On Saturday, my son-in-law described his passion and interest in the neuroscience of fear. As a black belt martial artist, he is skilled in knowing how to defend and, when necessary, attack. But he explained that there is a real difference between the emotions of worry and fear. The skilled martial artist knows how to avoid fear, in part because he controls the way he reacts to risk; what might be truly fearsome to most of us is, to the trained fighter, merely a worry. Action is required to avoid injury, but the action is not fear-based. There are certainly times when we need to react because we truly fear some outcome, but often the reaction is ill-considered and, sadly, ineffective at deterring what has made us afraid. How does one evaluate the situation at a particular instant in time and control the fear? This question is his focus, and it is absolutely fascinating.
Then, today I spoke with Jeff Lowder, president of the Society for Information Risk Analysts (SIRA). SIRA exists to improve how we analyze risks to information. In our discussion, we began to explore what it means to manage risk—what is one managing? Where did the idea originate that business management embraces managing risk? Is one managing the objectives of the business, or trying to manage the likelihood of events interfering with those objectives? If we accept that one cannot manage what cannot be measured (the essence of Six Sigma and other enduring management models), what must be measured to gain control of risks, and the likelihood of bad things happening?
These are surprisingly difficult questions to answer. But I wonder if those managing information risk can learn something by working out in the gym with a martial artist. When done well, both benefit from slowing down, assessing all of the surrounding circumstances, processing and evaluating the relevant indicators and evidence, and only then making rational, informed decisions. Yet so often those addressing risk management in business act more on fear than on the actual evidence around them. The professionals develop extensive controls, both offensive and defensive, for responding to risks, but rarely try to estimate the real probabilities and magnitudes of loss, and so cannot make the controls proportionate to them.
One dominant method of organizing risk analysis is to grade risks by color on a heat map: red for extreme risk, yellow for moderate risk, green for low risk. A color cell compresses likelihood and impact into a handful of ordinal bins and discards the magnitudes, so two risks that land in the same cell can differ by an order of magnitude in expected loss, and a "yellow" risk with a long tail can cost more in expectation than a "red" one. In a world in which we can measure and automate the assessment of so many variables, why are we still relying on a methodology that is not much better than fighting blindfolded, unable to sense and evaluate the variables that matter?
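To make the contrast between color grading and measurement concrete, here is an added example (not part of the original post, and not SIRA's or anyone else's method). It scores three constructed loss scenarios on a red/yellow/green grid with assumed bin thresholds, then computes each scenario's expected annual loss (annual event frequency times the mean of a triangular loss-per-event distribution), runs a small Monte Carlo simulation to get a loss-exceedance probability, and checks whether a proposed control's annual cost is proportionate to the loss it avoids. All scenario numbers, thresholds and control costs are invented for illustration.

```python
"""Grading by color versus measuring the risk.

Added example, not from the original post: the scenarios, the bin
thresholds and the control costs below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # estimated annual frequency of the loss event
    loss_min: float         # loss per event, plausible minimum (USD)
    loss_mode: float        # most likely loss per event
    loss_max: float         # plausible maximum loss per event


def heat_map_color(s: Scenario) -> str:
    """Red/yellow/green grading: two ordinal bins, multiplied. Thresholds are assumed."""
    likelihood = 1 if s.events_per_year < 0.1 else 2 if s.events_per_year < 1 else 3
    impact = 1 if s.loss_mode < 10_000 else 2 if s.loss_mode < 100_000 else 3
    score = likelihood * impact  # the grid only ever sees the most-likely loss
    return "red" if score >= 6 else "yellow" if score >= 3 else "green"


def expected_annual_loss(s: Scenario) -> float:
    """Closed form: frequency times the mean of a triangular loss distribution."""
    return s.events_per_year * (s.loss_min + s.loss_mode + s.loss_max) / 3


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler for event counts; fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: Poisson number of events per year, triangular loss per event."""
    rng = random.Random(seed)
    return [
        sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
            for _ in range(_poisson(rng, s.events_per_year)))
        for _ in range(years)
    ]


def loss_exceedance(losses: list[float], level: float) -> float:
    """Fraction of simulated years whose total loss meets or exceeds `level`."""
    return sum(1 for x in losses if x >= level) / len(losses)


def control_net_value(s: Scenario, annual_cost: float, frequency_reduction: float) -> float:
    """Expected loss avoided minus the control's cost; negative means disproportionate."""
    return frequency_reduction * expected_annual_loss(s) - annual_cost


SCENARIOS = [  # constructed numbers, not real data
    Scenario("phishing credential theft", 2.0, 5_000, 40_000, 200_000),
    Scenario("ransomware on file server", 0.8, 20_000, 80_000, 900_000),
    Scenario("website defacement", 3.0, 2_000, 12_000, 20_000),
]


def rank_by_color_and_by_loss() -> list[tuple[str, str, int]]:
    """(name, heat-map color, expected annual loss) per scenario, most costly first."""
    rows = [(s.name, heat_map_color(s), round(expected_annual_loss(s))) for s in SCENARIOS]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for name, color, eal in rank_by_color_and_by_loss():
        print(f"{name:28s} {color:7s} expected annual loss ${eal:>9,}")
    sim = simulate_annual_losses(SCENARIOS[1])
    print(f"P(ransomware losses >= $500k in a year) = {loss_exceedance(sim, 500_000):.3f}")
    # Hypothetical controls: MFA against phishing, a WAF against defacement.
    print("MFA vs phishing, net value:", round(control_net_value(SCENARIOS[0], 40_000, 0.9)))
    print("WAF vs defacement, net value:", round(control_net_value(SCENARIOS[2], 60_000, 0.8)))
```

With these constructed inputs the grid marks both phishing and defacement red and ransomware yellow, yet the yellow ransomware scenario carries the largest expected annual loss, because its long tail (the `loss_max`) never reaches the color cell. The same numbers show a red-rated control (the hypothetical WAF) costing more per year than the loss it avoids, while MFA against phishing pays for itself several times over; that is the proportionality calculation the color grid cannot support.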
On Friday of last week, my wife was routinely reviewing our bank statement online and saw 12 transactions in four states within the preceding 24 hours. Of course, I had not left our home except to get groceries. Dang it—my debit card had been compromised, something we had suffered through last year when my wife’s card was compromised while we were travelling in France. Twice in one year! We were able to immediately call our bank, report the transactions, and cancel the card, and already the credits are being restored. On the one hand, the risks to us were properly managed, and our bank provided terrific support. But it left me wondering: if we have been compromised twice in one year, are the risks being properly managed? Is the fact that banks have fraud-reporting hotlines some indication that, in martial arts parlance, not enough training is occurring?
Over the next few months, I will be exploring the questions and the answers.