong) that there are not “knuckle buster” fraud rings waiting for outages to swoop in and buy up lots of office supplies with fraudulent credit cards that can’t be authorized in real-time.

A risk-based appraoch would establish some ceiling amount – say $250 – that the company was willing to accept card imprints for and move you on your way. After that, they’d have someone call the number to verify funds (during my visit the store was full of bored employees pushing brooms that could have esaily picked up a phone to call in the authoriztion for any amount, but I digress). I know that a well-known fast food restaurant that you’ve likely eaten at established a threshold for payment card transactions under which they don’t worry about online authorization. During the lunch rush, they try for online auth at all times, but if they don’t get it in a time they set, they don’t worry about it. Take your #5 and move on, we’ll deal with it later. And if you defrauded them, they agreed to eat cost (pun intended). This always seemed like a very reasonable approach to me and shows that they understand they stand to gain much more from a faster line, than from strict adherence to online authorization.

So about those storms and power outages? I bought a whole-house generator about 5 years ago. That tells you a little about our risk tolerance I guess :-)