Risk Work is Stressful

My latest column was published today with the above title and I wanted to call out two things with this one. First, since risk drives the selection of priorities, it only follows that it’s stressful work. Decision making is mentally taxing, so the professionals whose job it is to facilitate that will shoulder that burden as well. Second, take care to ensure that a high priority in your personal life is to appropriately manage the risk associated with my first point. Any job that bears the burden of high stress means that your health is important and requires the requisite attention.

Click here for the full article.

DeVry Charlotte 2014 Commencement Address

On 27 June 2014, I delivered the Commencement Address to the graduating class at DeVry University Charlotte. I was honored to be asked by Dr. Regina Campbell. I didn’t post the address here previously, but I talk about risk so I thought it might be interesting to my followers here. Enjoy!

 

Thank you to Dr. Campbell for inviting me here today and thank you to the faculty, administration, and staff of the DeVry University Charlotte Campus for the warm welcome they have extended to me. Congratulations to all of today’s graduates, their parents, families, spouses, partners, significant others and all the other recalcitrant folk you managed to bring to today’s proceedings. But seriously, we should all be enormously proud of our graduates today. They join an ever-growing body of DeVry alumni across this nation, Canada, the Caribbean, and other parts of the world that have benefited from the uniquely DeVry experience and how it enhances their careers. I know a little something about this group as I have been honored to have been made a DeVry alumnus three times in my life–and my wife a DeVry alumna twice. All of which means that I’ve had the opportunity to sit where you are now several times and as a result, I know there is truth in the old joke about there being two kinds of commencement speeches: short and bad. As for me, I plan for this one to be short, however I’m also sure that no one plans to deliver a boring commencement address, which may very well account for my knowledge of both the masculine and feminine forms of the Latin noun “alumnus” so well (thank you Wikipedia).

There are several time-honored traditions in American commencement address giving that I am obliged to follow. The first I’ll call the Pronouncement of the State of the Real World. It will come as no surprise to you that we live in a rapidly changing world where our lives and fortunes rise and fall with the technological innovations we love and love to hate. Navigating a career in this environment is nothing short of a lifetime commitment. A recent publication by the Business Insider reported on the most in-demand college majors. The four that topped the list (in order) were Business, Computer and Information Sciences, Engineering, and Health Professions, the sum total of which comprised 82% of new demand. If you’ve identified those as majors that DeVry focuses on and has so prepared you for, you get to get a diploma today, or sometimes later in the mail, as the case may be.


Substituting Risk Tolerances

I hate hand dryers in washrooms. I’m not alone: if Wikipedia is to be believed, 63% of people preferred paper towels over hand dryers in restrooms. I’d wager the other 37% choose what they thought was the right answer. Each time I use them, I always end up with cold, wet hands and if I’m forced to stand in front of them, water all over my clothes. I try to stand to the side and I one time watched the blower fling water all the way across the restroom–no small feat. Surely that wet, slick floor I left behind creates a terrible safety hazard. Heck, there is even a dispute about how much more environmentally friendly they are (if full cost environmental impact accounting is to be believed). My problem stems from the simple fact that they largely fail at their stated purpose, that of drying my hands quickly.

So if they are mostly hated, then why do companies implement them? Well, to put it bluntly, it’s not like you are going to shop somewhere else because they have hand dryers there. If studies are to be believed then I guess companies can save 99% of the cost of paper towels in a single year.

So what does this have to do with risk? Hand dryers (to me at least) are a clear case of substituting risk tolerances. Allow me to explain. When you are done washing your hands, your primary goal is to dry your hands and get out of there as quickly as you can. You are probably not thinking about saving the world with your hand drying choice or even saving money for the business you are at. Your priority here (I often equate priorities with risk) is in direct conflict with the host company. In fact, if it’s your employer that has the hand dryer, then it means they’d rather you stand there for some indeterminable time until your hands are dry versus getting back to your post as quickly as possible. Okay, so maybe you save a minute or two (I think most people just give up and wipe their hands on their pants, defeating the purpose), but multiply that by how many trips per day times how many people and it’s no small investment (I used to work with process engineers that thought about stuff like this all the time).

