Phil Venables

Risk Management is not only about Reducing Risk

It seems most risk and security programs, and most instruction on how to run them, focus exclusively on assessing risk and then implementing controls or taking other actions to reduce that risk.

Once the risk is at an acceptable level the focus is to keep it there - but essentially do nothing more - except for a periodic or trigger-based revisiting of the assessment. However, a big part of the more successful risk & security programs is to never stop there. In fact, achieving the right risk level is merely the beginning of a more worthwhile journey that improves the way risks are mitigated. In other words, keep risk flat but improve the efficiency of the controls that mitigate the risk - across multiple dimensions:


  1. Customer experience. Deliver the same risk level but improve the usability of controls - including reducing friction for the customer to sign-up for services or new features. This typically applies in relation to authentication, authorization and fraud prevention.

  2. Cost. Reduce the cost to sustain or upgrade controls and to direct those savings to other improvements - or to other risks where there is still a need to more actively implement new controls to reduce risk.

  3. Efficiency. Optimize the arrangement of controls, or indeed reduce the number of controls implemented for each specific risk, being careful not to impact defense in depth.

  4. Ease of continuous monitoring. Replace controls that are not amenable to continuous performance monitoring, or that don’t emit the right metrics, with ones that do.

  5. Automation. Replace any manual activities progressively with automation to reduce the administrative or other maintenance load.

  6. Adjacent benefits. Develop adjacent benefits for existing controls, such as having security logging capture and synthesize more data to assist with performance monitoring, or enhancing distributed recovery to not only improve resilience but also to widen change windows.

  7. Reduced negative externalities. Enhance controls to reduce impact on other risks, such as improving any trade-offs made between security, resilience and/or performance.

Bottom line: A true mark of a commercially-oriented security program is to be perpetually optimizing control performance even after risk has been reduced to the right levels.
