As I continue my Riskicist’s Guide to the Universe, my first theory regarding the future of risk management deals with change.
In very simple terms, the change of Risk in the past can be thought of as growing on a mainly linear scale as a function of the organizational size or complexity. In other words, a straight line. But there is more to it. Your company has market dynamics within your industry that force change. As your competitive pressures increase and your market changes, it affects your risk. The rate of risk change is therefore a function of your market, or F(x) = Y * x where Y is a measurement of your market volatility. If your market is changing rapidly, the coefficient is > 1. The line is steeper, the rate of risk is higher. If the market pressures are relatively slow, then the rate of change is between 0 and 1. The line isn’t as steep – or risk is not expanding as fast. Don’t begin thinking these are actual mathematical models – this is a conceptual depiction – but the logic applies.
Prior to the digital revolution, this might have been an adequate way to graph a simple rate of change of risk. However, risk in the digital world doesn’t grow in this linear fashion. It grows at an exponential rate.
This leads to my first theory:
The GROWTH OF RISK will follow an exponential curve based on the rate of change of your market taken to the power of your digital transformation.
In this conceptual model, Y is your market changes, Z is the rate of adoption of technology within your organization. The market pressures have been a constant force affecting industries. It is the Digital Transformation that can be a massive shift. As your business goes digital, it can represent an explosion of elements in your risk management framework. More systems, more data, more threats, more EVERYTHING. It is this exponential factor that fuels hyper growth and changes how we think of some of our fundamental needs in our risk program.
The main impact of this rapid risk growth I want to explore is the impact on understanding the business context around risk. Business Context is the relationship of any risk management framework element – like an incident or a control – to the business. Business Context sets the aperture by which risk can be viewed - the more context, the more clarity. When you have Hyper Risk Growth, you need Hyper Risk Management. Hyper Risk Management requires Hyper Business Context.
Hyper Business Context must be fueled by automation. Manually cataloging anything related to the risk management process in this new world will quickly fall behind. In short, the hyper growth of risk forces us to look to automated inputs with a frequency and reliability that exceeds today’s capabilities. We must rethink what it means to create the relationships to formulate business context. Your risk program must build business context from the insights it gathers – and not rely solely on manual efforts.
The good news is RSA has a unique position when it comes to the future of business context. RSA Archer already helps you build context for your risk program. But we can also think outside the box when it comes to building business context. For example, why not let the systems tell us what is important? Network monitoring systems like RSA NetWitness can tell us how much a system is used, which helps identify availability risks. Identity Management systems like RSA SecurID can connect applications to user profiles, building relationships between business functions and IT infrastructure. These are byproducts of those technologies that we can use to inform business context.
Automation and integration will be key in ensuring your context keeps up with the data flowing from your many systems, especially as your business continues along its digital transformation.
Join me next week for my next blog, which discusses an ever-present variable that will have a tremendous impact on measuring risk in the future.