There are three primary categories of risk organisations face:
- Death Line risk
- Asymmetric risk
- Uncontrollable risk
Death Line risk
Death Line risks are those risks that could kill or severely damage the organization.
Asymmetric risks are those risks for which the potential downside is much bigger than the potential upside.
Uncontrollable risks are those risks that expose the organisation to forces and events that it has little ability to manage or control.
Any decision or situation in an organisation might involve more than one form of risk.
Classic Example of Death Line Risk
In previous articles, I told the story of the 1996 Everest disaster that led to the death of some climbers.
That story is a classic example of a situation where the three types of risks were at play.
Rob’s decision to abandon the turnaround time to help his client reach the summit dramatically increased the risk of being caught in the dark and running out of oxygen. That was an unnecessary Death Line risk.
David was faced with a similar difficult decision.
He had to decide whether to let a Japanese teammate scale the summit or break her heart by ordering the descent.
Climbing Everest takes months, sometimes years of preparation.
Therefore, to refuse someone the opportunity to scale the mountain when they are a couple of miles from the summit is heartbreaking.
Those are the types of tough decisions leaders are sometimes confronted with.
David knew continuing to climb was a Death Line risk.
Classic Example of Asymmetric Risk
Rob’s decision to bring just enough oxygen canisters for a single summit attempt posed an asymmetric risk to his team.
Oxygen canisters are heavy and expensive, but a failed expedition is more expensive, and the loss of lives proved to be even more expensive.
Rob’s decision to take extra oxygen canisters mitigated the asymmetric risk to his team even though he knew the difficulties associated with carrying the extra oxygen canisters.
Classic Example of Uncontrollable Risk
Rob’s decision to climb on May 8 after a failed attempt to agree on different climbing times with other teams increased the possibility of uncontrollable risk to his team.
David, in contrast, realizing he could not control the date and time other teams were scaling the summit, decided to abandon this attempt when he noticed the mountain was getting overcrowded, minimizing his team’s uncontrollable risk.
Sometimes, the difference between life and death comes down to a split-second decision.
There are times that acting too fast increases risk.
By the same token, there are times when acting slowly increases risk.
The brilliance lies in knowing the difference and in knowing when your risk profile changes.
It could be seconds, minutes, hours, weeks, months, years or decades.
The difficulty lies not in answering the question but in asking the right question.
How Prepared is Your Organisation for a Cyber Attack?
In this series of articles, I have alluded to the fact that every organisation that is of any value stands the risk of experiencing a cyber attack.
Hackers are constantly scanning the horizon looking for targets to attack.
Your organisation could come onto their radar at any time.
This means that the risk profile of your organisation as it relates to cyber attack could change at any time.
Your organisation could be a day, a week, a month or a year away from experiencing a cyber attack.
Whatever the timeframe, it will depend on the moment hackers decide your organisation is worth attacking.
You, as the leader of your organisation, are left with two options.
Option one: you wait to be attacked before you react.
Option two: you take proactive action by engaging penetration testers.
Penetration testing helps organisations identify vulnerabilities in their network before they are spotted by hackers.
The current vulnerabilities in your network will be spotted.
The question is whether they will be spotted by a penetration tester working on your behalf or by a hacker.