Wednesday, 26 May 2010

Note on Risk Management and the Cloud

Think of it as a quadrant of conscious and unconscious competence and incompetence.

- Unconscious incompetence

- Conscious incompetence

- Unconscious competence

- Conscious competence

We move from unawareness to awareness of problems, from unconscious incompetence to conscious competence. It makes me laugh that unconscious competence exists because you are doing the right thing but you don't know it (!). We can see a lion in a room and know it's a risk. If we are looking the other way it is still in the room, but we are unaware of it.

The assertion of some risk experts is that there is no such thing as an unmanageable risk - we just need to plan contingency for it. Arguably the oil leak in the Gulf could have been planned for and resolved, but the risk threshold and the nature of the risk changed over time. (Risk status is not static; it can change over time - another lion enters the room, which may either fight the first lion or leave you with two lions coming for you. One lowers the risk outcome, the other increases it.) It's about risk tradeoffs. If you have a gun to mitigate the lion then you have lowered the risk. A crash helmet is a risk-mitigating device, but if you travel too fast it can still fail to protect you and you can be killed, etc...

In risk management there are planned risks and unplanned risks, to which you can attribute risk factors and weightings. Unplanned risks can still be conscious events that were simply unplanned, or worse, unplanned events that you were not expecting at all (the oil rig issue).

In cloud computing there are known risks, but there can also be unknown risks, as it's a new technology and we simply don't have a priori knowledge of the risk or of the technology to know everything.

Just moving the risk to a 3rd party does not change the existence of the threat or risk - it's still there but it's someone else's problem - but we assume they can consciously plan for it. We have examples of cloud vendors not doing this - they fail and the knock-on effect is that their tenants are affected too - a classic example of risk devolved but not resolved - it's still there.

Hope this makes sense - it's all just risk management theory - Warwick Business School, which I have some associations with in the UK, has this covered very well, and as you can imagine it's a big topic, particularly with the recent finance industry failures - like Goldman Sachs - they had some serious issues of course in this area of perceived and managed risk - they arguably had institutional denial - the halo effect of assuming the best, etc.

I advocate that it's a matter of weighing up different risk scenarios - private or public or other - and getting one group of people to see that one is a lower-risk, better option than the other. Life is rarely that straightforward, but I think many technology adoption curves and transformation programmes are in effect moving people across different risk weightings - consciously or subconsciously, cooperatively or coercively...
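To make the weighing-up concrete, here is a toy risk register, written as an added example and not part of the original note. It assumes a simple likelihood-times-impact score, an arbitrary per-risk allowance (`unknown_loading`) standing in for the unknown risks of a new technology, and constructed sample values for a "private" and a "public" scenario; none of these figures are measured. It shows three of the points above in code: a mitigation ("the gun for the lion") lowers residual exposure, transferring a risk to a vendor changes the owner but not the exposure (devolved, not resolved), and a new event entering the register changes the ranking over time.

```python
"""Toy risk register for weighing deployment scenarios (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    name: str
    likelihood: float            # probability in [0, 1]
    impact: float                # loss if it happens, on an arbitrary 1..10 scale
    owner: str = "us"            # who is expected to plan contingency for it
    mitigations: List[float] = field(default_factory=list)  # fraction of likelihood each control removes
    conscious: bool = True       # False = we suspect a risk exists but cannot yet describe it

    def inherent(self) -> float:
        """Likelihood x impact before any mitigation."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Likelihood x impact after every mitigation has been applied."""
        remaining = self.likelihood
        for fraction in self.mitigations:
            remaining *= (1.0 - fraction)
        return remaining * self.impact


def mitigate(risk: Risk, fraction: float) -> Risk:
    """Return a copy with one more control applied (the gun for the lion)."""
    return Risk(risk.name, risk.likelihood, risk.impact, risk.owner,
                risk.mitigations + [fraction], risk.conscious)


def transfer(risk: Risk, new_owner: str) -> Risk:
    """Devolve the risk to a third party: ownership changes, exposure does not."""
    return Risk(risk.name, risk.likelihood, risk.impact, new_owner,
                list(risk.mitigations), risk.conscious)


def scenario_score(register: List[Risk], unknown_loading: float = 0.0) -> float:
    """Total residual exposure of a scenario.

    unknown_loading is an assumed extra allowance added once per unconscious
    risk, standing in for the part of a new technology we cannot yet describe.
    """
    total = 0.0
    for r in register:
        total += r.residual()
        if not r.conscious:
            total += unknown_loading
    return total


def rank_scenarios(scenarios: Dict[str, List[Risk]], unknown_loading: float = 0.0) -> List[str]:
    """Return scenario names ordered from lowest to highest total exposure."""
    return sorted(scenarios, key=lambda n: scenario_score(scenarios[n], unknown_loading))


# Constructed sample risks; the numbers are illustrative, not measured.
DATA_LOSS = Risk("data loss", likelihood=0.10, impact=9)
OUTAGE = Risk("multi-day outage", likelihood=0.20, impact=6)
NOVEL_PLATFORM = Risk("unforeseen platform failure", likelihood=0.05, impact=8, conscious=False)
NEW_LION = Risk("new data-residency rule", likelihood=0.30, impact=4)  # the second lion entering the room

PRIVATE = [mitigate(DATA_LOSS, 0.5), mitigate(OUTAGE, 0.25)]
PUBLIC = [transfer(DATA_LOSS, "vendor"),
          transfer(mitigate(OUTAGE, 0.5), "vendor"),
          NOVEL_PLATFORM]
SCENARIOS = {
    "private": PRIVATE,
    "public": PUBLIC,
    "public after new event": PUBLIC + [NEW_LION],
}


def example(unknown_loading: float = 0.5) -> Dict[str, float]:
    """Score every constructed scenario, rounded for display."""
    return {name: round(scenario_score(reg, unknown_loading), 3)
            for name, reg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, score in example().items():
        print(f"{name:24s} exposure = {score}")
    print("ranking:", rank_scenarios(SCENARIOS, unknown_loading=0.5))
```

The `transfer` function is the point of the example: a transferred risk scores exactly the same as before, only its `owner` field changes, which is what "devolved but not resolved" looks like in a register. Adding `NEW_LION` to the public register shows why a ranking has to be revisited as the risk picture changes rather than computed once.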

