Blog Post on Andrew Sheves

Unknown Knowns

Tue, 23 Apr 2024 00:00:00 +0000

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.” Defense Secretary Donald Rumsfeld February 12, 2002.

The Risk Manager’s Dilemma

Tue, 16 Apr 2024 00:00:00 +0000

Lloyds recently announced that they’re cutting a large number of risk managers because the group was hindering “intelligent risk-taking” (Bloomberg). This will pan out in a couple of years either in the bank’s earnings results or fines from the regulators but, whatever the outcome, this is a good example of the risk manager’s dilemma: how to balance:

The law and regulatory requirements
The business’s objectives and culture
The individual’s sense of what’s right

The dilemma is that these three won’t always be in alignment. And often, they shouldn’t be: a risk management system works best when it’s under a healthy degree of tension. We want a robust back-and-forth between an aggressive COO and a cautious CRO. That’s going to help the firm take manageable risks without getting into too much trouble.

The Right Tool for the Job: Getting the best out of AI for analytical tasks

Tue, 09 Apr 2024 00:00:00 +0000

Before we jump in, don’t be put off by the technical aspects of this: the overall concept is pretty straightforward and something you can put into practice yourself (I explain how to at the end).

Using the Right Tool for the Job

Despite their incredible capabilities, even the best LLM*-based AI suffers from a tendency to exaggerate or make up facts – AKA hallucinate. That’s not such an issue when you’re asking it to help tweak some text or brainstorm ideas, but it’s a big problem when you’re trying to use AI for analysis. (*Large language model.)

Threats are accelerating: so should we

Tue, 02 Apr 2024 00:00:00 +0000

We are moving too slowly

The existential threat that businesses and many countries are facing currently is not from artificial intelligence, climate change, the danger of another financial meltdown or a conflict.

The threat they need to address most urgently is an inability to move quickly and the events that we are facing far outpace our ability to understand, orientate, make decisions, and act.

(Spoiler: it’s impossible to plan your way out of a problem. At some point, we have to take action.)

Speed vs Accuracy. Speed (Obviously) But How?

Thu, 28 Mar 2024 00:00:00 +0000

The DCDR agents made a mistake the other day. The vessel’s name was incorrect in the original report on the bridge collapse in Baltimore. Not just a little wrong, completely wrong: it was the name of an actual vessel, but one that didn’t appear in any of the details supplied to the model.

(Thanks, Mark, for picking that up.)

So, I’ve added some additional quality control checks to reduce errors in the reports without sacrificing too much speed.

Risk and Crisis Consulting is Facing its Kodak Moment

Tue, 22 Aug 2023 00:00:00 +0000

Why the Industry is in Trouble

Despite being the inventor of the first digital camera in the late 1970s, Kodak famously ignored the switch to digital photography, losing the company its commanding market lead and significantly hurting the business.

Risk and crisis consulting is currently facing its own Kodak moment.

AI and machine learning tools reduce the effort, time, and cost of routine risk and crisis tasks by well over 90%. Consultancies believe they can harness these efficiencies to improve their profit margins and assume that only the largest firms will want, or be able, to develop their own tools.

How Businesses Can Plan for AI

Tue, 15 Aug 2023 00:00:00 +0000

Lots of businesses are wondering what AI means for them, and it’s essential that companies have an AI strategy, even if that strategy is to do nothing. But even if the answer is ‘do nothing,’ you can only get there by asking the ‘what if’ questions first.

But what are those questions?

We’ll get to those in a moment, but here’s a quick recap of why this is such a difficult discussion.

How AI will Affect Your Job

Tue, 08 Aug 2023 00:00:00 +0000

AI isn’t finally here – it’s been here for a while in everything from the autocorrect on your phone and the recommendations you get on Netflix – but it’s now in the mainstream. And thankfully, we’re having some of the hard conversations we failed to have when other technologies like social media were emerging. These will be long, complicated, and potentially inconclusive discussions, but at least they’re happening.

Clearly, a significant element of the discussion is around what AI means for work, and, as with most things, the answer is a variation of ‘it depends’ because every business and industry will be affected differently.

The Cost of Crisis

Fri, 04 Aug 2023 00:00:00 +0000

It’s always tough to answer the question, ‘How much damage does a reputational crisis cause?‘ Unlike a business interruption or accident, the cost of reputational crises is much harder to determine.

Unfortunately, whether you’re in the early stages of a crisis or trying to get a leadership team to find a preparedness program, ‘How much could this cost?’ is the kind of thing crisis managers get asked all the time.

