Gartner Blog Network


Q4 Challenge: Drop “Risk,” Be More Precise

by Ben Tomhave  |  October 2, 2013  |  5 Comments

I’ve decided to try something a little different. Near the beginning of each quarter I’m going to issue a challenge to everyone (colleagues, clients, vendors, etc.) in order to see if we can’t tackle a common obstacle to business and security. We’ll see how it goes, and I hope you’ll both participate and keep me honest throughout the designated timeframe!

For Q4 2013, here’s my challenge: I challenge you to drop the word “risk” from your vernacular in favor of using more precise language. “Risk” is often accurate in a variety of conversations and scenarios, but it’s rarely the best word possible. Instead, we should strive to be more precise in our language, especially since “risk” has become so commonplace in marketing literature the world over.

For example, when you say “risk,” you may be talking about:

  • How to reduce losses, such as from fraud, incidents, or breaches.
  • How to limit the impact of vulnerabilities.
  • How to limit the impact of (specific) threat actors or threat communities.
  • How to improve operational efficiency or effectiveness.
  • How to reduce uncertainty in areas like uptime/availability, data integrity, capacity planning, etc.
  • How to patch systems in a timely fashion.
  • How to respond to audit or security test (such as pentest) findings.
  • How to maximize or optimize data confidentiality.
  • How to ensure an appropriate level of trust, particularly of asserted identities.
  • Etc.

Instead of throwing around the nebulous term “risk” in the coming quarter, I urge you to choose a word that is more meaningful and less likely to be misunderstood, misconstrued, or outright ignored. For example, if you’re talking about how to reduce financial losses due to fraud, talk about fraud and loss instead of “risk.” Specifically, are you trying to reduce losses, increase efficiency or effectiveness, or do something else? Can you state that in a meaningful manner that the business will understand?

What do you think? Can you go a quarter with minimal use of the term “risk”? Do you think it will help improve communication? Please report back on what you’ve found! :)


Ben Tomhave
Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.


Thoughts on Q4 Challenge: Drop “Risk,” Be More Precise



  2. Jack says:

    Interesting challenge! I’m afraid the nature of what my company does limits my ability to drop “risk” from my vernacular. That said, I do try to use the term “loss exposure” as much as possible to avoid some of the ambiguity you mention.

    From what I’ve seen, “risk” (in a general context) tends to be a poor substitute for these less ambiguous terms:

    * Loss exposure
    * Uncertainty
    * “probability” as in “What’s the risk of that happening?”
    * Concerns or conditions that contribute to loss exposure — e.g., control deficiencies, threats, asset, etc. (“That weak password is a risk.” or “How many risks do we have?”)

    Thanks,
    Jack

  3. Ron W says:

    Fascinating challenge. It’s similar to not using any form of “to be” (is, am, are, was, were, be, being, been). It forces you to think about what you’re saying and employ precision. (Side challenge: avoid using forms of “to be.”) The many formal and informal definitions of risk cause a diffusion of its meaning. My son participates in High School Debate and taught me the importance of defining terms that you use.
    What do you recommend using instead?



