#3 – UNCERTAINTY & RISK-BASED DECISION MAKING, JOHN PROHODSKY

Uncertainty and risk are often used interchangeably; however, they are different.

Is understanding the difference between risk and uncertainty really that important? Yes, especially when developing a management or project plan. Risk is a known or anticipated event with an unknown outcome. Uncertainty is an event that may not be anticipated. A good plan includes mitigations for anticipated risks.

#3 – RISK CONTEXT IS EVERYTHING – CAROLYN TURBYFILL – TECHNOLOGY@RISK

Sometimes we get so lost in auditing jargon, technology buzzwords, heat maps and risk assessments that we forget common sense.  We also forget how quickly the future overtakes our state-of-the-art present.

The risk with respect to a resource or event can vary by location, year, day of the week, week of the year, time of day, acts of war or nature, or even possibly by the ripples made by a drop of water (possibly the drop that causes a catastrophic overflow). Perhaps your tsunami wall was high enough, except for the fact that the tectonic plate your island is sitting on dropped a foot in an earthquake. A single failure can cascade into tragic disasters.

Today – you could have the latest, most secure, perfectly configured infrastructure for your business needs.  Tomorrow – you could be forced to connect your beautiful infrastructure to an unstable and insecure network (like the Internet) due to business requirements, a merger or acquisition, or ill-informed management executing a misguided vision.  Possibly you will be privileged to have visionary well-informed management with a funded vision and a realistic timeline.  Nonetheless, your equipment or some critical configuration will be rendered out of date by a patch, update, new business requirement or new technology.  How many companies are scrambling to offer their service on a mobile phone or update their infrastructure to securely support mobile phones?

One example of time-based context would be IT restrictions on a company network at quarter close. Logins may be disabled for most staff after hours. Web access may be restricted. Phone calls may be monitored for leaks of quarterly results. The network and equipment are the same, but the operating and business context change IT priorities. The year 2000 was another instance of time-based context, where the world scrambled to update applications the original developers assumed would be rewritten or made obsolete years before the new millennium.

The most critical infrastructure (e.g. SCADA systems) may be most in need of updating and, ironically, may be too critical to update. There are applications on Wall Street that can’t be rewritten or ported because no one is quite sure exactly how they work. The business rules are contained in code and in institutional knowledge that departed with one or more key employees years ago.

Of course, I am writing this article with 20-20 hindsight with respect to beliefs about context that have been invalidated by unexpected or unlikely circumstances.  In reality, I have spent plenty of time with “umption” along with the donkey in “assumption”.