The use of Probabilistic Risk Assessment in software development risk registers

Last week I was writing some documentation that required a risk register table (a.k.a. a risk log). The risks for this change were very low probability but would have a very high impact, and it struck me at the time that without being able to calculate the probability with some greater level of accuracy, the value of the entire table was somewhat diminished.

Fast forward a couple of days and I was listening to Risky Business #191 (Nuclear weapons security and infosec), where that exact topic was covered from two different angles: information security and nuclear weapons.

The discussion is with Brian Snow (a former technical director of information assurance for the NSA in the US) and talks about a recent security review of US Department of Energy Nuclear Weapons Facilities which concluded that Probabilistic Risk Assessment (PRA) is not suited to managing risk in malicious environments. It's great for modelling likely failures of power supplies in data centres, but not so good at modelling attack scenarios.

It’s an interesting discussion which is worth a listen for anyone who deals in risk registers (even more so if you deal in nuclear weapons or information security), and while listening I found myself nodding in agreement as so many of the points discussed mirrored my experiences of a couple of days prior.

It comes down to a simple question: what use is a risk register if high-impact, low-likelihood adverse events can't be reliably quantified?

Sure, there's some value in making sure risks are documented and have at least been discussed, so there's some level of awareness. However, if any final decision-making or budgeting is done based on the overall risk score, then the lack of accuracy in the probability figure throws a lot of that value straight out the window.