Business Continuity in a Nutshell

Wed, 02 Aug 2023 00:00:00 +0000

I wrote this on a beautiful sunny morning last week, sitting on the Isle of Skye, enjoying the sun washing over the mountains with a fresh coffee and a copy of business continuity principles.

Different day, different highland view, but you get the idea

OK, so I enjoyed the sunrise, mountains, and coffee a little more than the business continuity guide, but it was nice to refamiliarize myself with business continuity management (BCM) again.

My Courses Are Now on Udemy

Thu, 11 May 2023 00:00:00 +0000

I’ve moved my courses over to Udemy so if you’re here, it’s likely that you followed an old link. I apologize for the inconvenience but you can find my courses on Udemy here

“This will never work. Here’s Why CrisisDojo Will Fail”*

Thu, 04 May 2023 00:00:00 +0000

*Is what people tell me, but here’s why they’re wrong

“This will never work.” “People won’t trust something so important to an automated process.” “You can’t develop high-quality, professional materials like this without extensive consultation.” “It can’t be done.”

These are the things you hear when you make something that’s only been available via expensive professional consultation into an on-demand service.

Except these comments aren’t just about CrisisDojo.

This is also what the founders of a small start-up heard back in 2001 when they launched their online legal services firm.

A Simple Crisis Management Plan Framework

Tue, 25 Apr 2023 00:00:00 +0000

I want to share a simple framework for crisis response.

But, if you’re a crisis management professional or corporate communicator, you need to take a deep breath before you read this.

You’ll want to tell me that you can’t simplify crisis response.
You’ll want to tell me, ‘It’s not exactly like the standard’.
You’ll want to tell me that this won’t work for your big clients.

I understand these concerns, so there’s no need to email me and tell me why I’m wrong.

SITREP for Friday, April 14, 2023

Fri, 14 Apr 2023 00:00:00 +0000

Welcome to the Friday, April 14, 2023

I’m on the road today, so it’s a Dragnet edition: just the key metrics today.

If this is your first time receiving this email, greetings! These SITREPS (situation reports) contain updates on critical events and essential metrics for you to use in your decision-making. There’s a guide here and a detailed white paper about the small data approach to risk assessment here.

On to the numbers.

How To Run a Great Crisis Exercise

Tue, 11 Apr 2023 00:00:00 +0000

A great exercise presents participants with a near-real environment that will apply stress to them, their plans, and their processes. Like a good gym session, they’ll finish tired, and a few things might be sore, but they’ll be better, stronger, and faster not long afterward.

However, it’s just as easy to put together a training session that leaves everyone hurt, confused, anxious, and feeling less prepared.

So how can we deliver a great exercise? One that will make a team much more crisis ready by the end?

SITREP for Friday, April 7, 2023

Fri, 07 Apr 2023 00:00:00 +0000

Welcome to the SITREP for Friday, April 7, 2023.

It’s Passover, Easter, and Ramadan this week so a good number of you will be celebrating this weekend. (And if none of those is your thing, today is also National Beer Day. )

Chag Pesach Sameach, Happy Easter, رمَضَان كريم , and cheers (delete as necessary)

But before you slack off for the weekend, let’s catch you up on some important goings on.

SITREP for March 31, 2023

Fri, 31 Mar 2023 00:00:00 +0000

Welcome to the SITREP for March 31, 2023

We’re on a mini-vacation in Europe this week, so it’s a Dragnet edition today: just the facts!

By the way, if you haven’t signed up for the CrisisDojo waitlist, you’re already missing out.

The waitlist folks already got a sneak peek at the crisis standard builder and got a chance to build a 20-page, formal crisis management standard, just by answering a few simple questions.

Planning a Great Crisis Exercise

Tue, 28 Mar 2023 00:00:00 +0000

Exercises are an essential part of skills development and, for things like emergencies and crises, the only way to build these skills outside of an actual event, events that are thankfully few and far between. But creating a successful exercise takes a lot of work and planning – you can’t just throw some problems at a group of people and hope they’ll learn from the experience.

So how do you plan a great crisis exercise?

SITREP for Friday, March 24, 2023

Fri, 24 Mar 2023 00:00:00 +0000

There’s still only one big story right now: banks. And rather than being out of the woods, as many are hoping, I think we might have just gotten into the woods. Keep in mind that something the increased rates are designed to do is expose and break weaknesses in the financial system.

This is harsh medicine and not something anyone welcomes but, when there’s a build-up of toxicity, this kind of cleanse is necessary. The problem is that you need to see it through, not quit just as it starts to have an effect. My view is that this is why the Fed and others continued with rate increases this week not despite the failure of some banks, but because of the failure of some banks.

