Authors: Dan Caprio, Jonathon Litchman
In January 2017, the National Institute of Standards and Technology published its Privacy Risk Management Framework, helping to further focus attention on applying risk management principles to issues of privacy. Similarly, the International Standards Organization had previously published a privacy framework addressing many of the privacy elements necessary in understanding and applying a risk-based approach to privacy risk, notably its comprehensive treatment of the many facets of personally identifiable information.
While both documents are necessary to better manage the intersection of privacy and security from a compliance and engineering perspective, more guidance is still needed to help organizations understand how to manage future or unanticipated privacy risks.
Privacy professionals must take a strategic view of privacy risk by challenging the assumptions that have been made about the type of risk they are trying to manage and the thinking that went into conceptualizing the manifestation and likelihood of the risk.
What type of risk am I managing?
Harvard Business School professors Robert Kaplan and Anette Mikes observe that, despite how much discussion there is about the importance of risk management, it is frequently treated as solely a compliance issue. They present a three-tiered risk framework that identifies and distinguishes the types of risks organizations face and shows that each type of risk requires its own approach to management.
The first category of risk is preventable risks. It is this type of risk that is well known and best addressed by rules-based compliance approaches. These types of internal and controllable risks are well served by the systems engineering approach espoused by NIST, MITRE, and ISO and the well understood compliance approaches used by many organizations.
The second category of risk is strategy risk. Strategy risks arise from business decisions designed to benefit the organization by deliberately assuming risk, which changes the nature of the risk activity from prevention to actively managing the risks that have been assumed. But not all risks will be obvious at first, and the risk-management program will need to carefully monitor risks and adjust quickly as new or unforeseen risks become apparent.
The last category of risk is external risk; risk that is outside and beyond the control of the organization and, therefore, cannot be treated the same way as a controllable risk. Indeed, an external risk may not be preventable, so the focus of risk management must then turn to early risk identification and impact mitigation.
Underlying the risk management approach for both strategy risks and external risks is the need for engagement of the most senior business leaders and the board. Privacy risk, with its intimate relationship to cybersecurity risk, must be treated as an enterprise risk, requiring the active participation of senior executives from across the business.
How am I thinking about privacy risk?
A critical part of risk management, one that is often too casually approached as the first step in the process, is risk framing. Risk framing is the process of understanding and conceptualizing an organization’s risk so that business leaders can make risk-informed decisions. It requires that the full range of risk assumptions leading to the development of a risk strategy be identified, including threats, vulnerabilities, the likelihood of a risk being realized, and potential constraints, uncertainty, and risk tolerance.
But, to be effective in anticipating and managing risk, the risk framing process must be rigorous, and all assumptions about risk must be challenged. This is essential for organizations to avoid surprises that should have been anticipated, and therefore mitigated, but weren’t because of either inattention or cognitive barriers that prevent leaders from anticipating future risk.
The European General Data Protection Regulation, scheduled to take effect in the spring of 2018, is an excellent example of the confusion between managing privacy compliance risk and privacy risk management. The GDPR is often described as a risk-based approach to data protection, but it is more of a roadmap for risk-based compliance leveraging the language of risk management. This is a distinction with a difference, especially when it comes to thinking about future privacy risks and steps needed to mitigate these potential risks.
For example, recent European enforcement action by privacy regulators from the Netherlands, Belgium, France, Spain, and Germany against Facebook and its acquisition of WhatsApp highlights the need for customers to agree with new data-sharing terms. This collective regulatory action was foreseeable and could have been mitigated had Facebook employed a strategic risk management approach and included senior business executives to anticipate risks as a function of their strategic planning process.
Thinking about the future and anticipating future risk is about more than making specific predictions about the future. It involves using analytical tools, such as war-gaming, scenario analysis, counterfactual narratives, and probability modeling, to understand the range of potential risks. Only when the risk landscape is rigorously understood can senior executives make the appropriate risk-based decisions about their business.
Privacy professionals must engage senior executives to think beyond compliance risk when it comes to privacy in order to avoid the “black swan” events that could have devastating consequences for their organizations. As Nassim Taleb has cautioned, “remember for an event to be a Black Swan, it does not have to be rare, or just wild; it has to be unexpected, has to lie outside our tunnel of possibilities.”