The Dos and Don’ts of a Balanced Risk Management Approach

Risk is an unavoidable reality for every organization. It can take many forms—from physical threats to data vulnerabilities—and can disrupt every facet of operations in the worst cases. But while your organization may not be able to dodge risk entirely, there are steps you can take to address it.

The practice of risk management helps prepare organizations to handle harmful situations before they arise. By identifying, assessing, and setting foundations for responding to threats, your organization will be better able to avoid, or at least minimize harm from, things like data breaches, cybersecurity flaws, and more. In this article, learn more about what organizational risk is, how to identify and prioritize risks, and ways you can manage them effectively. You’ll also get a cautionary example of how not to manage risk, so you can learn from the mistakes of others.

How to Create a Risk Management Approach

Typically, organizations respond to risk by setting up rules or processes to prevent risky situations from happening. These rules can range from building codes, to physical controls on office access, to complex accounting rules. Regardless of the threat, risk management efforts tend to share common trade-offs and requirements for success. Although there are many variables involved, a solid risk management process can be crafted in two main steps: defining scope and determining approach.

Defining the scope of your risk

The first step in any risk management effort is to clearly identify what risks need to be addressed. It may seem obvious, but failing to define clear goals is a common mistake in many business contexts. Risk management is particularly susceptible to scope problems—possible risk scenarios are countless and include threats that haven’t previously materialized. This presents a need to limit the range of scenarios addressed to something manageable, and also to resist the temptation to lump scenarios together into vague, poorly-characterized threats.

Your scope of risks should be broad enough to anticipate likely scenarios but narrow enough to ensure the policy isn’t too unfocused to be effective. You can narrow the scope of risks to consider only the highest-impact risks, the highest-probability risks, the risks that are easiest to mitigate, or any combination of these.

Determining your management approach

Once you’ve determined a proper scope for defining risk, it’s time to determine how you will assess and respond to possible scenarios. There are two fundamental ways to make risk management decisions: established protocols and case-by-case assessment. A balance between these two approaches should be tailored to address the specific goals of the risk management process.

Standing rules

When you create an established risk management protocol for your organization, you first study the problem carefully, make decisions about risk up front, and then capture those decisions in a standing rule. This approach has a few key advantages:

  • One-time investment: while it takes a substantial amount of work to do well, the work only needs to be done once. Users may need help interpreting and applying the rules, but there is no need to continually perform new risk analysis.
  • Predictability: once users understand the rules, they provide stability and predictability, which facilitates compliance and reduces transaction costs.
  • Enforcement: in the rule-based model, enforcement costs are typically lower. However, a risk program that seeks to curb or incentivize behavior to avoid risk is only as good as managers’ ability to enforce the behavioral nudge.

The disadvantage is inflexibility—no set of standing rules will ever be perfect, so you will inevitably face cases where a low-risk activity is prohibited by the rules, or a high-risk activity is allowed. You can adjust the rules to minimize the number of low-risk activities that are prohibited, or to minimize the number of high-risk activities that are allowed. However, it’s impossible to do both at once.

An example of this kind of decision-making is vehicle emission standards. Governments consider the environmental and health risks of vehicle exhaust and the economic costs associated with reducing emissions. Then they set a standard that vehicles must adhere to. Vehicle manufacturers, fuel providers, and other regulated stakeholders can—and must—plan to the one standard.

Case-by-case assessment

The other method is to approach each risk through a case-by-case process. This approach also has advantages:

  • Narrowly tailored: because the risk analysis looks at a single, real situation, you can tailor the analysis to only those factors applicable to the individual case.
  • More accurate: your organization can bring in specialized expertise as needed to conduct specialized research. This results in better decision-making—a lower chance that high-risk actions will be incorrectly identified as low-risk and approved, and that low-risk actions will be incorrectly identified as high-risk and disapproved.
  • Continuous learning: risk managers can take lessons from previous cases and immediately apply them to future risk decisions.

The biggest disadvantage of case-by-case methodology is that the process is work-intensive. You will need to conduct a new risk analysis for each circumstance. It also creates unpredictability for those governed by the process since, by definition, no one knows the outcome of a case-by-case decision in advance.