Four Take-Aways from Recent Banking Flame Outs

Wed, 22 Mar 2023 00:00:00 +0000

Image (C) Bloomberg

In the last few weeks, US banks Sivergate, Signature, and the Silicon Valley Bank (SVB) collapsed, while First Republic Bank required a $30bn bailout from larger Wall Street Firms. Meanwhile, in Europe, the Swiss bank Credit Suisse has been bought by rival UBS.

Each of these banks was in a different position, and no single factor caused these banks to get into trouble. However, these recent events provide some essential takeaways for risk and communications managers. Here are four I think are worth thinking about.

SITREP for Friday March 17 2023

Fri, 17 Mar 2023 00:00:00 +0000

Daily SITREP for Friday, March 17, 2023

Read this on the Blog

Welcome to the SITREP for Friday, March 17, 2023.

Two very different banking crises played out this last week and, while both seem to be over, the panicky reactions in world markets indicates a lot of FUD (fear, uncertainty, and doubt) has built up. This suggests that companies won’t get the benefit of the doubt if there’s a stumble or any sign of weakness.

How Often Should Your crisis Management Team Train?

Thu, 16 Mar 2023 00:00:00 +0000

Recently, there was a great discussion on the frequency of crisis management exercises in a forum I’m part of. What was most surprising to me was the degree of consensus on the ideal tempo.

The vast majority of folks recommended a quarterly & annual frequency.

– Quarterly low-intensity tabletops focused on skills development and team cohesion.

– Annual high-intensity simulations to reinforce learning and test teams and systems in a realistic environment.

20 Years in the Making

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

💕 Happy Valentine’s Day 💕

It’s a slightly different intro today because I’ve some exciting news to share.

I know, I know. Every email you get starts with someone saying how excited they are: excited that you signed up for free coupons, excited that you joined an exclusive group of only 3,289,000 other professions, excited that you chose their firm to clean your windows, etc., etc.

I get it.

A Bird Flu Reminder to Keep Contingency Plans up to Date

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

A recent outbreak of bird flu has been detected in mammals raising concerns that a variant of the H5N1 virus could eventually infect humans. The chances of this are slim but it’s a good reminder to review plans nevertheless. Meanwhile, the metrics are a mix of extremes: wheat and iron and steel are at some of their highest prices for the 90-day period, while shipping and the VIX are at their lowest. Oil is relatively low but has been fluctuating recently.

A Mid-January reality check and why you need to pay attention to sovereign debt

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

ding! You’ve got mail…. 📬

Welcome to the first Daily SITREP! No more anxiously waiting between updates: now you’ll be getting the metrics and critical events delivered to your inbox daily, Monday – Friday.

Please keep the feedback coming – that way, I can make this as useful as possible (and not waste valuable space in your inbox).

Yesterday was Blue Monday when the reality of the New Year sets in: whatever excitement there was around the holidays has faded, the decorations are back in the attic, and we’ve all gotten used to writing ‘2023’ on our checks. And there was a similar feeling with the key metrics: movements are relatively gentle and valuations seem to be stabilizing for the moment as things settle into the New year. Unfortunately, some of this stability comes from pretty grim contributing factors – there’s no let up in Russia’s attacks on Ukraine, for example – and the results are no less pleasant as the cost of living bites and layoffs continue. Nevertheless, this is a moment of relative calm which should be appreciated. And a bit like your New Year’s resolutions, it’s worth reviewing any big plans you made for your organization in early January to see if those are still great ideas now the enthusiasm has ebbed a little.

A New Gas Deal in Libya, Egypt’s Looming Challenges, and Fiddly Fingers Caused the NYSE’s Wild Tuesday

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

ENI is about to sign a new gas deal with Libya which is good news but adds a fraction of what the EU needs. Fiddly fingers (that’s a technical term – look it up) caused Tuesday’s wild opening on the NYSE while it was Microsoft’s turn on Wednesday.

Meanwhile, several recent stories about Egypt bring the combined challenges of what prices, inflation and sovereign debt info focus. These same conditions exist in many countries so the stories are worth reading to get a sense of what’s going on in frontier markets.

America defaults (kind of), using these metrics, and the value of delaying your morning cup of Joe.

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

America hit the debt limit yesterday: that means no more borrowing is possible until the debt ceiling is lifted. The government will keep running and paying the bills for a few months because funds have already been appropriated or because the extraordinary measures introduced by Treasury Secretary Yellen provide additional financial flexibility.

