
Avoid Monetizing Safety Risk



Last year I attended an international risk management conference and was quite shocked by one of the sessions I attended. One of the presenters said, “ERM’s job is to protect the balance sheet.” Enterprise risk management (ERM) is a function that must address all types of risk, not just financial risk.
Monetizing risk and normalizing risk are two of the biggest problems risk practitioners face. Monetizing and normalizing risk makes it very easy to report risk exposure and risk treatment cost but obscures the true risk impact. When risk impact is obscured or undervalued, it causes decision makers to make very poor decisions. This is especially true for safety risk, where poorly managed risk events can lead to loss of life.


How much is human life worth? [1]

When asked this question, many people’s response will be “Human life is priceless.” Unfortunately, the desire to monetize risk impact has given rise to the need to quantify the value of human life. The international standard for the value of human life is $50,000. The Stanford Graduate School of Business conducted research a while back that indicates the actual value of human life is $129,000. Anyone who has lost a loved one would likely argue that these values are woefully inadequate.

Monetizing risk impact causes these values to be used by decision makers to make decisions about what safety guards are worthwhile and cost-effective. Consider a safety risk event that has a risk impact of $2.5 million and a risk treatment cost of $4.4 million. Many decision makers would simply accept this risk because the treatment cost is nearly twice the potential impact, and it doesn’t make economic sense to spend $4.4 million to save $2.5 million.

There would likely be a very different outcome if this risk event were presented to decision makers as a safety risk event that could cause 50 people to lose their lives, with a risk treatment cost of $4.4 million. I would like to think that decision makers would choose to spend the $4.4 million to save 50 lives. Please note, 50 lives multiplied by the international standard value of human life of $50,000 is $2.5 million. As you can see, monetizing risk impact can dramatically change the equation.

ERM’s job should be much broader than simply protecting the balance sheet. ERM’s job is to manage all types of risk including budget risk, schedule risk, quality risk, safety risk, reputation risk and mission risk.

Mayo will present “How Culture Affects ERM” at EuroCACS 2016, 30 May – 1 June, in Dublin.

Footnote
[1] Kingsbury, K. (2008, May). The Value of a Human Life: $129,000. Time.

Joseph W. Mayo, President, J.W. Mayo Consulting Services

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, SACS, CISM, CCSP, CCSK, GICSP, CASP, CIW-WSP, PCNSE7, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