An example of this kind of decision-making is the process of granting political asylum. There are guidelines and processes that asylum officers and immigration judges follow in making these decisions. However, within those guidelines and procedures, each individual asylum request is a new decision made on its own merits.

The blended model

Effective risk management requires both methods. You’ll find that even the most rigid rules can have exceptions granted by someone in authority—this is true whether a procedure exists for granting the exception or not. Meanwhile, a case-by-case decision process must be associated with standing rules, if only to define when the case-by-case process will be invoked and who the decision-makers are.

A successful risk management process must strike a balance between standing rules and case-by-case decisions, using each in the circumstances where it is most appropriate. The following principles should help you decide which process to use in which instances:

  • Standing rules: When it is possible to identify clear categories of actions that are almost always low-risk, or almost always high-risk.
  • Case-by-case decisions: When the risk is high-impact. The costs of better decision-making are not justified when the impact of a risk is low. Case-by-case decisions are also best when situations are expected to arise only rarely. Attempting to create standing rules to cover every conceivable eventuality will result in overly complicated and difficult-to-use rules.

You might already recognize the blended model. It is the baseline model found in our Constitution. There are broad standing rules (the Constitution), and rules adopted by Congress (statutes). Both sets of rules can be interpreted or challenged on a case-by-case basis by the judiciary, who, for the most part, incorporate previous cases into improving the rule. The rules are somewhat predictable, with an outlet for case-specific risks or situations, and there is a process to revise the rules.

Department of Commerce’s ICTS Regulation: A Risk Management Cautionary Tale

One of the best ways to determine the right approach for your organization is to look at risk management in practice—perhaps especially when the example is a cautionary one. The Department of Commerce’s “Securing the Information and Communications Technology and Services [ICTS] Supply Chain” regulatory program is just such an example.

In late 2019, the Department of Commerce proposed the ICTS regulation to address the risk our country’s IT infrastructure faces from foreign adversaries. The regulation was likely sparked by concerns over the potential risks of allowing Chinese companies—particularly firms like ZTE and Huawei—to supply equipment for major portions of U.S. telecommunications infrastructure.

The Department of Commerce and the United States Government are concerned that adversarial companies will control or manipulate services critical to our national security. However, despite the well-intentioned and proactive nature of the proposal, it falls short of being effective. ICTS has clear issues both in its scope and in its unbalanced risk management approach.

ICTS’ scope problem

Nearly unlimited scope was one of the most frequent concerns raised by the public comments on the draft ICTS regulation. The regulations seemed to respond to a threat from a single country—China—and its ability, through its economic actors, to penetrate U.S. communications through supplier, customer, and other business relationships. Yet the way the draft regulations are worded, they could apply to any sort of transaction, and any potential actor, within the information technology sector—even a private citizen buying a cell phone made in Europe.

ICTS’ process problem

Commerce’s draft ICTS regulation truly fails in its balance between decision methods. It proposes to use only case-by-case decision-making. When combined with its failure to narrowly define the risks present within the telecommunications space, the result is a regulation that promises a stiff penalty for entities and behaviors that will only be defined after the action has taken place.

Which transactions will be prohibited and which will not? The regulation tells us only that Commerce will decide on a case-by-case basis. Risk management is a tool to guide proactive behavior—this regulation is reactive.

Moreover, since the regulation does not allow companies to ask for advisory opinions, the discretion on when to conduct a formal investigation is left strictly to Commerce. In other words, even the decision on when to make a decision is left to a case-by-case process.

If this regulation gets implemented as written, Commerce would need an internal process just to identify possibly-risky transactions and decide whether to bring them to a formal interagency evaluation. And because case-by-case decision-making is labor-intensive, in practice Commerce would only be able to target a small number of transactions out of the huge pool of potentially risky ones, with no clear indication of how they would decide which transactions to focus on.

Given the overwhelmingly negative public reaction to the proposed ICTS regulation, Commerce will likely rethink its approach. Hopefully, a next attempt will employ the principles discussed here to create a more workable risk management system.

When it comes time to determine how your organization will assess and handle risk, be sure to carefully consider the organization’s individual circumstances in order to incorporate the right balance of standing rules and case-by-case assessments. Doing so will save time, reduce headaches, and most importantly, position your organization to navigate risk with minimal disruption to your team, your operations, or your customers.