The political back and forth has begun: House Republicans are vowing to force the White House to make tough choices on spending cuts while the Biden administration has refused to negotiate, calling this “economic vandalism”.

Balloons, Taiwan and Made in ChiMexico: A Chinese Threefor

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

The extent of yesterday’s earthquake in Turkey and Syria is becoming clear and many difficult days of search, rescue and recovery lie ahead. Although tragic, something like this is outside the scope of this newsletter and I can’t do justice to such a fast-moving event so I won’t be continuing to cover the response unless there is a significant development. (As a reminder, there are many reputable organizations providing relief in the affected areas and they would appreciate your support if possible but do check the credentials of any organization before donating.)

Bumps Ahead as The Transition to Renewables Speeds Up

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

A few articles on the transition to renewable energy I found this week are worth a read.

The first explains why crossing 5% usage is the ‘tipping point’ for mass adoption and what the current uptake looks like in different countries, and for different technologies. Read ‘Clean Energy Has a Tipping Point, and 87 Countries Have Reached It’ from Bloomberg here.

The others concern the minerals we need to create the hardware and infrastructure needed to sustain this switch. This all comes down to mining enormous tracts of land to get at the minerals needed to make solar panels, EV engine components, and batteries. Congo and Indonesia are two places developing new mining projects at the moment, but China dominates the entire sector as either a source of rare earth minerals or as the backer of these enormous projects. As the US dominates the oil and gas sector, China now dominates the rare earth sector.

China’s population is shrinking and moving. Why ‘recyclable’ doesn’t mean what you think it means.

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

The newly released 2021 Chinese census showed a surprising drop in population for the first time in 60 years which, while not unexpected, was earlier than many had expected. Meanwhile, millions in Asia are preparing to celebrate the Lunar New Year which for many in China, means it’s the first chance to see family in years now that COVID restrictions have lifted. Sadly, that may be a bittersweet reunion for some as elderly, rural relatives may be exposed to COVID for the first time. However, the end of the celebrations in February will be the start of the big economic reopening.

DCDR Research – Tuning Out The Noise

Sat, 11 Mar 2023 00:00:00 +0000

DCDR research is a succinct, useable data feed that cuts through the noise to give you the critical information you need to make data-driven decisions. The project is the outcome of over 15 years work in this area as both an analyst and decision-maker.

The intent: to give leaders a set of critical metrics in an easy-to-understand format to help speed up and simplify their decision-making.

The full white paper and methodology will be published in December 2022 and you can request early access to the reports here.

DCDR Research: User’s Guide DRAFT

Sat, 11 Mar 2023 00:00:00 +0000

We all want better information for our risk analysis (well, at least everything reading articles like this does) and DCDR Research is building a data feed to get you those metrics. But even when you’ve got that data, there’s often one other problem.

How to use it?

Not to worry. Here’s a guide on how to use these reports specifically and if you want some more general background on using metrics in your risk assessments, take a look at these blog posts.

Dragnet Edition: Just the Facts

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

I had to take a personal day on Tuesday, so it’s just Chad with the metrics today. Apologies, and I’ll be back with a proper SITREP tomorrow.

On to the numbers

(Still not sure of how to use these metrics in your risk analysis? There’s a cheat sheet at the bottom of the email but the user’s guide is here. Want to know more? Read the white paper.)

Relative Values (90-Days)

Turn your phone for a better view ⟳

ESG Compliance, a Drop in Ransomware Attacks, and a Chad’s on a Spa Day 🤖

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

There were a few interesting pieces of news on ESG compliance and regulations that are worth keeping an eye on. Many of these rules are yet to come into force, but companies should start thinking about how they will meet these requirements (and who will take the lead). Also, there’s some positive news on the ransomware front.

Unfortunately, the metrics didn’t update properly today. I’ve sent Chad (the robot who manages the data) off for a spa day while I fix things, and I apologize that there aren’t any numbers today.

ESG is Under Attack: So What?

Sat, 11 Mar 2023 00:00:00 +0000

GM and welcome to the ‘So What’ briefing: a shot of additional angst to go with your morning chai latte macchiato.

Let’s dive in

1,200 Words, reading time 5 mins 6 secs

Nutritional information

Today’s post contains hints of regulation

ESG under attack as ‘woke’ capital

In a lot of recent coverage, ESG (environmental, social & governance) is being termed ‘woke’ capitalism by both supporters and detractors of the investment class. This perception further strengthens the sense that, rather than measuring how well a firm or fund performs in some important non-operational ways, ESG is nothing more than a form of virtue signaling and/or a scam.

