To err is human. Does that mean risk management is necessary because of human error? A blog from Risk Analysis tries to answer this question after being prompted by other articles about security management. Security failures are often the product of people being too trusting or careless, or of security personnel underestimating the ability of criminals to crack systems. When it comes to risk management, the blog author agrees it still might be a people problem, but with a caveat.
He believes that individual issues that surface as risk are at the whim of individuals, but because it takes many people to maintain a stable working environment, risk becomes an organizational management problem. Three reasons are offered in support. First, an organization's risk tolerance is set by the board and senior management. Second, that tolerance is imposed through policy, and policy, as organizational communication, treats workers as an undifferentiated group who are all held accountable in the same ways. As for the third reason, it is stated:
The effectiveness of matching “security” to risk tolerance is a function of the security department, audit, external stakeholders like consultants or government actors, and senior management (in their willingness to allocate resources to an operational expense vs. some other “bucket”). Again, groups (or organizations) of people working under the same premise.
Breakdowns occur in the absence of controls rather than in the absence of technology. Senior management need to recognize that problems will persist as long as general edicts are passed down to apply to large swaths of people. Individuals must be held accountable in practical and specific ways if effective risk management is to be realized.