Read the book You CAN Stop Stupid - Ira Winkler - Page 43

Death by 1,000 Cuts


People normally assume that “risk” means the likelihood that something catastrophic is going to happen. In a manufacturing setting, it could mean that an error causes a major recall. From a safety perspective, it could mean that death or a major injury could happen to an employee or a client. From an IT perspective, it could mean that something causes a major network outage and takes down the organization. There is a fallacy that addressing risk merely means that you should try to prevent a disaster from occurring.

A smart risk reduction program looks at the breadth and depth of risks, large and small. The reality is that small risks, in aggregate, add up to major losses. This is the metaphorical death by 1,000 cuts, where a single cut is inconsequential, but with enough cuts, the loss of blood is deadly.

Risk can also include security concerns. The infamous WannaCry worm of 2017 was a worldwide ransomware attack that clearly demonstrated its ability to cripple enterprises. While ordinary malware does not usually have the devastating impact of WannaCry, in aggregate, all of the individual incidents combined add up to an impact that could potentially be as significant as, if not worse than, WannaCry.

The concept of total quality management (TQM), discussed in Chapter 12, addresses the fact that small losses throughout a process add up to major losses. For example, if you have a manufacturing process with 10 steps and a defect rate of around 1% at each step, the process as a whole has a defect rate of roughly 10%. That is significant.

It is the same with all disciplines involving security and risk. A single incident involving a small loss may not be recorded. In organizations with strong safety programs, every injury reported, from a small cut to death, is recorded and tracked. However, in most organizations, few incidents are recorded and tracked. As we talk about risk management and security programs deserving more attention and resources, a significant way to begin to improve results is to record and track as many incidents as possible.