Famine, Oil Production Forecasts, and Custom Metrics

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

Some quick updates today plus I’m sharing an example of the personalized SITREPS I announced yesterday.

Famine in the Horn of Africa and North Korea

Wheat and grain prices remain high making many food staples more expensive around the world but there are also many who are living in famine or near-famine conditions (Axios). The Horn of Africa is undergoing another period of drought following its fifth failed rainy season. This places millions in Somalia, Eastern Ethiopia and Northern Kenya in severe danger of acute malnutrition. (UNICEF)

For Economies “This Is Normal”, the WEF’s 2023 Risk Forecast, Holocaust Remembrance Day.

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

There’s some macroeconomic analysis that’s worth your time today (or over the weekend), plus a belated recommendation to read the WEF’s Global Risk Report if you haven’t already. Today is Holocaust Remembrance Day.

And thanks to everyone who voted on the layout. The overwhelming response was that you prefer having the analysis first so we’ll stick with this format and starting next week, I’m going to trim the commentary around the metrics unless there’s a big event or change. That should streamline things even more

Hundreds Dead after Turkey and Syria Earthquake, plus Executive Liability in the US.

Sat, 11 Mar 2023 00:00:00 +0000

A sad morning.

The death toll in Turkey and Syria following Monday’s terrible earthquake is rising and the latest death toll at the time of writing was over 1,000 but this number has been rising steadily all morning. The full toll will be many times higher while thousands more are injured or without shelter and power. The recovery and aid operations will be complex and likely hampered by political and security considerations.

Lunar New Year, Tanks to Ukraine (or not), and An Election Switcheroo in Turkey.

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

Welcome to the upside-down edition of the Daily SITREP

Don’t worry, it’s not as scary as the Upside Down. Image © Stra Things / Netflix

I like numbers. You like numbers. We all like numbers. (If you don’t…)

But the danger of writing a daily briefing that leads with the metrics is that it can feel like a market tracker (this isn’t) and you can get a little ‘number blind’. You also might get sidetracked on your way to the updates which are hopefully flagging what you really need to pay attention to (that would be bad).

Oil Cuts (Meh…), WhatsApp and UFOs

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

Surprisingly, markets quickly shrugged off Moscow’s Friday announcement that Russia would cut oil production by half a million barrels per day (bpd), suggesting that Russia’s influence on oil markets is much diminished.

Meanwhile, two stories on regulation are good reminders that rules should be followed but also that the communication of these rules can be complicated and subtleties can be lost. Unfortunately, ‘we were confused by your messaging’ isn’t an excuse for non-compliance, so it falls to leaders to ensure that staff understand, and meet, obligations.

Positive Vibes from DC, Negative Vibes in Pristina and US Egg Smugglers.

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

The readout after Wednesday’s meeting between Joe Biden and Kevin McCarthy was positive, giving some hope for smoother-than-anticipated negotiations around the debt ceiling. The Fed continued to raise rates but less quickly, which markets took as a sign that the worst was over. However, Mardi Gras is still three weeks away – and landing the US economy even farther off – so shouts of ‘laissez les bons temps rouler’ from Wall Street are premature. Finally, Kosovo is one of many seemingly small disputes that can cause oversized headaches and is therefore worth keeping an eye on.

Rapid-Fire Friday: Geopolitics Issue

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

🌐 A rapid-fire roundup of some of the big geopolitical issues today: Tunisia, the Turkey / Syria earthquake, Russian sanctions, the Nigerian Election, and Israel-Palestine.

The Cyprus election run-off is this weekend and America will be watching a football game while eating a record number of nachos and wings.

See you on Monday!

🇹🇳 Tunisia

There have been no steps to address the lack of a decisive outcome in the election runoff that took place two weeks ago despite protests and complaints that the government of President Saied is illegitimate. Instead, the President has sanctioned a crackdown on the opposition, increasing the number arrested or charged with frivolous offenses and is describing the opposition on the terms of a “cancer” on the country.

Shipping Containers Are Very Expensive: So What?

Sat, 11 Mar 2023 00:00:00 +0000

GM and welcome to So What: a fresh perspective on an emerging risk that will add to your grey hairs.

Let’s dive in.

839 words – 3 mins, 31 seconds read time

TL;DR

Container prices remain at record highsThis affects global shipping of all goods with an impact on supply chains and pricesThis looks set to continue through 2022 and maybe into 2023 so companies should plan accordingly.This also reinforces the dangers of globalization and just-in-time inventory which need to be reduced.

