Quick question. Can you think of a good example where your risk management efforts thwarted a high impact loss?
I know, it's a hard question, since you can't say for certain that the impact would have been material when it didn't happen. However, we point to examples all the time when someone else gets hit. Leveraging evidence from peer groups is a must-have tactic (e.g. the public Google hack); recall "strike while the iron's hot." Plus, we leverage our own incidents to justify immediate and future control improvements.
That got me thinking: the best moments in my career came after significant incidents. We had the evidence needed to mature, measure, improve, and show the value of building a transparent and accountable IT service.
I have a confession to make: this post was inspired by an article about the BP disaster. Its premise was how much better prepared the government and the oil company will be to prevent and respond to catastrophic spills.
Fortunately, we don't have to wait for a huge loss to act. We can (and must) distill the evidence we have from peers and smaller incidents to help spend wisely on improved response and preventative controls. That's what I love about risk management: evaluating past and current evidence to help business leaders allocate resources. If we're wrong, at least our peers will benefit.