© 2011 by Taylor & Francis Group, LLC
Risk Assessment, Analysis, and Procedures
What are your risks? Are your risks primarily with people? In most
cases, people cause risks based on the decisions that they make.
Whether the disclosure of sensitive information was caused by an accident,
a series of accidents, or the deliberate actions of a person, the result is the same:
the information was disclosed. Preventing that disclosure is what we
are trying to do with risk management. Our first step is to perform
a risk assessment. In any risk assessment, we make assumptions and
deal with constraints. The accuracy of our risk assessment depends on
whether we can trust the information being presented. How much we
can trust that information depends on whether it is fact, calculated,
estimated, or guessed. In most cases today, we do not know how much
trust we can put in the information. This next section deals with some
of that trust and how we can improve our ability to add more confidence
to our decision-making processes.
Making Decisions: Fact or Fiction? How Do You Decide?
In their book entitled Hard Facts, Jeffrey Pfeffer and Robert Sutton
(2006) discussed evidence-based management. Their interest in
evidence-based management was inspired and guided by evidence-based
medicine management. While evidence-based management is far from
being totally embraced, the newer generation of doctors and teaching
hospitals are adopting this approach and taking these best results to
bedsides. Their research indicated that many successful companies
such as Cisco, Intel, and Harrah's have adopted this approach.
Evidence-based medicine and evidence-based management require a
mind-set with two critical components: first, willingness to put aside
belief and conventional wisdom, the dangerous half-truths that many
embrace, and instead hear and act on the facts; second, unrelenting
commitment to gather the facts and information necessary to make
more informed and intelligent decisions, and to keep pace with new
evidence and use the new facts to update practices. (Pfeffer and Sutton,
Adopting evidence-based management does take a fundamental
shift in thinking, because the reality is that many decisions are
made on guesses, opinions, and so-called expert advice. Yet if we
look at getting the wrong information to the wrong person at the
wrong time, we see the potential for liability and poor decisions. So
how do you adopt an approach that will start you in the right direction?
By asking the right questions. Jonathan Koomey, in his book
entitled Turning Numbers into Knowledge, discusses verifying information.
Chapter 15 in that book describes how guesses can become
facts, where an estimate became a fact used by the U.S. Department
of Energy Information Administration. In Chapter 19 he noted that
facts are interpreted through a person's values, and this may distort the facts.
So how do you distinguish between facts, calculations, guesses, and
estimations? How is that affected by the values of the person presenting
this information?
It was pointed out to me that many decisions are made based on
limited information. We need to recognize that we cannot have all
the information available to make the best decision, and that in a given
situation where time is of the essence, we make decisions based on
the information present. There also may be a personal agenda for the
person providing the information that could reduce the amount of
information and bias the information. One can always point out that
the order to engage in a war with Iraq was based on misinformation
regarding weapons of mass destruction. We do not know why, who,
or any other detail about the individual's agenda for giving this information
to the president, but we know now that it led to a decision to
invade Iraq. Similarly, as a CIO you are given information, and you
need to determine whether the information is based on facts, calculations,
estimations, or guesses, and whether there are agendas at play.
An approach that you can deploy is to determine your confidence
level in the information being presented to you to make decisions.
This approach provides a way to make informed decisions. When