Some news from Davos while the metrics remain relatively quiet. Plus giant space lasers.

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

First, a clarification

**In yesterday’s piece on sovereign debt, I said that Secretary Janet Yellen had announced that the US would hit the debt ceiling in early June and she was implementing special measures to help manage that process.

In fact, Secretary Yellen said that the US will probably hit the ceiling around January 19 (A.K.A tomorrow!) but that the “extraordinary measures [will] prevent the United States from defaulting on its obligations”. These measures can be sustained until early June, after which it is unclear exactly when the US will run out of cash, although many economists believe that this will happen by August.

Tanks to Ukraine, a Mini-Flash Crash (maybe), and New ECB Climate Metrics. Plus, treehouses=terrorism?

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

It’s a bite-sized issue as there’s a lot to share today. Tanks are heading to Ukraine, the ECB has issued new climate metrics and the NYSE had some wild swings on Tuesday. (Oh, and Chad’s fully refreshed after his spa day so the metrics are back. )

Feedback so far is that quite a few folks seem to prefer having the commentary first but please use the poll to let me know what you think.

The Uyghur Forced Labor Prevention Act Just Came Into Effect: So what?

Sat, 11 Mar 2023 00:00:00 +0000

GM and welcome to So What: your daily snippet of risky goodness that adds one extra headache to your to-do list. (But you’ll read it right away tomorrow anyway.)

Let’s dive in.

1685 words – 6 mins, 30 seconds read time

TL;DR

The UFLPA addresses US concerns about the use of the Uyghur as forced labor in China.Similar EU legislation is likely in the near future.UFLPA places a high burden on firms importing goods and materials from China to prove that the imports have not originated from facilities or regions using forced labor.The Act will impact firms importing goods and materials from China into the US and manufacturers who reply upon these items.Both importers and those who have Chinese goods in their supply chains should audit their supply chains and prepare for and adapt to any disruption.Over the mid-to-long term, companies should reduce their dependence upon goods and materials of Chinese origin and look for other parts of their supply chain that may be linked to forced labor.It places a high burden on firms importing goods and materials from China to prove that the imports have not originated from facilities or regions using forced labor.The Act will impact firms importing goods and materials from China into the US and manufacturers who reply upon these items.

Ukraine and Russia Produce Over 1/3 of the World’s Grains. So what?

Sat, 11 Mar 2023 00:00:00 +0000

GM and welcome to So What: your snippet of risky goodness that (in this case) will bum you out before breakfast (you are reading this before breakfast, right?)

Let’s dive in.

1,200 words, 4:48 reading time

1/5 of the world’s grains originate from Ukraine and Russia, meaning the Russian invasion of Ukraine is causing a significant interruption to global food supplies. In addition to the detrimental effects on food security, this may also cause instability in some countries. Here’s why.

Ukraine Anniversary Offensive, Nigerian Elections, plus custom reports.

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

Two quick updates today plus the customized risk / opportunity ratings.

Click here to try out customized reports.

Russia on the Offense Prior to February 24

Russia appears to be building up for a concentrated offensive in Ukraine to coincide with next week’s one-year anniversary of its invasion. Additional missile strikes took place on Thursday morning and Russian forces appear to be making progress in taking the city of Bakhmut which would put them within striking distance of other major cities in the northwest Donetsk region. See Reuters for more.

Uncertainty in Tunisia, Czechs reject eastward turn, Middle East Attacks and China’s COVID wave ‘coming to an end’

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

Tunisia’s second-round voting had a similarly low turnout as the first round making it unclear what will happen next. Recent attacks in Israel, Palestine, and Iran signal a period of heightened tension that feels poised to boil over.

Meanwhile, Czech voters clearly returned formed NATO General Pavel with 58% of the vote, signaling their preference to remain aligned with the West. On a (hopefully) positive note, China’s CDC declared that the current wave of COVID infections was coming to an end.

US Debt Fight Round 1, Unease in Pakistan, and How Reliable is Carbon Offset Reporting?

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

The real work to avoid a US deficit starts today and will give us a sense of how the stage of the drama will unfold. A terrible attack in Pakistan left 100 dead and ratches up tension.

Meanwhile, reports of inaccuracies in one of the world’s largest greenhouse gas crediting programs are a good reminder to take care and conduct your due diligence. Otherwise, you might find you’re making misleading statements to regulators and shareholders which (checks notes) is bad.

