Please Stop Asking Me for a List of Your Top Risks (aka, Everyone Wants a Pony)

By Paul Proctor | October 15, 2013 | 1 Comment

There is no list of risks that is relevant to every organization, but there is a list of risks that is relevant to you.

I always get the question “what are my top risks?” It comes in different flavors: top BYOD risks, top risks in my industry, cloud, social media, data security, and so on. But it all amounts to me handing out a simple answer to a question that does not have a simple answer.

I understand why you ask. It would be nice to have a third party confirm the “most important” risks so you have a starting point and a basis for a standard of due care, all of which aids defensibility. The problem is, I can give you a list of high-level things you should be worried about, but I haven’t delivered anything of value. Trust me, our clients sense the lack of value before I’m even done answering the question.

I’m in a tough situation here (cue the violins). One of the most horrible things I can say to a client is “you’re asking the wrong question.” But you are. No one can tell you your risks, because each organization is unique. This is NOT a cop-out by me! Asking the question is a cop-out by YOU! You want me to tell you so you don’t have to do the work of understanding your organization. There, I said it.

It all comes back to why we do risk management. Good risk management should influence better business decision making. If it doesn’t, why are you bothering? A generic list of risks, disconnected from your organization, will not influence anything.

How to determine your list of top risks:

Start by identifying your desired business outcomes and the supporting business processes. Then identify supporting operational dependencies and risks that may impact the dependent business processes. Use a formal process and engage business stakeholders because they will better understand impacts on desired business outcomes. The most likely risks with the most impact on desired business outcomes are your top risks. There. Simple.

Example: Saying that sensitive information on a mobile device is a top risk is devoid of value until you tie it to the business processes that involve both mobile devices and sensitive information. For a hospital that deploys mobile devices carrying protected health information to manage patient care in select departments, that risk is a top risk, because it sits on a process the hospital depends on.
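To make the procedure above concrete, here is an added example (my own illustration, not the author’s method or any Gartner tooling) of a minimal risk register that only ranks a risk once it traces, through an operational dependency and a business process, to a desired business outcome. The hospital data, the 1–5 likelihood and impact scales, and the likelihood × impact score are all constructed assumptions for the illustration; a risk whose dependency no process relies on (the generic “phishing” entry) is deliberately left out of the ranking, which is the point of the post.

```python
"""Constructed example: rank risks only where they trace to a business outcome.

Outcome -> supporting processes -> operational dependencies -> risks.
All names and scores below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    dependency: str   # operational dependency this risk may impact
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (minor) .. 5 (severe) on the supported process


# Constructed hospital example (not real data).
OUTCOMES: Dict[str, List[str]] = {
    "Safe, timely patient care": ["Bedside care in ICU", "Medication administration"],
    "Regulatory standing": ["PHI handling"],
}
PROCESSES: Dict[str, List[str]] = {
    "Bedside care in ICU": ["Clinician tablets with PHI", "EHR system"],
    "Medication administration": ["EHR system", "Pharmacy dispensing system"],
    "PHI handling": ["Clinician tablets with PHI"],
}

RISKS: List[Risk] = [
    Risk("Lost/stolen tablet exposes PHI", "Clinician tablets with PHI", 4, 4),
    Risk("EHR outage during shift", "EHR system", 2, 5),
    Risk("Dispensing system mislabels dose", "Pharmacy dispensing system", 1, 5),
    # Generic item copied from a vendor list: nothing in this register depends on "Email".
    Risk("Phishing of finance staff", "Email", 4, 2),
]


def outcomes_for(dependency: str) -> List[str]:
    """Trace a dependency to every business outcome that relies on it."""
    hits = set()
    for outcome, procs in OUTCOMES.items():
        for proc in procs:
            if dependency in PROCESSES.get(proc, []):
                hits.add(outcome)
    return sorted(hits)


def rank_risks(risks: List[Risk]) -> List[Tuple[Risk, int, List[str]]]:
    """Return (risk, score, outcomes) for risks tied to an outcome, highest score first.

    Risks that trace to no outcome are excluded: they cannot influence a
    business decision, so they are not 'top risks' for this organization.
    """
    ranked = []
    for r in risks:
        outs = outcomes_for(r.dependency)
        if outs:
            ranked.append((r, r.likelihood * r.impact, outs))
    ranked.sort(key=lambda t: (-t[1], t[0].name))
    return ranked


def unlinked_risks(risks: List[Risk]) -> List[Risk]:
    """Risks that have not been connected to any business process (work still to do)."""
    return [r for r in risks if not outcomes_for(r.dependency)]


if __name__ == "__main__":
    for risk, score, outs in rank_risks(RISKS):
        print(f"{score:>3}  {risk.name}  -> {', '.join(outs)}")
    for risk in unlinked_risks(RISKS):
        print(f"  ?  {risk.name}  (not linked to any business outcome yet)")
```

The register is deliberately small; what matters is the shape, not the numbers. A risk only earns a place in the ranking by being attached to something the business actually depends on, and the `unlinked_risks` list is the to-do list for the stakeholder conversations the post describes.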

One way to look at this is that your top risk is that you have no way to identify your top risks.

Here’s the bottom line: I can teach you how to find a pony, but everyone wants me to just give them a pony. When I show clients a picture of a pony, they get upset because they already found that picture on the internet. Plus they already drew a picture of one that wasn’t half bad.

I get it, everyone wants a pony, but this is one you’re going to have to find on your own.

Follow me on Twitter (@peproctor)

1 Comment

  • Alan Proctor says:

    Wholeheartedly agree, but, then again, without first estimating annual losses to defined assets from likely (frequent) threats, “risks” are just what the security hardware/software vendors are currently clamoring. Never spend a dollar to protect a dime.