It’s often said that IT risk is just another type of business risk, not different than the risk of hiring a new person, or the risk of a new product or a new acquisition.
I recently listened to the audiobook “The Undoing Project”, which is the story of Amos Tversky and Daniel Kahneman and their development of the foundational concepts of behavioral economics. The book is a great read for anyone familiar with their work, though it does not bring any new insight if you’ve already read “Thinking Fast and Slow” and works by Dan Ariely. On this listen, though, something clicked in me when the author recapped discussions about how people value bets. Consider this scenario:
You are given two options:
- A $500 payment
- A 50% chance of a $1000 payment, and a 50% chance of nothing.
Most people given this choice will take the $500 sure thing option. We require the amount to be a significantly higher in option b to take that bet, even though they stand to make double the money.
Now consider this scenario:
You are given two options:
- A $500 fine that you must pay
- A 50% chance of a $1000 fine that you must pay, and a 50% chance that you pay nothing
In this scenario, most people become risk seeking and chose option B, even though it may cost them twice as much. We require the potential loss in option b to be significantly higher to select option a.
How does this relate to business risk? First, businesses are led by people, and those people have the same bias as above. I contend that there are (at least) two distinct types of business risk that we need to keep separate in our minds:
First, investment risk. This is the risk arising from investing in some new “thing” that has the promise of generating more money. That “thing” could be a new employee, a new product line, an acquisition, and so on. There is a chance that the venture fails, and the money is lost, but a (hopefully) much larger promise of increasing revenue and/or profits. This very likely explains why many companies won’t take major bets, often opting for something closer to a “sure thing” payoff.
Second, risk of loss. This is the risk arising from things like theft, fire, flood, data breaches, and so on. It’s all downside risk. This is the second scenario above. To what extent do business leaders avoid a sure thing loss (the $500 fine) in the form of increased spending on IT security, because they do not full comprehend the actual potential loss?