US Deficit Timeline Update, More Arrests in Tunisia and a New Prime Minister in Moldova

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

Monday is President’s Day so there’s no SITREP and then you’ll see a difference in the content and frequency of the free emails as the PRO plans kick in. So, starting Tuesday:

PRO subscribers get the daily updates and customized risk metrics.General subscribers get the Friday round up only.

You can try the PRO plan for free here. (And if you have any questions on what you get in the PRO plan, and how the customization works, please just hit reply and I’ll send you more information.)

We Have Too Much Stuff

Sat, 11 Mar 2023 00:00:00 +0000

Good morning.

I got sucked into a supply chain vortex on Bloomberg this morning and did some digging around so you don’t have to.

It turns out the world over-ordered during COVID and now, some supply chains are full of surplus goods and materials. This could be a great opportunity for some but signals big problems for others.

However, it’s also a good reminder of why you need to take a historic view in your planning, something that toilet paper manufacturers understood, but Peleton didn’t.

SITREP for Friday, March 10, 2023

Fri, 10 Mar 2023 00:00:00 +0000

Nigerians Vote and a South Pacific Remake

Thu, 23 Feb 2023 00:00:00 +0000

Good morning.

🇳🇬 Nigerians Vote

Nigerians will elect their new president and parliament this weekend with third-party candidate Peter Obi leading recent polls (ANAP Foundation). Obi has a strong following amongst younger Nigerians and a win would signal a break from some of the traditional political power structures in the country. However, there is still a significant margin for error in the polls and all three leading candidates have strong bases of support so a close election and run-off are still a significant possibility.

Some AI Safeguards

Fri, 27 Jan 2023 00:00:00 +0000

Note that things are moving very quickly with AI and OpenAI. CatGTP in particular so some of the issues below may have been fixed by the time you read this. (Sadly, not the bits that involve humans.)

Some things to think about before you dive into GTP3

Like most of us, I love new toys. And like many others, I’ve been playing with OpenAIs tools since access opened up last year. With GTP4 scheduled for release soon and rumors that Google and Facebook both have pending AI releases, a lot will happen with AI in the near future.

A Small Data Approach to Risk Metrics: Risk Metrics White Paper

Wed, 14 Dec 2022 00:00:00 +0000

(Read more about the origins of the risk metrics project here and here)

The Risk Metrics White Paper

The risk metrics project has come into sharper focus over the last couple of weeks and I’m now comfortable with the foundation of the system and how to manage the data. I’m still a little unsure as to which metrics will be most useful but I have an initial set of 12 to start with and user feedback will be the best judge of what’s relevant.

Chatting with an AI about Risk Management

Tue, 13 Dec 2022 00:00:00 +0000

I chatted with OpenAI’s Chatbot the other day and asked it some questions about risk management. The answers were clear, nuanced and thoughtful, supporting all the hype surrounding the tool.

It’s a text compiler so therefore not an analytical machine for the purposes of risk analysis – other tools of that kind will come on the scene eventually but I’m writing a paper as to why that’s a little ways off yet – but there are some uses I can see in the risk management space.

Risk Management Isn’t Just About Compliance

Mon, 28 Nov 2022 00:00:00 +0000

It’s no secret that I love standards (I even confessed to this in a previous blog post).

However, there’s a problem: as soon as you introduce a standard, you’re in danger of turning things into a compliance exercise. Initially, that might not sound so terrible. If you’re compliant with a risk management standard, you’ll be managing your risks properly, right?

Unfortunately not.

Because compliance, or anything else that can be reduced to a ‘check the box exercise,’ very quickly moves the focus from outputs to inputs. So, as long as you have written the procedure, conducted the assessment, and established a governance board, you’ve complied with the requirement set out in the standard. But that doesn’t mean that the procedure is fit for purpose, that the assessment effectively evaluated the risks, or that there’s effective governance in place. It just means you’ve checked off these requirements in the standard.

The Signal and The Noise – Book Review

Mon, 21 Nov 2022 00:00:00 +0000

*The Signal and The Noise Why So Many Predictions Fail–but Some Don’t by Nate Silver *is the 2012 best-seller from the then New York Times columnist who now runs the FiveThirtyEight election analysis and prediction site in the US.

TL;DR – This is a great read that explains why and how you need to mix statistics and experience in your predictions and decision-making. It can feel a little technical and heavy on the math at first glance, but Silver explains everything clearly, making it an easy read, given the subject matter.

The Question You Can’t be Afraid to Ask

Mon, 14 Nov 2022 00:00:00 +0000

Something that’s very hard to do as a consultant is to say,* ‘I don’t know,’ *or confess that you don’t understand something. But you’ve got to overcome any discomfort and learn how to do this because it’s critical that you’re honest about your knowledge gaps if you genuinely want to understand an organization or situation.

