I had the opportunity to watch “3 Idiots” which in my view is one the best Hindi movies of all times. Several things in the movie stood out, the basic theme from Chetan Bhagat’s book, the amazing adaption and modifications by Raju Hirani, the concept of “be the best in what you do and success will follow”, the astonishing transformation of Aamir Khan to a 22 year old student etc.

One interesting element of the movie is the use of “All is well” and the story behind it. Rancho (Aamir Khan) uses the words “All is well” whenever he is in trouble (including the highly melodramatic child birth!)  and explains the logic behind it. When he was small they used to have an old watchman who used to roam around the streets shouting “All is well” and every one used to sleep peacefully. Only later did they realize that the watchman was actually night blind! The “All is well” shouts used to give great level of comfort to all and as he says it’s required to fool the heart once in a while.

In lot of ways we risk managers are like the watchman. Our job is to provide assurance to our organizations that “All is well”. This “All is well” feeling is seen by the general users and employees of the organization by the “visible” controls and their implementation. We often come across controls which are not “real” but more “visible”, maybe more deterrents than controls. E.g. the checking of underbellies of cars by guards at shopping malls or hotels. These guys seldom have any clue on what they are looking for; they are doing it just because someone has instructed them to do so. Worst of course is when we are asked to open the boot, they shove a metal detector inside and wait till it makes some noise and then let you pass!

In an ideal situation we should have controls which are specific, manage the risks effectively, are visible, are easy to manage, are not too expensive and don’t cause too much inconvenience. Since most of us don’t operate in the ideal world, it’s important to balance the real and visible controls. It is important to visibly inform the users that security is taken seriously and any deviation would be captured. It’s not about getting it 100% right; it’s about having something in place instead of nothing. As they say “it’s better to be approximately correct, that completely wrong”. Needless to say only having “visible” controls would be disastrous, it’s about having the right balance.

It’s our responsibility to provide assurance and the “All is well” feeling to our organization and users. Hopefully we would be doing it consciously and not as the night blind watchman of 3 Idiots.