You may be thinking that I’m neurotic about this, and you may be right, but when you think about risk constantly like me you start to see it everywhere. And the hand dryer scenario is not unique. While waiting in line at IKEA at closing time one night, someone in our party asked why they didn’t open up more lanes. The answer is simple–what are the odds that after spending the last couple hours shopping and schlepping your purchases to the sole closing-time cashier that you would abandon them and sacrifice the last few hours of your life? Slim to none I’d say. Here too is a risk-based decision. They are accepting marginal dissatisfaction in order to save some money on a second or third cashier.

These sorts of trade-offs happen all the time and we hardly notice them. Usually they involve discounting the value of time–yours and mine–in favor of cost avoidance. I try and make these scenarios plain in my mind. I want to know when the value of my time has been discounted. I have less personal tolerance for my time being wasted and I often seek out scenarios where I pay a premium to have more personal time in my life.

How often have your personal risk tolerances been violated without your explicit knowledge? Perhaps it’s time to manage your resources better…

Thus Wastes Man

A discussion on priority-making, risk, and the nature of humanity

I’m always interested in examples where we make implicit risk decisions. It happens naturally all the time, mostly because we lack the resources (time, skills) to properly evaluate the scenario. Despite being good at keeping us immediately out of harm’s way, this quick decision-making skill set (our “gut” reaction) tends to be wrong very often about long-term risk. Nowhere is this more prevalent than in our own health decisions.

The FAIR risk-assessment framework discusses and flowcharts the reasons for failure to comply with policy; however it is equally applicable to failures in decision making. At a high level, the flow chart goes like this: awareness, resources, motivation (evil, dumb, priorities). It’s usually the priorities that throw us for a loop: after I know what needs done, have the tools to do it, I have to want to do it. Since we’re not often evil or dumb (thank goodness), I have to make it a higher priority than the other things I care about. It’s the same reason that although I see the nail pop in my one wall all the time, I’m unlikely to ever really do anything about it (after all, I’m really busy with this blog and everything…).

It’s through these lenses (implicit decision making and the compliance flowchart) that I would like to discuss the following chart:

This is a chart provided by the FAIR Foundation on their website (no relation to the risk analysis method called FAIR). This chart details the US funding priorities for various diseases (mostly -all?- NIH funding). I care about many of these diseases personally, as I’m sure many of you do. It’s because of this personal attachment (my gut reaction), that I’m immediately appalled at the funding priorities that exist. If we are being rational about our resource allocation, then clearly the diseases that cause the most deaths need the highest levels of funding. On closer evaluation however, there is more to diseases than just death; many diseases substantially limit one or more of the major life activities (to borrow a phrase from the US Americans with Disabilities Act of 1990). Diabetes (especially Type 1) robs you of normal eating habits for the rest of your life, Alzheimer’s takes your mental faculties, and Parkinson’s steals the ability to move regularly (to just name a few – there are many horrible outcomes for many of these diseases).

So if we are all rational humans, then why are these funding priorities what they are?

There’s a certain amount of complexity associated with these decisions. There is a system of systems responsible for these funding decisions, not the least of which is popularity (there are countless discussions like this happening all over the web). However, the reality is that all rubrics for funding will leave some people’s concerns out of the running. There just aren’t enough resources to go around.

I don’t have the right answers for this problem, but I wanted to use this chart as a mirror for our own IT Risk and Security funding priorities. There are doubtless many pet projects that will garner the most funding in your organization that will not have rational support from a risk perspective. Fighting this gut-level decision making is the work of IT Risk professionals today. The same as the medical communities that argue for a risk-based approach to research funding, you too should be spending your time and efforts advocating for the reduction of risk in the scenarios that affect your organizations.

Given that you will never work for an organization that has an infinite budget for security (or anything really), nor will you have all the time needed to address every concern, you must prioritize efforts to ensure the best results. Priority-making is inherently a risk-based activity. This is the essence of modern risk management.