
Wednesday, 24 September 2008

Getting predictable outcomes

COSO, the Committee of Sponsoring Organizations of the Treadway Commission, was formed in 1985 by the leading US accounting organizations to help address the problems of fraudulent financial reporting. Since then, COSO has written a number of reports that give guidance on many aspects of dealing with accounting issues, which includes elements of risk management. One of the more recent reports was the Enterprise Risk Management - Integrated Framework. The full report costs $75, but you can get the executive summary for free.

There are lots of interesting ideas in the Enterprise Risk Management - Integrated Framework. One of them concerns the big picture - why businesses should be interested in risk management and incorporate it into their strategic planning at the highest levels. One such idea is that one of the important goals of risk management is ensuring predictability of outcomes. From this point of view, revenue of $200 million that's predictable is better than revenue that will average $200 million but could be anywhere in the range of $150 million to $250 million. So predictable outcomes should be preferred, even if they may be less desirable than some unpredictable outcomes.

This is essentially what insurance does. You pay slightly more for insurance than the average losses that you'd expect to incur without the insurance. The slight difference covers the operating costs of the insurance company. But by doing this, you gain predictability. Your loss will be no more than the cost of your insurance premiums plus whatever deductible you might have to pay.

Information security also provides a desirable level of predictability. Consider the case of laptop computers. About 1 in 10 laptops gets lost or stolen each year. Most of the lost laptops don't cause any problems. After all, most people really don't want the data on someone else's laptop.

Suppose that Alice is the VP of Marketing for an airline manufacturer and Bob is a sales manager for a plastic tubing company. Alice's laptop might contain marketing plans for her company, a few romantic comedies to watch on long flights and some classical music that she likes to listen to. Bob's laptop might contain the plans for his company's new line of narrow-threaded pipes that they plan to launch next quarter, a few action movies to watch on long flights and some rap music that he likes to listen to. Both Alice and Bob think that the information on their laptops is very valuable, but it's actually of no value at all to the other one. Alice doesn't care about what new types of pipe Bob will be selling next quarter, and has absolutely no interest in the movies and music on his laptop. Bob has a similar level of disinterest in everything on Alice's laptop.

This situation is probably typical, so that if a laptop is lost, the chances are that the person who ends up with it doesn't really want the data on the laptop, even if its original owner thought that it was worth millions of dollars. The serious trouble is caused by those rare cases where a lost laptop ends up in the hands of someone who does have an interest in the data on it. It doesn't happen often, but when it does, it can cause a major headache.

Encrypting the hard drive of laptops is good protection against these rare events. When they happen, the damage that they cause is greatly reduced. If you lose an encrypted laptop, the loss is limited to the value of the laptop and you're not gambling on who will end up with the data on the laptop. You'll have spent a little more, the cost of buying and supporting the encryption software, but you'll have gained a very predictable outcome by doing this. According to the COSO report, that's a goal that all businesses should have.
