Stated and revealed preferences and risk management

Economists make the distinction between “stated” and “revealed” preferences—loosely defined as what we say versus what we do—when analyzing decisions and looking for utility. Luckily, in technology risk management the “what we do” part is readily available. It makes itself known in all our resource allocation decisions. When we determine a mix of activities to perform, we spend people money. When we make purchasing decisions, we spend service or capital investment money. All of these decisions reveal something about the perceived value of the activity relative to other actions.

Risk Appetite Redux

In the “Risk, risk everywhere and not an appetite for it” post I proposed the following spur-of-the-moment-inspiration-through-significant-dose-of-caffeine definitions for risk appetite and risk tolerance: “Risk appetite: This is your general, high-level expression of what you are, or aren’t, willing to risk in order to reach your goal. Get your goodies. Join the dark side to get your hot little hands on their cookies. Whatever it is that your long-term goal is. An example of a risk appetite would be: I’m happy to risk 10% of everything I have in order to get at least 20% profit.

Musings on risk appetite and complex issues

It could be just me, but every time there’s a need to present a complex topic to the executives or business leadership (topic for another musing, methinks) I get the typical looks of “oh no, he’s going to get all lectury again”. And it’s true, I prefer to present complex topics as complex, even if the style of presentation makes them approachable. There’s no way to dumb down something that’s complex without: also sending the message that sure, they may be leaders of the organisation, people that we entrust to make the right decisions, etc.

Intelligence values - also for risk management

I’m reading up on contemporary intelligence as part of my grad course and came across these six intelligence values. So far all I’ve read on intelligence reads very true to information risk management and often risk management as a whole. Have a read, see if the values for intelligence don’t marry neatly with risk management values: Accuracy: All sources and data must be evaluated for the possibility of technical error, misperception, and hostile efforts to mislead. Objectivity: All judgments must be evaluated for the possibility of deliberate distortions and manipulations due to self-interest.

Conventional thinking and risk avoidance

In large, slow-moving bureaucracies, conventional thinking and risk avoidance become paramount, irrespective of how many times a day people at that organization use the word “strategy” or “innovation.” Peak Intel: How So-Called Strategic Intelligence Actually Makes Us Dumber - Atlantic Mobile

Risk management and intelligence

When the intelligence business works, it helps create organizational cultures where empirical evidence and concern for the long-range strategic impact of a decision trump internal politics and short-term expediency. Peak Intel: How So-Called Strategic Intelligence Actually Makes Us Dumber - Atlantic Mobile

iPhone security - Still needs work done

Bernd Marienfeldt uncovered a major security hole in the iPhone’s armour (yes, another one). These risks should be mitigated to acceptable levels. Portable computing devices and electronic storage media that contain confidential, personal, or sensitive information should use encryption or equally strong measures to protect the data while they are in transit or stored. The Apple iPhone can’t fully satisfy the requirements. People should understand that the iPhone 3GS fails to provide full disk encryption (FDE), which is rendered useless by how the phone manages the protection of the encryption key, and that the authentication model for the FDE is also broken.