Justin Case and Risk Management?

Have any of you come across this ubiquitous fellow “Justin Case”? He seems to raise his ugly head every time someone suggests trying something new. “Oh, we can’t change that process, Just-in Case the regulator gives us a poor grading!”, I’ve heard people say. Or, “We have to have separate quality checks, Just-in Case there’s a health & safety problem!”. Or, “We can’t ask staff to stop doing that as we had a real problem once where somebody almost got injured so the Unions won’t allow us to stop”.

The real issue is 2 fold;

1. People engage their biases (see Daniel Kahneman, Thinking Fast & Slow) as soon as they’re challenged. Kahneman (in his book) talks primarily about System 1 and System 2. System 1 involves the emotional side of our personality as opposed to System 2 – our logical or rational side. The emotional side is not bad, most of the time it’s actually doing its job (to keep the host alive!). By design the brain rapidly develops potentially harmful situations to avoid!
2. Very few people are educated (if at all) on how to properly assess or, dare I say it, calculate RISK!

These two factors are a real road-block to improving or transforming an organisation, creating reasons for not doing anything.

The picture above sums up pretty well how to properly visualise risk in a simple format most people could understand in their heads! Referring back to Kahneman, this is engaging system 2!

We have even witnessed a company turning down a contract through not hosting desensitised police data  on a server, Just-in Case, staff could be held at gunpoint in their car park and threatened by criminals wanting access to this data! In 2018 IBM reported the average cost per loss of stolen data to be $3.8M of which 48% was through a malicious or criminal attack ($1.57M) and 9% was in the UK ($141,300). None of these thefts was reported within the Criminal Justice arena. Also the majority of these thefts would presumably have happened through online hacking (further reducing the probability that you are not safe in the carpark!). Further, on checking all sources I knew or read about who were involved in police data (including highly sensitive data), no-one had come across any criminals threatening staff in order to gain access to data! So the chances are as close to 0 as you can get. But, being safety biased (something else from Kahneman), let’s borrow a well-known probability which is well-known in the airline industry. The probability of dying in an airplane crash is 0.00002%. Using this number we can actually calculate the maximum risk to the organisation;

Risk         = Probability x Loss

                < 0.00002% x $141,300

                < $0.028

So even if this was calculated on an hourly or daily basis this contract would probably have been worth it! But I bet that company flies people around the world without giving it a thought!

Seems to me, the picture above says it quite clearly – you have to look at the probability as well as the impact (or loss) – and rather than engaging the high-cost Just-in Case, just engage proper risk management!