The Risk of Risk Assessments (Part 2)

In an earlier post, we addressed a potential catch-22 with risk assessments:

The organization’s stakeholders (e.g., business process owners and systems owners) must recognize, adopt, and address the threats and mitigation plans detailed in the risk assessment. If they don’t, then what was the point of the risk assessment?

Before conducting a risk assessment, an organization (usually) has a sense that it needs one. And that's a very important part of the problem: realizing that a problem may exist. Whether they are trying to hide insufficiencies from management or refusing to accept that something actually could be wrong, people tend to be bashful about, and even threatened by, identifying, recognizing, and (of course) taking responsibility for areas of risk within the organization.

So what’s the message? Check the ego at the door. The information and benefits gleaned from a thorough risk assessment outweigh any short-term gains from covering up the problem. Be proactive. Be concerned. Hopefully your systems will be more secure, your processes more streamlined, and who knows… maybe you’ll get a raise or promotion. When that happens, contact us - drinks are on you.



