Risk Assessments? Don’t be Frank! Part two

This is part two of our new miniseries, running for the rest of week. Every day you’ll be able to find out how the story unfolds and what Frank and Matt get up to next.  Read part one of the story here.

Written by Luke Milner, senior technical writer at IT Governance.


Matt cleared his throat pointedly. He’d been aiming for polite, but something in his throat had decided that a sort of fascist assertiveness was necessary. Maybe it was the psychological effect of having to wear three different visitor IDs, as well as what appeared to be a Geiger counter.

The figure in the corner jerked around on his chair with a wild and horrified expression. He looked like he’d shaved with a particularly amorous porcupine.

“I hope I’m in the right place,” Matt said, brandishing three of his IDs like a shield, “I’m here for the knowledge-sharing. Risk assessments and all that.” He held out his free hand. “I’m Matt.” There was a pause as the native before him eyed his IDs suspiciously. “Here for the knowledge-sharing. Matt,” he repeated. Then he repeated it again.

He felt an uncertain hand grip his – it wasn’t exactly a dead-fish handshake, perhaps more a Swiss-alpine-spider-crab-eyeing-up-the-Italian-border handshake. “Frank.”

Frank pulled out what looked like a fold-up office chair designed for a child and offered it to Matt. “We make these for a client. They’re not uncomfortable, but don’t try to spin on it and move it at the same time.” The look on Frank’s face told Matt all he needed to know. He’d seen the same look on one of the guys in health and safety. Matt sat down – carefully – and brought out his notepad.

“Shall we get started, then?”

*             *             *

Frank’s system for tracking and recording risk assessments wasn’t completely insane, Matt had to concede. It was mostly arcane and Byzantine, but there were lucid moments, just like in a fever-dream. Matt had to wonder if he was actually still at home; maybe last night’s chicken was bad and he was living through an unimaginable hallucination.

On the plus side, anyone could theoretically pick up Frank’s files and, assuming they know how to run a risk assessment, could probably figure out his system. On the other hand, it would actually require finding someone who a) knew how to run a risk assessment, b) knew how to use vlookup commands, c) knew how Wolfram & Sheinhardt handles its asset registers, and d) has that peculiar genius possessed only by the truly harassed, harried and desperate. As far as Matt could tell, that made Frank’s whole system a bit of a risk. Maybe not as severe as some of the other risks the company apparently faced,[1] but risky nonetheless.

In many ways, Frank’s system really was a work of genius. Wolfram & Sheinhardt manufactures parts for other industries – tiny, insanely detailed parts with tolerances of nanometres, the sort of things they might have made Japanese typewriters from in the 90s, when you were prone to losing them if you sneezed – which meant they were handling huge amounts of proprietary data, and some systems had to be isolated to meet contractual requirements.

To manage this, Frank was treating the whole information security management system as a set of nested, overlapping structures, all locking together like a web built by a multidimensional, super-intelligent meta-spider. On reflection, Matt had to admit that this might not actually be a strength.

And then there were the errors. Every sheet they looked at was a morass of multi-coloured fields and occasional code errors; Matt didn’t really understand art, but he was pretty certain that some of it looked like this – he was also pretty certain that a risk assessment shouldn’t.

“That’ll be a copy-paste error,” Frank muttered. “It’s just messed up the formulas. Happens all the time when people don’t know the system. Should be a quick fix –” several of the fields turned a lurid blue, and Matt thought he saw at least one cell wink at him seductively. Frank slammed a few more keys hard enough to dislodge the A and send it flying into his coffee, but the spreadsheet at least stopped assaulting his eyeballs with military-grade wavelengths.

“How do you know all that’s correct?” Matt asked in what he hoped was an innocent tone that didn’t betray his abject horror. “You’ve changed the inputs.” He really wanted to scream “Where’s the audit trail?” but Frank didn’t seem to be in the right psychological space to deal with such a metaphysical problem. Plus, the stapler next to Frank’s keyboard looked heavy and seemed to have dried bits of office assistant attached to it.

Frank stared at him blankly, like a guppy puzzled by the sudden appearance of a sweet potato burrito in its tank. Several long moments of silence later, a pained expression flickered over his face. It was almost like watching a serial killer struggle with basic questions of morality, or a programmer hunting for an unclosed bracket. In either case, Matt changed the topic quickly. Perhaps foolishly, too, but it was certainly one of the swifter topic-shifts he’d ever engaged in.

“So, how about consistency?”

It worked; Frank was distracted like a tiger spotting a laser dot. It occurred to Matt too late that the dot might have been on his own forehead, but it had seemed like a good idea at the time.

Frank stuttered his way through his insistence that anyone doing the assessments had to follow his explicit instructions on the scales they used, and that his spreadsheets had appropriate formulas to make the calculations correctly. This, of course, relied on the other assessors and various asset and risk owners following those instructions – to the letter, no less[1] – which people were notably hesitant to do.

As a back-up system, Frank insisted on checking, cross-checking and rechecking everything that came in, which, once again, made him effectively irreplaceable. Matt liked Frank – despite his quirks – and could see that he was good at his job, but, as he tried to explain, redundancy in the system wouldn’t actually mean redundancy for Frank.

Finally, Matt was overwhelmed by the work that must have to go into every assessment. It was boggling: all those sheets that needed to be updated and checked, confirming all of the results, making sure the formulas were correct… And then there was the documentation: Frank spent days just putting together the Statement of Applicability, drawing together all of the spreadsheets to figure out which controls were or weren’t being used, referring to reports that might as well have been written in Elvish by a deranged witch doctor; and the actual procedures to cover the controls were written by whoever didn’t shout loudly enough that they were busy, incompetent or both, so they were inconsistent, bizarrely formatted and almost impossible to find. Frank did not enjoy external audits.

Find out how vsRisk can help you conduct risk assessments without the pain that spread sheets deliver. View more information now.


[1] “You have ‘Biblical Apocalypse’ listed as a risk?”

“We have a contractual obligation for that. As you can see,” Frank opened a spreadsheet apparently at random, “the impact rating translates to ‘It doesn’t matter anymore’, and the likelihood as ‘It depends who you ask’. No one’s complained yet.”

[2] Frank later explained that a misreading of one of his instructional documents had once resulted in a mobile phone being declared the new CTO. The resulting internal power struggle briefly turned Wolfram & Sheinhardt into a monarchy under King Nokia III before sensibility reasserted itself and everyone looked at their feet and pretended they’d been out of the office for lunch and had nothing to do with it.

No Responses

Leave a Reply

Your email address will not be published. Required fields are marked *