Accepting risk is one of the standard responses to risk, alongside mitigating, transferring, and avoiding it. The final session of the 7th Annual Virtual Cybersecurity Conference for Executives, hosted by Ankura and the Johns Hopkins University Information Security Institute, took up how to know when acceptance is the best policy.
When to accept risk: the 7th Annual Virtual Cybersecurity Conference for Executives.
Tom Quinn, CISO at T. Rowe Price, discussed how and when to accept risk. He began with an analogy: building codes are largely the product of past disasters, major fires, floods and loss of life, that have refined safety requirements over time. One of the challenges of cybersecurity, he said, is that people lack equally visible examples of what “good” looks like.
Train people to recognize risk and sound the alert.
Quinn added that organizations should make sure employees are trained and motivated to raise alerts about risk. He compared it to fighting a fire: the first thing you do is pull the alarm.
“One of the things I often find is that you can over-rely upon an individual person to not only find the risk, escalate a risk, write up a risk, find solutions for a risk and different kinds of mitigations to maybe even accept it,” he said. “I think in some of those cases, there could be a disincentive – even in the best kind of culture, there could be a disincentive if all that work was required just to raise one hand and let them know something was wrong.”
Accepting risk isn't a final decision, but rather one you revisit regularly.
Quinn explained that accepting a risk need not be a permanent decision: organizations should track accepted risks over time and reevaluate each one when it resurfaces.
“One thing I tell my team as we go through these risk acceptance processes is, why don’t you just fix it?” he said. “What’s stopping you from fixing it? And I think understanding those reasons is key, because whether you’re able to make a change in the moment, it’s important to capture those variables, because trending over time matters, and if you see the same thing over and over, that this risk acceptance was there and the reason was we just didn’t have capable people to do the work that’s expected, that should also lead to part of the sustaining processes around risk management, which is: what are you going to do about this so this doesn’t have to come up over and over?”
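The two practices Quinn describes (accept a risk only with a recorded reason and a review date, and trend the reasons so repeated acceptances become visible) can be encoded in a small register. The code below is an added illustration and is not T. Rowe Price's or Quinn's tooling; the class, field and function names are assumptions, and the sample entries are constructed for the example.

```python
"""Time-boxed risk-acceptance register (illustrative; names and data are assumptions).

Every acceptance must carry a reason and a finite review window. Re-accepting a
risk keeps the earlier acceptance in its history, so recurring reasons and
risks that are re-accepted without change can be reported over time.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class RiskAcceptance:
    risk_id: str
    description: str
    owner: str
    reason: str                 # why the risk was accepted instead of fixed
    accepted_on: date
    review_after_days: int
    history: list = field(default_factory=list)  # prior (accepted_on, reason) pairs

    @property
    def review_due(self) -> date:
        return self.accepted_on + timedelta(days=self.review_after_days)


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as '2023-08-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


class RiskRegister:
    def __init__(self, max_review_days=365):
        self.max_review_days = max_review_days   # no open-ended acceptances
        self._entries = {}

    def accept(self, risk_id, description, owner, reason, accepted_on, review_after_days=90):
        """Record an acceptance; blank reasons and over-long review windows are rejected."""
        if not reason.strip():
            raise ValueError(f"{risk_id}: an acceptance must say why the risk was not fixed")
        if not 0 < review_after_days <= self.max_review_days:
            raise ValueError(f"{risk_id}: review window must be 1..{self.max_review_days} days")
        history = []
        prior = self._entries.get(risk_id)
        if prior is not None:   # re-acceptance: keep the earlier decision for trending
            history = prior.history + [(prior.accepted_on, prior.reason)]
        entry = RiskAcceptance(risk_id, description, owner, reason.strip(),
                               _as_date(accepted_on), review_after_days, history)
        self._entries[risk_id] = entry
        return entry

    def entry(self, risk_id):
        return self._entries[risk_id]

    def due_for_review(self, today):
        """Acceptances whose review date has passed, earliest first."""
        today = _as_date(today)
        due = [e for e in self._entries.values() if e.review_due <= today]
        return sorted(due, key=lambda e: e.review_due)

    def recurring_reasons(self, min_count=2):
        """Reasons given min_count or more times across current and past acceptances."""
        counts = Counter()
        for e in self._entries.values():
            counts[e.reason] += 1
            counts.update(reason for _, reason in e.history)
        return {r: n for r, n in counts.items() if n >= min_count}

    def repeat_acceptances(self, min_times=2):
        """Risk IDs accepted min_times or more with the same reason as now."""
        out = []
        for e in self._entries.values():
            same = 1 + sum(1 for _, r in e.history if r == e.reason)
            if same >= min_times:
                out.append(e.risk_id)
        return out


def build_sample_register():
    """Constructed sample data for the example; not from any real register."""
    reg = RiskRegister()
    reg.accept("RISK-001", "Legacy app on unsupported OS", "app-team",
               "no capable staff to do the work", "2023-01-15", 90)
    reg.accept("RISK-002", "MFA not enforced on vendor portal", "iam-team",
               "vendor dependency", "2023-03-01", 180)
    # Re-accepted with the same reason: the earlier acceptance moves into history.
    reg.accept("RISK-001", "Legacy app on unsupported OS", "app-team",
               "no capable staff to do the work", "2023-04-20", 90)
    reg.accept("RISK-003", "Shared admin account on build server", "ci-team",
               "no capable staff to do the work", "2023-05-10", 30)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for e in reg.due_for_review("2023-08-01"):
        print(f"REVIEW DUE {e.risk_id} (due {e.review_due}, owner {e.owner}): {e.reason}")
    print("recurring reasons:", reg.recurring_reasons())
    print("re-accepted without change:", reg.repeat_acceptances())
```

Run as-is, the register reports RISK-003 and RISK-001 as overdue on 2023-08-01, shows "no capable staff to do the work" given three times, and flags RISK-001 as re-accepted for the same reason, which is the signal Quinn says should feed a sustaining fix rather than another acceptance.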