We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.


An Ounce of Prevention is Worth...

Originally published April 17, 2008

Let’s consider one aspect of any decision-making process: the assessment of risk versus reward, and at what point we are willing to dispense with worrying about the risk in search of a greater reward. From another standpoint, we can ask that question in a slightly different way: to what extent should one “over-engineer” a process in deference to ignoring the risk of low probability events having material impact on the result, requiring significant effort to remediate?

This seems like a relatively academic question, yet people are faced with this numerous times each day, from mostly benign situations (“Do I have enough time to use the restroom before the next meeting or will I miss something important?”) to the more impactful (“If I am driving 75 miles per hour, will I get a ticket?”) to downright critical (“Should the bank buy more subprime mortgage-backed securities or shut down a hedge fund and take a $4 billion write-off?” or “Should we make every airline passenger passing through security take off their shoes?”). In each of these cases, the question revolves around risk and reward; and, ultimately, this question is relevant depending on conceptual variables associated with risk. Four examples are risk tolerance, risk prevention, risk mitigation and risk deferral.

Risk tolerance can be summed up as the degree to which you are willing to ignore a set of risks in order to achieve the reward. Risk prevention is characterized by the effort expended in reducing the probability that one or more specific risky events will materialize. Risk mitigation is the commitment to properly address the impacts should a risky event occur. Risk deferral is the presumption that some event may take place and that its impacts can be addressed in the future if it ever does happen.

Consider the example of a skydiver, who (by virtue of his or her willingness to jump out of a plane) has a high tolerance for risk. However, it is unlikely that the skydiver will jump out of a plane without wearing a parachute with a number of fail-safe devices intended to ensure a safe landing. Skydiving facilities probably have risk mitigation policies in place, such as ambulances available to take skydivers to the hospital when their parachutes don’t open. Even so, every once in a while, there is some calamity involving skydivers, but this does not seem to prevent avid enthusiasts from engaging in their risky hobby.

These same variables come into play in almost all decision situations, even ones that have long-term effects. For example, scientists have determined that there are byproducts of the manufacturing processes that lead to health problems, such as carcinogenic materials that can lead to the development of malignancies in certain populations. On the other hand, is money invested in modifying the manufacturing processes to eliminate the production of carcinogens or in the race to develop a cure for cancer? The former is an example of investment in risk prevention; the latter is in risk deferral and mitigation.

Understanding the relevance of risk variables within the way that an information technology (IT) group supports business activities can be useful when assessing business needs for IT practices. Frequently, I am asked about how to assemble a business case that can be used to convince business managers of funding projects to institute good data management practices, such as data quality management, metadata management, or master data management (MDM). Often, there are very good justifications for doing so, such as instituting MDM to support a customer knowledge program as dictated by the need for regulatory compliance. Often, there are alternate business initiatives in flight that require data standards or a strong metadata program. Absent these situations, one may be able to use risk as a lever to establish a business justification, although this must be done in the context of the assessment of the organization’s (or perhaps business client’s) own risk variables.

Let’s explore data quality management in this context. In our consulting practice, we have recommended instituting a data quality management program as a way to control the impacts associated with data flaws and process failures. The objective of the approach is to determine the most egregious impacts that could be associated with data errors, develop monitors for identifying those errors early in the processing streams, and proactively preventing those errors from having the consequences by flagging flawed data as soon as it is identified. This program is appealing to those with a low tolerance for risk and a desire for risk prevention.

However, in some environments, there is a perception that there is a low probability of data errors occurring and having a material impact, or even occurring at all. In this situation, there may be a high level for risk and a willingness to defer worrying about it until an event actually occurs. These environments are not likely to invest in prevention but, in turn, are likely to be willing to supplement the costs of mitigation with “SWAT teams” (set up when issues need addressing) that can diagnose and fix a problem and clean up its aftereffects. In these cases, it would be difficult to justify a data quality control program until the cumulative effects of data quality issues are enough to modify the business clients’ level of risk tolerance.

There are many potential applications of assessment of variables associated with risk, with justifying programs being just one. In upcoming months, we will look at other aspects of risk and reward as we continuously evolve the way we can apply perception of risk to investment in technology.

Recent articles by David Loshin

 

Comments

Want to post a comment? Login or become a member today!

Be the first to comment!