If I were to say the word ‘risk’ to you, what would you think of? Something to be avoided? Something to be embraced? Something that people hide behind to justify any action? All of the above plus a few more? Or something totally different?
Risk, like information and data, is everywhere and in most things. And like information and data, it can be mismanaged, with the result that understanding and application of it vary widely from one organisation to the next.
When was the last time you received risk training? Either ‘informally’ from an experienced colleague or ‘formally’ through a course etc.?
As DPOs, or indeed as information professionals, we ‘know’ risk, as it has been part of the profession for quite some time. Very few of us, though, have actually been formally trained in the art of risk management. We all have opinions on it, and every organisation does it differently. But can you say that you know the basics? And are those actually the basics of managing risk, or are they just how a particular person told you to do it?
Now I’m not saying what you’ve learnt is wrong, far from it. What I see a lot of when I see organisations and professionals is instead a wide range of approaches, and some barriers and misconceptions about how it works.
The first question to ask yourself is “do you know what risk actually is?” ‘Risk’ has many parts, and the phrase ‘that’s a risk’ is often used to highlight something that is actually something else, such as a bare event or a bare impact with no likelihood attached.
According to ISO 31000 (the international standard on risk management), risk is the “effect of uncertainty on objectives”, where an effect is a deviation from what is expected, and that deviation can be positive or negative. A risk therefore has 3 parts or ‘ingredients’ (because I do love a good baking metaphor):
- The potential event (the deviation away from what is expected)
- The likelihood of that happening
- The impact of that happening
So when thinking about Data Protection risks, we often frame the risk in terms of its impact, but that impact can usually be reached via several different events or routes. For example, I see the risk statement ‘risk of regulatory action due to inappropriate sharing of personal data’ used quite a lot. That event, ‘inappropriate sharing of personal data’, can it only happen one way? Does it happen the same way each time? Or are there multiple ways that data could be shared inappropriately? If so, what are they, and does each route really carry the same likelihood?
Take one of the risks you have recorded for something right now and take a look at it. Does that risk statement, or anything else in the entry, accurately explain to you, the reader, what the event is, i.e. the deviation from what is expected? Why, or why not? Is it too vague, or even too specific?
Does the risk entry accurately reflect the likelihood of it happening? Whether it does or not, why? Where does that knowledge come from?
Does the risk entry accurately reflect the impact of it happening? If so, on whom is that impact measured? Can you lump the impact on multiple types of ‘people’ into one risk, or is it better to separate them out? Have you, as many do, captured the impact on the organisation’s compliance but not the impact on the individuals concerned?
Risk runs throughout the GDPR, where the word ‘appropriate’ is used often, especially with regard to security and the wider technical and organisational measures (Article 32, for example, requires a level of security ‘appropriate to the risk’). And the best way of working out what is appropriate to what you’re doing is risk! So we DPOs cannot escape it. As Captain Kirk once said in the film Star Trek Generations when giving a piece of advice to the new Enterprise captain, “Risk is part of the business if you want to sit in that chair”.
One of the only lessons that my time at a large consulting firm taught me was to think outside of the box where risk is concerned. As human beings we ‘do risk’ all the time in our heads. For something like this, though, we have to get it out of our heads and written down to make sure we are being robust enough.
For example, when looking for threats to a processing activity or a piece of Personal Data, assume nothing is in place and discount nothing: you are looking at the risk before any controls are applied. What possible threats are there to that processing or data? From whom? When? What would have to happen for that to occur? What would have to fail, or not be in place, for that to occur? When working out threats, get them all down first. Only then work out the likelihood and impact of each. It’s great for thinking outside the box and for challenging assumptions about what your existing controls actually cover.
Risk can be dull and it can be confusing. But we DPOs have to engage with it, and engage with it well, if we want to be effective. If we can’t engage with and promote good risk management ourselves, how can we expect the organisations we support to? It’s exactly the same for Information and Records Management: if we can’t practise what we preach, how can we expect our organisations to?
I’m thinking about running a series of Data Protection risk skills workshops. Would these be of interest to you? If so, take a moment to complete the survey below so I can gauge interest. You can also sign up to the mailing list to hear about dates and other offerings via the website.