Integrative Risk Management

Investigators

Description

Risk management, including risk analysis and risk control, is core to the concepts of the College of IST, as well as to the world we now live in. The guiding question for Integrative Risk Management research is "what should decision-makers do about risk?" The answer, of course, depends on how great the likelihood and impact of the risk to the organization might be, and on the value of the exposed assets. The background for this work is the belief that risk management can be improved. The four basic ISO/IEC (2009) or NIST (2012) steps in risk analysis are so straightforward that they can also create a false sense of security. Often, despite best efforts, luck and probability are mistaken for preparation and defense.

Ironically, managing risk is an ongoing problem that should begin by admitting "failure." Kaplan & Garrick (1981) long ago advocated appending "N+1" to lists of identified risks to represent all the risks not yet identified. Including "N+1" communicates to stakeholders an ongoing need for risk analysis. Risk identification is the first step in risk management. Unfortunately, traditional approaches are often incomplete and haphazard. Whereas obvious risks are readily identified, identifying all known risks is considerably more complex. As such, Integrative Risk Identification chains together protector-views and narrow scopes to overcome traditionally superficial approaches.

Another irony is that risk identification is also required prior to implementing treatments for known risks. "Heterogeneity" refers to the pesky differences between risk treatment plans and actual practice (Kammen & Hassenzahl, 1999). In some cases, risk treatments create new risks. In other cases, risk treatments cannot be implemented as planned. Either way, unexamined risk treatments can create a false sense of security that becomes newsworthy when they fail, as with the 2014 armed intruder at the White House, the 2015 Germanwings pilot murder/suicide, the 1986 Space Shuttle Challenger disaster, or the 2015 TSA breach failures.

References:

ISO/IEC. (2009). Risk management – Principles and guidelines (ISO 31000:2009) (36 pp.). Geneva, Switzerland: ISO International Standard.
Kammen, D. M., & Hassenzahl, D. M. (1999). Should we risk it? Exploring environmental, health, and technological problem solving. Princeton, N.J.: Princeton University Press.
Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk. Risk Analysis, 1(1), 18.
NIST. (2012). Guide for conducting risk assessments (Special Publication 800-30) (95 pp.). Washington, D.C.: National Institute of Standards and Technology.