
An article received via Bruce Schneier’s blog, Schneier being one of the leading experts in security. Although the perspective usually taken in his work is strictly that of security, both logical and physical, this post is so close to the essentials of risk management that I think it can be very useful when read from a project management perspective.

The original article was written in 2009 and is only 11 pages long, so it is well worth a quick read, at least the first 6 pages, since the remaining ones cover several case studies. I would highlight the conclusion, which I wouldn’t dare classify as pessimistic but rather as realistic and well grounded in daily experience:

We are good at fighting yesterday’s fires. But new risks—avian flu, innovative financial crises, pollutants long ignored, climate change—continuously emerge, and old risks wax and wane. Unfortunately, collectively and individually, we have the penchant for neglecting important elements of risks, including determining which ones are important. For that sin, we suffer both higher risks and higher costs.

From the article, some conclusions and further work have been extracted that are also of interest, in addition to the summary shown in Schneier’s post (the five neglects):

    1. Probability neglect – people sometimes don’t consider the probability of the occurrence of an outcome, but focus on the consequences only.
    2. Consequence neglect – just like probability neglect, sometimes individuals neglect the magnitude of outcomes.
    3. Statistical neglect – instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb (if any heuristics), which can introduce systematic biases in their decisions.
    4. Solution neglect – choosing an optimal solution is not possible when one fails to consider all of the solutions.
    5. External risk neglect – in making decisions, individuals or groups often consider the cost/benefits of decisions only for themselves, without including externalities, sometimes leading to significant negative outcomes for others.

A process has also been defined to help overcome these neglects:

    Step 1 Identification and recognition of a near-miss
    Step 2 Disclosure (reporting) of the identified information/incident
    Step 3 Prioritization and classification of information for future actions
    Step 4 Distribution of the information to proper channels
    Step 6 Identifying solutions (remedial actions)
    Step 7 Dissemination of actions to the implementers and general information to a broader group for their knowledge
    Step 8 Resolution of all open actions and review of system checks and balances

The focus of this work is the base of the risk pyramid, where the impact of each event is lower but the number of events to be considered is far larger.
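To make the first three neglects and the pyramid argument concrete, here is a small worked example in Python. It is an added illustration, not code from the article or from Schneier’s post: the risk register below is constructed, the values are illustrative, and the `update_probability` helper is an assumed Beta-Binomial style update used to show continuous revision of a small probability instead of a rule of thumb. It ranks the same register by consequence only (probability neglect), by probability only (consequence neglect) and by expected loss, then splits the register into the top and the base of the pyramid to show where the aggregate expected loss actually sits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual probability of occurrence, 0..1
    impact: float       # loss if the event occurs, in arbitrary currency units

    @property
    def expected_loss(self) -> float:
        return self.probability * self.impact


# Constructed register for illustration only; not taken from the article.
REGISTER = [
    Risk("Data-centre fire", 0.01, 5_000_000),
    Risk("Phishing-driven credential theft", 0.60, 80_000),
    Risk("Laptop left in taxi", 0.90, 5_000),
    Risk("Key supplier insolvency", 0.05, 600_000),
    Risk("Misconfigured backup job", 0.40, 50_000),
    Risk("Expired TLS certificate outage", 0.50, 20_000),
]


def _rank(risks, key):
    """Return risk names ordered from highest to lowest by the given key."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def rank_by_consequence(risks):
    """Probability neglect: order by impact alone."""
    return _rank(risks, lambda r: r.impact)


def rank_by_probability(risks):
    """Consequence neglect: order by likelihood alone."""
    return _rank(risks, lambda r: r.probability)


def rank_by_expected_loss(risks):
    """Order by probability x impact, which is what both neglects discard."""
    return _rank(risks, lambda r: r.expected_loss)


def pyramid_tiers(risks, high_impact_threshold):
    """Split the register into the top (few, high impact) and the base
    (many, low impact) of the pyramid and total the expected loss of each."""
    top = [r for r in risks if r.impact >= high_impact_threshold]
    base = [r for r in risks if r.impact < high_impact_threshold]
    return {
        "top": {"count": len(top), "expected_loss": sum(r.expected_loss for r in top)},
        "base": {"count": len(base), "expected_loss": sum(r.expected_loss for r in base)},
    }


def update_probability(prior_p, prior_weight, events, trials):
    """Statistical neglect remedy (assumed helper): revise a probability
    estimate from observed events/near-misses. Treats the prior as a Beta
    distribution with mean prior_p and weight prior_weight (pseudo-counts),
    and returns the posterior mean after `events` hits in `trials` periods."""
    return (prior_p * prior_weight + events) / (prior_weight + trials)


if __name__ == "__main__":
    print("By consequence only:   ", rank_by_consequence(REGISTER))
    print("By probability only:   ", rank_by_probability(REGISTER))
    print("By expected loss:      ", rank_by_expected_loss(REGISTER))
    print("Pyramid tiers (>=500k):", pyramid_tiers(REGISTER, 500_000))
    # A 1% annual estimate, held with the confidence of 100 periods of data,
    # revised after 3 near-misses observed in 100 further periods.
    print("Revised fire probability:", update_probability(0.01, 100, 3, 100))
```

The three rankings put different items first: the fire leads on consequence, the lost laptop on probability, and only the expected-loss ordering keeps both in view. The tier split is the pyramid point: the four low-impact items, which a consequence-only ranking pushes to the bottom, carry slightly more aggregate expected loss than the two headline items, so ignoring the base is not a safe simplification.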

Risk Pyramid