The anatomy of risk assessment: beneath the flesh

In Information Security | By Team Acumin / 28th February 2012

If you can recall, the prelude to this post applauded Thom Langford’s inventive approach to risk assessment, focusing on its clever analogy to the human body. We thought it decidedly creative, a style that can and should be used in risk management strategies. This blog, keeping in line with the lexicon used, will thus move on from the exterior to the interior: beneath the flesh so to speak.

Mr Langford, senior manager at Global Security Office, Sapient, explored risk management using body parts as a hook from which to peg various ideas. From the outset, he looked upon the feet as being the foundation of risk assessment, which, any lover of Pablo Neruda’s poetry will know, support the body, and as such, heart and soul.

The feet, he explained during his presentation, are equivalent to purpose. Everything stems from this: what is it you’re doing, why are you doing it, what methodology do you plan to use and what is hoped to be achieved?

From thereon in, he went straight to the brain: polar opposites geographically, but metaphorically linked. This is where ideas begin to take shape – the setting of foundations. Planning and preparation are important; mapping the assessment and beginning to flesh out the questions you generated early on help give weight to your endeavour. As Mr Langford noted during the talk, this is all common knowledge, but it is worth repeating.

You see, without proper planning, you run the risk of a protracted and inefficient process of labour. Take heed from Alan Lakein, the self-help business author: “Time equals life, therefore waste your time and waste your life, or master your time and master your life.” Without a brain, we are the walking dead.

The eye – a favourite of Mr Langford – is a tribute to empiricism: it’s all about observation, right from the get go. Like a newborn child soaking up the new landscape of the world, those carrying out a risk assessment need to be greedy for detail and scrutinize every feature going. This isn’t to be mistaken for excessive fastidiousness, but a genuine ‘eye for detail’. It all helps to inform the final conclusions and recommendations.

The ears, for us, are a fantastic instrument in risk assessment. Ironically, one of the highlights of the talk was the concept of silence. For example, ‘force’ a silence between yourself and the client when you’re not satisfied with their engagement. How? Well, consider the idea that humans have a penchant for filling in ‘the quiet’. Let a hushed atmosphere descend: nine times out of ten people will say something. It’s fascinating stuff.

In contrast, the mouth is a vessel in which the opposite strategy is deployed. Ask, ask, ask, or as Mr Langford says, ask the ‘stupid questions’. Why? Well, there are no stupid questions, and more importantly, this diminishes the notion that you are there simply to tick boxes: you are actually there to deliver change. This is another brilliant piece of analysis that helps increase the chance of unexpected outcomes. The data might be harder to analyse – it’s qualitative after all – but its overriding benefit is its richness.

As the classic saying does decree in all its earnestness, follow your nose. Again, obvious stuff, but worthwhile in how you go about conducting business. For example, if everything is fantastic, from organisation and rapport to the cup of tea you get from your client, the chances are they have good risk management policies. If everything is contrary to this, well, then roll up your sleeves: this is going to get dirty.

We can bypass his reference to lungs (it’s tenuous), but as for the hands, these are the ‘bread and butter’ of the game: accessing documents, opening doors, and unlocking computers. Nothing is off limits. Let your hands have liberty of exploration and go with your gut – clever link even if we say so ourselves – because you, as an expert, know what feels right and what doesn’t.

Put all of this together and you not only get a fairly comprehensive, albeit non-textbook, tract on how to perform a human risk assessment, but an authoritative guide to conducting an audit that produces focused outcomes. As Mr Langford concludes his presentation, he mentions that risk assessment shouldn’t be an inconvenience; it should be collaborative, open and constructive, a piece of work that ends with both parties feeling that they got something beneficial out of the exercise. That’s the kind of world we’re striving for.