Systematic Risk Management Blog

Proactive vs. Reactive Risk Management: A Case Study

Posted by Vernon Grose on Thu, Jan 30, 2014 @ 16:01 PM

The topic of risk management has been all over the news lately. Let me direct you to two highly publicized examples that highlight the importance of proactive management of risk:

The first involves the hacking of customer databases at Target.  In that case, over one hundred million customers had their account information compromised.  Target acted quickly to minimize the breach by shutting down remote access to two websites used by employees and suppliers.  Then they worked to locate and close the hole in their system that allowed the breach in the first place. They also worked quickly to manage the public relations aspect of the incident, and to help customers mitigate the impact of the breach on them personally.  And this process is ongoing.

It’s obvious, based on their quick and ongoing response, that Target has some sort of proactive risk management strategy in place that has enabled them to maintain control of the situation. However, one could correctly argue that a more proactive approach to their cyber-security risk might have enabled Target to identify the potential breach in advance, and take the necessary steps to avoid it.

The second example involves the National Security Agency’s (NSA) collection of telephone metadata.  Recently, President Obama gave a speech at the Justice Department where he outlined the steps his administration would take to balance national security with individual privacy relative to NSA activities.  The steps he outlined were the result of several months of analysis by a panel he appointed to study the issue and make recommendations. All this was an effort to mitigate the effects of the metadata gathering program being made public by Edward Snowden.

What makes this story germane to the topic of controlling risk is that the government clearly didn’t plan in advance for the possibility of that information being made public.  If they had, the President would have been much better prepared to address the issue, and he could have done so much sooner.  So, rather than maintaining control of the issue, they're forced to react to criticism and demands from Congress, the media, and the public at large.

This reactive approach to risk management has painted the administration into a corner and resulted in a policy and political controversy that shows no sign of dying down anytime soon. These are both examples of very large organizations that face a variety of risks on an ongoing basis.  While both stories continue to play out, it's clear that Target had a more proactive response to a loss than the NSA did.  More importantly though, a more proactive approach to anticipating and controlling risk would have greatly benefited both Target and the NSA.

For expert help in developing and implementing a comprehensive risk control strategy for your organization or company, contact us online or call 703-892-1905.

Topics: ERM, prevention, political risk, disaster, excuses, security breach