Zero Trust Imperatives for Risk Management

Importance of Risk in Business

Gone are the days when ‘Risk Aversion’ was considered unbefitting for business. ‘Taking Risks’ is no longer an indispensable leadership trait. Risk Management has become a very interesting as well as an essential subject of study.

Risk is now a subject of study in many management standards as well as frameworks. There is a plethora of frameworks for Risk Management. There are even specialized professional qualification schemes in Risk Management.

Information Security and Risk

Risk Management is an essential component of an Information Security Management System. Information Security is not complete without implementing effective operational Risk Management. Requirements for Risk Management principles as a process have been sufficiently covered in the ISO/IEC 27001:2013 standard as Mandatory Requirements 6.1, 8.2 & 8.3.

ISO has included Risk Management in the Quality Management Standards as well, starting from the 2015 version. Risk-based thinking was introduced with the ISO 9001:2015 standard. ISO 9001 had implicitly addressed the issue through “preventative actions” in previous revisions. ISO has now made the importance of risk-based decision making explicit in 9001:2015, replacing the preventative actions clause with Clause 6.1 “actions to address risks and opportunities” in the new version. Risk has to be considered in some other clauses of ISO 9001 as well, such as 4.4, 5.1, 5.1.2, 9.1.3 & 10.2.

Risk plays an important part in many other ISO standards as well. ISO has defined a dedicated series of standards for Risk Management, ISO 31000.

The ISO 31000 standard provides an organizational-level risk management approach. ISO 31000 deals with the crucial risk management concepts like:

  • Avoiding activities associated with a given risk

  • When to accept, or not accept, a risk when taking advantage of a key opportunity

  • Acceptable ways to remove a risk source

Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

Apart from ISO 31000, many other recognized standards are available to address Risk Management efficiently in an organization. Some of these are COSO Framework (Committee of Sponsoring Organizations of the Treadway Commission), TARA Framework, etc.

Risk Assessment is an essential requirement for compliance to HIPAA (Health Insurance Portability and Accountability Act of 1996 - USA) and GDPR (General Data Protection Regulation).

Risk Management is now an interesting and sought-after profession, having developed over the last decade as Risk Management became an essential requirement for every business. Risk Management as a profession matured in the last 30 years, but references to Risk Management are plentiful in Indian Classical Literature dating back 2000 to 3000 years.

Risk Management in Classical Indian Literature

Risk Management is not a modern concept developed over the last 30 years only. All the concepts of Risk Management as enshrined in Risk Frameworks are covered sufficiently in great Indian Literature. Let me explain using Thirukkural, written by Thiruvalluvar in the classical language Tamil (rather, Tamizh), as an example.

Thiruvalluvar, also known as theivapulavar (a poet with divine capabilities), was a celebrated Tamil poet and philosopher. He is best known for authoring Thirukkuṛaḷ, a collection of couplets in classical Tamil. Thirukkural is a collection of 1,330 poems compiled as 133 adhikarams (subjects) of 10 poems each. These are broadly categorized into three chapters, viz. Arathupal (based on dharma), Porutpal (based on worldly affairs) and Kamathupal (based on love and affection). The beauty of Thirukkural is that powerful and insightful messages get conveyed using just 7 words: each couplet, i.e. kural, is only 7 words long and carries a powerful message within them.

Let us look at a couple of kurals covering the various processes involved in Risk Management. Risk Management comes under Porutpal (Worldly Affairs).

Importance Of Risk Assessment In Thirukkural

தெளிவி லதனைத் தொடங்கார் இளிவென்னும்

ஏதப்பாடு அஞ்சு பவர். (Thirukkural 464)

Meaning - Those who fear reproach will not commence any work which has not been thoroughly assessed and made clear.

Though the term Risk is not explicitly mentioned in the above kural, the reference to ‘clarity about an initiative’ includes understanding its risks as well. An initiative is unequivocally unclear if the associated risks have not been analyzed. Essentially, do not start any work until and unless the associated risks are understood.

An important point to note: Thiruvalluvar advised us to understand the risks before starting a work, not to avoid risky work. This verse cannot be taken to mean that Thiruvalluvar endorsed risk aversion.

Project Feasibility Assessment In Thirukkural

முடிவும் இடையூறும் முற்றியாங்கு எய்தும்

படுபயனும் பார்த்துச் செயல் (Thirukkural 676)

Meaning of the above verse - Analyse & manage the hindrances, the exertion required, the business goals and the benefits when performing a task.

Here ‘hindrance’ can be taken as the equivalent of Risk referred to by Thiruvalluvar. Thiruvalluvar gave the wisdom in this kural that any venture should result in eventual business benefits, but that these come with certain possible risks and with the efforts required to achieve the benefits. It is absolute imprudence to take business decisions based on projected benefits only. Project Appraisal should be based on the projected benefits, the possible risks in achieving the benefits, and the resources required to achieve the benefits, including Time, Efforts, People, etc.

Essentially, the concept of Project Feasibility Assessment is covered beautifully in 7 words.

Risk Mitigation In Thirukkural

ஊறொரால் உற்றபின் ஒல்காமை இவ்விரண்டின்

ஆறென்பர் ஆய்ந்தவர் கோள் (Thirukkural 662)

Meaning - Removing troubles proactively before they occur, and not getting disenchanted if they do occur, are the principles of those who have learned the subject.

Here the phrase ‘Those who learned the subject’ could be taken as a reference to ‘Risk Management Experts’, ‘troubles’ refers to Risks, and ‘Removing troubles proactively’ refers to ‘Completing Risk Mitigation’.

The Author

T. Jaganathan is the author of the book ‘MANAGEMENT IMMEMORIAL – Learnings from Literature’ which received wide acclaim. He is a Story Teller, Entrepreneur & Mentor for many professionals and organizations.