Why don’t organizations have a CREAMO?
That is, a Chief Risk Evaluation And Mitigation Officer.
A bad handle on risk seems to be pervasive even in good organizations, both for- and non-profit. The unfolding FTX debacle shows that even Rationality-inspired orgs suck at risk assessment as much as any other place. If you go through the list of failed, ailing and failing startups in the ratosphere, they don’t seem to do any better than your average ones, in terms of evaluating risk and acting on it. One can imagine that they would be good at handling known unknowns, and it’s the black swans that would be a real danger. And yet, orgs get blindsided by entirely predictable events (why did FTX or its donors learn nothing from the Mt. Gox fiasco?). I can see some reasons where accurate risk evaluation is not in the interests of top-level human mesa-optimizers within an organization, because the compensation incentives are so misaligned. I can also see how everyone would hate that person. Or maybe this role is distributed between other executive officers? Certainly some rudimentary risk evaluation is done at every level, from the board down, but it doesn’t seem to be the main focus of anyone. Or maybe I am missing something here and this role is not useful in general.
I don’t think what we know about what happened at FTX means that Sam Bankman-Fried did not have this outcome as a significant probability in his models. In his stated decision theory taking huge risks and betting everything is very much fine.
Just because an event happens that causes a firm to fail doesn’t mean that the firm did a mistake in its risk assessment. Startups are started with the expectation that the most likely outcome isn’t a success.
I mostly mean people who gave FTX money to “invest”, not the Madoffs of the world.
People and organizations seem to me to be two different things. Do you think there are many organizations that went bankrupt as a ripple effect of depending on FTX?
If so do you have links?
Finance, investment, and insurance firms may well have a Chief Risk Officer (or a Chief “Risk Management” or “Risk and Compliance” Officer)
Not universal, but definitely not unknown.
Yeah, good point.
I’m CISO at a fintech, and my approach to risk and security in a growing organization is to start small but set up structures that can grow. Call it a walking skeleton, that has the rough structure of the future thing but is small and simple to build/set up and run. It can then grow as you go. It is difficult to add in security and risk controls when you are large. Establish a culture of risk awareness and encourage people to think about risks and report them.
That’s just infotech though? Essential, but only one small part of the whole. And bottom up, not organically a part of the whole. I work at a small company with lax security practices and very little support for better ones from the top, and I can see how security is always an afterthought when you are growing up, and later it is already too late to do it right.
No. The principle applies to the structure of the organization and it’s culture in the same way as to it’s software. Walking skeleton comes from software engineering, yes, that’s where I picked it up. But I intended it as a more general metaphor. In the same way that it is difficult to add security into a software that never had it, so is it difficult to add a security mindset to a workforce that never had it. The relevant touch points are missing everywhere. HR doesn’t know what to look for, it’s not an interview topic with sufficient depth, nobody asks you to assign a strong password, pen tests are done superficially because no one knows all the endpoints to test etc. You have start talking about this from the start and grow all of them as you go.