Risk assessments? Don’t be Frank! (The final part of our miniseries)

This is the final part of our new miniseries. Read part one of the story here and read part two here.

Written by Luke Milner, senior technical writer at IT Governance.


The next week, Frank arrived at Vann Harl Inc., and he didn’t trust it from the start. The grounds outside had been landscaped. The security staff at the door already had a record that he was coming. He only needed one visitor ID badge. People smiled at him in the elevator. Frank was sure that the company must be a cover for an international crime syndicate, maybe one that was building a laser on the moon or a base in an undersea volcano.

Matt’s corner of the office had a few pot plants that actually seemed to be both real and alive. In Frank’s office only the spiders managed to eke out survival, and occasionally some of the staff.

Matt was waiting with a coffee and a chair – it didn’t look terribly comfortable, but it also didn’t look like it would fail catastrophically.

“What do you guys actually do here?” he asked. He was surprised when Matt brought out what seemed to be a film script – right down to the empty space and the typewriter font – and read out a perfectly banal and sterile marketing blurb that talked about “synergies” and “cross-operational derivatives” and “blue-sky talking”. Frank still wasn’t sure what Vann Harl did, but he suspected it was something to do with tacos.

“So,” Matt concluded, “shall we start?”

*             *             *

Frank was shaken. The risk assessment tool Matt used had to be the result of some unholy pact, or science gone too far – the software was a testament to man’s arrogance! Having said that, the saucy minx was definitely seductive, with its fancy user interface and automated outputs. As much as he didn’t want to admit it, Frank could see a number of advantages to the system.

Firstly, it was simple: just from watching Matt use the software, vsRisk, for a few hours, Frank was confident that he could poke around for half an hour and be ready to apply it to his own risk assessments. Hell, even Ian could probably figure it out, and Ian often claimed that his family was descended from carrots.

It also operated from a centralised database, so Matt didn’t have to worry about people making copies of files, changing them, then merging them back in.[1] This, of course, meant that dozens of people could theoretically be working on the risk assessment simultaneously. While the idea appealed to Frank – he hadn’t seen anything approaching that level of efficiency in years – it bothered him that so many people could have access to the system without a funnel to catch errors.

“That’s not really a problem,” Matt explained. “They can’t change any of the scales – I’ve set those and only I can modify them – and the tool basically walks them through the process. It only takes a few minutes to show them how to use it.”

“But how do they describe the risks?” Frank was nearly hysterical at the thought. “You get two people looking at the same risk and they’ll never write it down the same way. With your system, there’s no easy way to check whether they’re describing the same thing. Different risk owners will end up doing the same things. Horribly wasteful.”

Matt smiled and started typing in a risk. vsRisk seemed to know what he was thinking. It was offering up standardised risks like a psychic as he typed. It was uncanny. This sort of voodoo belonged in a Victorian horror story that used words like “surprize” and “quob”.[2]

Just when Frank thought he’d faint (or perhaps swoon) from all the excitement, Matt grinned broadly and said, “Check this out.” He clicked a button and suddenly had the option to build his own risks from a combination of a threat and a vulnerability, and the diabolical software composed it for him. Even the controls were already in the database – and not just the ISO 27001 controls. There were controls from a whole host of different frameworks. You could just scroll through a whole list until you found the one you wanted, or let the machine find it for you based on key words.

What infernal intellect had possessed the computer? Frank had a mind to add “vsRisk will make me redundant” as a risk, but he suspected the relationship Matt had with the software was more symbiotic than parasitic.

It turned out that Matt didn’t even have to build arcane file structures to track different risk assessments – the software could manage multiple ISMSs simultaneously, like some sort of multi-tasking ninja with tiny clipboard-shurikens.

And then there were the reports. Frank had assumed that writing the reports would be a nightmare because Matt wouldn’t be as familiar with the content – after all, half of the risk assessment was being done by other people and he didn’t have to check or double-check the data (or, in Frank’s case, quadruple-check, eventually discard it and do it again himself). When he mentioned this, Matt looked at him like he was mad.[3]

“It’s all done for you – right here.” It was a vision of beauty to Frank: a whole list of reports that the software would automatically generate, just waiting for review and approval. As Matt explained, you could even use the reports to validate the results; if you spot anything that looks off, you know where to look in the assessment itself.

“Well, you do that with spreadsheets, too,” Frank attempted to argue, but his heart wasn’t really in it.

It was exhausting. In almost every measure, vsRisk was proving superior to the spreadsheet system he’d built up over the years. It had been a labour of love, if love could be measured by swearing, heart palpitations and sacrifices to the gods. Still, Frank told himself, at least it was over. He could return to his office in the morning, drink stale coffee, and dream of having the time to put in a proposal to get vsRisk.[4]

Matt wasn’t done, though. Like a TV salesman pitching a new kitchen implement that no one knew they needed, he launched into explaining that the software came with a toolkit that provided all of the documents he’d need. Not just the reports, but policies, procedures, work instructions and records. This was too much for Frank – it had to be a scam.

His head began to swim and his throat dried up. It was probably a figment of his hypochondriac imagination, but he was sure his left arm was starting to throb. Was he having a heart attack? Maybe it was an allergic reaction to the clean air in Matt’s office. It was probably psychosomatic, he told himself. Merely an unrationalised response to stimulus he had no way of predicting. That had to be it. He sat down heavily as his vision narrowed. No, he thought, this is actually the end. I’m going to die because of a risk assessment. And that was the thought that brought him out of it. The more he contemplated vsRisk, the more he could see the sense in the system. This must be what religious epiphany feels like, he thought, I am become Frank, destroyer of risk! Or something like that.

Matt called an ambulance. He was pleased to hear the next day that Frank had simply suffered a minor existential crisis. The local medical centre had an excellent existential care unit.

It was a few weeks later that Matt got a notification from a professional network – Frank, it seemed, had moved on. In his profile picture he was clean-shaven, wearing a pressed suit and without the glazed look of a flattened hedgehog. He’d left Wolfram & Sheinhardt and was now working for a company that made even smaller, more detailed and intricate pieces of metal, which were even more likely to get lost and were worth an order of magnitude more. The company’s website said it was interested in “lateral by-thinking resolutions” and “off-piste haberdashery”, so he was sure that Frank was in good hands. And right there, under “Skills” at the bottom of his profile, alongside “Information security”, “Risk assessment and management”, “Crochet” and “Veterinary surgery (turtles)” Frank had listed vsRisk.

Find out how vsRisk can help you conduct risk assessments without the pain that spreadsheets deliver. View more information now.


[1] Frank often had to deal with this. It was frustrating enough when someone inadvertently overwrote valid data, but the worst was when he discovered that someone had overwritten the file with a set of links to YouTube videos of poorly re-enacted scenes from the Brady Bunch that had been dubbed over in Arabic.

[2] Frank was aware that his distaste for English lessons had left him with a barely tenuous understanding of Victorian gothic novels. He did like the word “quob”, though.

[3] In Matt’s defence, Frank was looking slightly unhinged by this point.

[4] This was possibly the most elaborate fantasy of all. Wolfram & Sheinhardt had a record of avoiding anything that made its employees’ lives easier. Just last year, the company had moved its carpark to the top of an adjacent building, which was only accessible via military helicopter.
