Ramon Bosch brings more than 15+ years of technical and strategical knowledge in value engineering and risk and compliance to his role at Microsoft.
Ramon helps business and technology decision makers identify, calculate and communicate the return on large capital expenditures. He has an extensive track record in Europe, the Americas, Africa and the Middle East, guiding organizations in their pursuit of digital transformation, with a special focus on total cost of risk and business agility.
As a Value Engineering Executive with Microsoft’s Global Enterprise organization, Ramon works with chief financial, procurement, security and privacy officers, aligning their information technology and risk management strategies to business imperatives, whilst limiting their exposure.
In the following Q&A, Ramon deep-dives into risk quantification and how regulatory changes affect this.
Q. What do we mean when we talk about risk quantification?
Ramon Bosch (RB)
Theoretically, all things are inherently quantifiable. If something is not quantified, then it would be reasonable to state that it doesn’t qualify as a thing to begin with. Risk, insofar as it refers to the probability that harm might be experienced because of exposure to a hazard, is not only a thing, but arguably one of the most important things one could strive to quantify.
Risk quantification, broadly speaking, is the assessment of the probability and impact of harm. In short, what is the expectation of something bad happening, and when it eventually does, how acute might the pain be?
Organizations concern themselves with risk – all types of risk, as it cannot be decoupled from the pursuit of opportunities. The developments that have led to information being the most valuable asset any organisation owns, as well as digital being the realm of their endeavours, have put the spotlight of concern on information risk, specifically.
Risk quantification, in this context, is the process of evaluating all the possible ways in which bad things could happen to an organization, as a result any of the many things that could go wrong when processing information and, crucially, determining how much damage might have to be endured.
Q. Why is accurately quantifying risk important for businesses? And how do you convince boards and executives that it is important?
Edwards Snowden once said: “If you’re trying to eliminate all risks from your life, what you’re actually doing is eliminating all possibility from your life.”
Indeed, to the degree that doing anything, necessarily involves risk, businesses should want to get exposed to risk. To determine whether the risk taken on is commensurate with the potential of their opportunity, is the hard part. That’s why quantifying information risk, as accurately as possible, is so important. Not that quantifying the opportunities brought about by digital transformation is any less hard, of course.
As far as I can tell, boards and executives very much subscribe to this notion, and base their decision making on it. I am more concerned about how I see technology practitioners grapple with risk, however. It would seem that, more often than not, they are on risk prevention mission, rather than enabling their organization to take risks, and therefore enable business itself.
Q. In what ways can it be difficult to quantify risk?
It is incredibly hard, in all the ways in which hard things are. That’s why actuaries are paid so much. This is not a flippant observation – it’s simply a matter of fact. Yet, when it comes to assessing information risk, it is not uncommon to see organization put the burden on their information technology teams, whom – needless to say, are not equipped to deal with actuarial science.
Most boards and executives would not deal with business risk in such a way, yet after a period of digital transformation, involving specialists to accurately assess information risk is still not an established practice.
Q. What mistakes do businesses commonly make in this area?
I would refer to in in terms of missed opportunity, rather than error.
Regardless of information risk having been quantified (most organizations would make an informed guess in the absence of a formal process), few technology practitioners have outfitted their information risk management strategy with the means to establish a connection between risk controls and quantified risk. That is to say, they are not able to determine by how much risk would decrease with the enablement of a specific control.
Where technology is concerned, this leads to situations where the business case can’t be satisfied for investing in technical controls by way of acquiring and deploying new solutions. Few organizations would invest without a clear articulation of expected returns.
As I noted earlier, the goal shouldn’t be to decrease risk for the sake of it, but rather to keep it within an acceptable envelop so that the organization may take increasing risks. Lacking the controls for it, due to an inability to justify their cost, ultimately inhibits the mission of the organization.
While no recognized approach exists to determine causality between controls, their enabling technologies, and quantified risk, the basic tools have been available to practitioners for quite some time.
Most organizations follow the prescriptions of risk management frameworks such as ISO 27001 or NIST 800-53. It is possible to score the weight of those prescriptions (the controls), relative to the whole of the information risk, which the framework is designed to address. Describing the technologies that enable each of the prescriptions and using the score of those as a proxy for quantified risk, should yield an understanding of the value – absolute and relative, of each technology solution.
Albeit imperfect, applying a method towards measuring the impact on quantified risk of any given technology, would allow practitioners to better serve their organizations in the pursuit of risk taking, and business itself.
Q. How have regulatory changes affected the quantification of risk?
To some extent, increased regulation of information processing activities has contributed to driving upwards the magnitude of impact as well as exposure.
There are now more ways in which bad things could happen to an organization, as a result of a growing list of things that a regulator would consider unacceptable. The potential damage resulting from regulatory action, including fines, is also considerably higher. One could argue that this is commensurate with the opportunity of digital transformation.
Whereas probability and impact of harm might have gone up, it is also worth noting that, from a quantification perspective, and especially considering the approach I described earlier predicated on ascribing value to technologies by virtue of mapping them to the prescriptions of a framework, the introduction of new, more precise regulations, has also led to more options for practitioners to assess the merits of their investments.
To the degree that the ability to do business and take risks is a function of making the right investments in information risk management technologies, more and better regulations are a positive development.