As I reported in an earlier column, I had a discussion with a very senior manager from an auto company about risk. He opined that CEOs didn't want to hear about risk. All they want to hear is that the bottom line looks better. I asked for comments from you. I got some. Frankly, I was both pleased and disheartened. We have opted to live with this unhealthy view of information risk. But we don't need to condone it.
Virtually everyone I spoke with on this, and I spoke with people at many levels and in many related positions, agreed that the bottom line is the target. They agreed that vendor hype has softened the impact of the terms "risk analysis" and "risk management." What they did not agree with was that managing risk could not have a positive impact on the bottom line. With one exception, a CFO from an auto-related manufacturer, everyone I spoke with believed that information risk management can boost the bottom line, sometimes significantly. The CFO told me about their risk management – insurance.
I found the attitude that getting insurance manages risk disheartening. The cynic will say that you have offloaded the risk to a third party and the cost is less than assuming it yourself. Sadly, that's probably true. But it certainly is not the whole story. This approach says, loud and clear: "Managing our business well is not important to us. We'll let the insurers pay up and move on." This is the attitude one might expect from a company that has its car designs stolen in China, watches the Chinese build the car, and then voices the opinion that there's really no problem since the market is big enough for everyone.
We need to rethink the notion of acceptable risk and information risk management. Good risk management protects the viability of most organizations. With the car firm, the notion that an entire market could benefit, unfettered, through theft of intellectual property is so foreign to me that I simply cannot fathom it. But that is the case in many more situations than just cars – think of software, entertainment, books...
The investment in managing information risk is not just something that goes to the bottom line in improved profit – it is an investment in the viability of the organization. We do not have to sit by and accept a wrong-headed view of information risk by management. We have a duty to our organization's viability and to our management to do what we can.