Author Daniel Wagner and Dante Disparte
ISBN No 978-1-349-94860-4
Review date 19/06/2019
No of pages 415
Publisher URL http://www.palgrave.com/gb/book/9781349948598
Year of publication 24/04/2017
Global Risk Agility and Decision Making: Organizational Resilience in the Era of Man-Made Risk
Reasons to read a book don't come much better than those claimed for a hefty new work about risk, writes Mark Rowe.
The preface to Global Risk Agility and Decision-Making sets it out as bluntly as can be; it's a book about survival. "Having the ability to discern between perception and reality can make the difference between making the right moves on the global business chessboard and moving forward, or making a critical mistake." In one sentence, then, the authors make the case for risk management as not something nice to have or easily pushed aside by managers doing the real work, but crucial to staying in business, or even alive; because besides managing risk letting you take advantage of events, not acting on risk means consequences. For example, thanks to cyber, the 'sprawling surface area of global enterprises makes for millions of points of vulnerability', making the cyber risk manager's task thankless, and indeed sleepless.
To take the example of aviation: cockpit doors are secured, to mitigate the risk of suicide hijackers storming the cockpit and crashing the aircraft on purpose - as happened on 9-11; the mitigation came after the catastrophe. And the authors argue that all the cash and inconvenience at the airport has only 'created the illusion of effective airport security'; and here they point to the 2015 bomb in the Russian jet that flew from Sharm El-Sheikh in Egypt. For all the screening of passengers, the (less visible) screening of airport employees and cargo left commercial aviation vulnerable, as events showed. As the authors point out, risk is never 'managed' out of existence, but merely tamed, and unanticipated threats can emerge.
The authors early on make neat points about the difference between unforeseen and unknown (you might have known of the risk of unscreened cargo workers planting a bomb in an aircraft's hold, but it wasn't anticipated). Hence the difference between risk and uncertainty: risk can be measured, and generally understood, and uncertainty cannot.
The authors take us through risk management (as a process, for example) and then into what they call the 'global risk labyrinth', taking the examples of terrorism, 'economic and resource nationalism', climate change and cyber, and corporate social responsibility. Whether you are a corporate manager wanting to gain ideas, or a security or risk specialist, let alone a cyber-security specialist, there are chapters, or indeed all of this book, well worth the cover price.
The authors wrap up with 'effective decision making', in terms of managing specifics, anticipating, and governance. They make a case for humanity having a habit of making 'ill-fated collective choices'; in other words, getting it right or wrong is about 'soft skills' (being cautious and humble; and getting over the 'fear of failure' to report bad news to an organisation) as much as analysis and technicalities. Risk is dynamic - to repeat, managing it is a process, not something you get right once and for all - and believing that you've got a risk 'covered' is, the authors warn, 'often more dangerous than the risk itself'. And compliance, 'which in some cases is merely the act of grudgingly ticking boxes', is not enough for the 21st century.
Being adaptable and agile has always been, in the authors' phrase, 'the secret survival mechanism of the fittest'. Yet as the authors set out all too well, it appears to be hard-wired into us, or into organisations that are badly set up or too complex, to avoid bad news in the hope that it goes away. The authors argue that 'agile risk managers should be embedded in front-line teams', rather than risk managers being the proverbial 'gloomiest people in the room'. In an era of systemic cyber risk, they suggest, having nothing to hide, and having a reputation based on that, may well be the best cyber defence.
Managing risk is not easy. You have to stay up to date with the news, but work out what in the headlines, if anything, will have an impact on your sector, or company. Yes, worry about high-profile or even spectacular events such as acts of terrorism or kidnappings; yet risks that make it harder to do business in a place - and are beyond insuring, even - are 'insidious by nature'. Hence the 'importance of unvarnished opinions', not only of the risk manager himself, but of country managers: "The challenge is to be able to identify the correct trigger point for when to pull the plug." Unusually, to be frank, for a book by Americans, this one - it does after all have 'global' in the title - is at home outside North America, and draws on examples and case studies beyond the USA.
And the authors rightly wind up by pointing to the speed with which things can fall apart. The age of globalising information 'will show no remorse for the risk-averse', they say. That's one of many pithy remarks; another is that insurance is 'not a substitute for risk management, but merely a mechanism for financing losses'. In any case, cyber risk is hard to put a price on. If you are going to find a weakness in the book, it's that - to take cyber as an example - it points the way ahead, without giving detailed answers, though in fairness who can. For instance, as Wagner and Disparte say: "Creating a global information system that equips security services, organisations and consumers alike with safety, security and transparency, while protecting privacy, has proven to be one of the most difficult challenges of our times."
They rather spoil their final paragraph by including that vague phrase 'common sense' (isn't their book all about showing that good sense is far from common, as otherwise the 'new normal' would not be so dangerous?!). That apart, this book is outstanding and thought-provoking, and highly readable - far more readable than it could have been - about topics so important that any security and risk manager, and anyone in business, and indeed in the business of life, can read with profit.
Separately, a study released by BSI, with Cranfield School of Management, finds that business leaders are struggling to balance risk with opportunity, threatening the long-term survival of their firms. The report, “Organizational Resilience: A summary of academic evidence, business insights and new thinking by BSI and Cranfield School of Management”, assesses half a century’s accepted wisdom on best-practice management: visit https://www.bsigroup.com/en-GB/our-services/Organizational-Resilience/.