From Tom Scholtz’s presentation at Gartner Security & Risk Summit 2013 on lessons learned in IT Risk Management:
- Understand that business users have a limited appetite for risk management as a topic (i.e., don’t overdo it)
- Ideally, risk assessment is performed on business processes (vs IT assets or services)
- Risk interpretation is personal — there is no correct answer
- Don’t try to use only one risk assessment method for all assessment scenarios — one size does not fit all
- Don’t use security & risk operational metrics when communicating risk to leadership — convert them to business objectives
- Risk affinity for individuals and organizations changes over time
- In many IT risk cases, quantitative risk analysis is impossible (because of lack of relevant actuarial data)
- In the quest to simplify, don’t try to roll up multiple independent risks into one metric
- Always link risk management activities to business objectives
- Focus on risks that we can do something about
Finally, though this may be an unpopular sentiment among some practitioners, risk should be treated more like an art than a science, with the focus on gaining and documenting experience* and on continuous improvement.

*(See my post Inverting Sun Tzu.)