But the problem is that this is hard to do when you’ve positioned yourself as an expert, and someone’s brought you in as a problem solver. So you’ll feel self-conscious if one of the first things the client hears you say is, ‘I don’t understand that. Please explain’.

Risk Metrics Project Update – November 2022

Tue, 08 Nov 2022 00:00:00 +0000

This post is an update on the risk metrics project I described a few weeks ago. You can read about the origin of the project and the intent here.

If you recall, the underlying metrics for the project had to meet the following criteria:

Broad, not narrow (meaning the metric has widespread effects)
Publicly available
Easily understandable
Updated frequently
Commonly used

Unfortunately, for a lot of the data I looked at, I could get four out of five criteria but often one remained out of reach. Usually, this was frequency as some macro-indicators are published in annual reports, not weekly or monthly. However, for a macro trend such as literacy rates, a year-on-year measurement is sufficient, which means that the final criteria could read regular or frequent.

How vs. What: Don’t stop your planning too early

Tue, 01 Nov 2022 00:00:00 +0000

A problem I’ve observed is that we often need to differentiate more clearly between what we need to do and how we will do it. This confusion makes us think that a problem’s been solved when, in fact, all we’ve done is identify the effect we want to achieve, not how we’re going to get there.

The roadmap for how to make that happen is missing.

Imagine a business that’s trying to cut its costs because its cash flow is out of balance. Discussions might end with decisions to trim expenses or reduce headcount, which are reasonable ways to cut costs significantly. Everyone leaves the meeting thinking the problem’s been solved. However, they still need to determine what costs can be cut without compromising operations. How to manage layoffs and the effect these will have on the business? They will have identified the ‘what’, but not the ‘how’.

A Data-Driven Approach to Risk Management – The Risk Metrics Project Background & Overview

Tue, 11 Oct 2022 00:00:00 +0000

Full disclosure: this is me working through an idea in public but, if you’ve been reading my stuff for a while, you’ll know that the blog and email are often me thinking out loud, trying out ideas to see what sticks.

In this case, it’s not a new idea but, instead, a rather old one. A 20-year-old one…

Data-Driven Risk Management

How this came about isn’t important, but since my first risk assessment, I’ve felt that there’s a need for some kind of simple math to underpin things and help with consistency. Eventually, that became the kind of thing you’ll have seen in the metrics and gradings work here.

Who’s Your Organization’s Barbara?

Tue, 11 Oct 2022 00:00:00 +0000

This recent tweet made me chuckle as I thought, ‘Yup, sounds just like a Barbara.’

Ed Burmilia on Twitter

Like this author’s fictitious Peggy, ‘Barbara’ is my shorthand for the person who’s essential to an organization. But, unlike Peggy, Barbara’s real.

What’s a Barbara?

Barbara was the founder’s EA at a firm where I worked and, having been there since the very beginning, knew everything there was to know about the business.

ESG is Under Attack: So What?

Mon, 03 Oct 2022 00:00:00 +0000

ESG under attack as ‘woke’ capital

This post originally appeared in the ‘So What’ newsletter on July 1, 2022

A Quick Way to Establish Context and Develop Understanding

Thu, 15 Sep 2022 00:00:00 +0000

Data or information by itself is meaningless.

For it to be useful, we need to add context. This is the difference between information and intelligence: once we’ve analyzed the information and put it into context, the resultant intelligence gives us an understanding of a situation.

Another way to write this is understanding = knowledge + context

But that’s sometimes easier said than done. What do we mean by context, and how does this help you understand a situation better?

A Prayer for Risk and Crisis Managers

Thu, 08 Sep 2022 00:00:00 +0000

There’s a saying that there are no atheists in a foxhole, and it’s the same for a boardroom in crisis. Facing the worst day of their life, even the most bitter executives who don’t even know where the nearest church, mosque, or temple is will be trying to remember the prayers they learned as a child. They won’t add God to their stakeholder matrix, but they still hope He’s on their side.

Reflections after five years of KISS risk management

Tue, 15 Feb 2022 00:00:00 +0000

I started the KISS risk management project five years ago with the idea that risk management was being made too complicated and there were too many gatekeepers in the way. That makes it hard to get started in the profession, which robs businesses of a broad range of perspectives and viewpoints (a risk in itself). But this lack of general risk intelligence also makes us all worse off: we need people to make risk-based decisions in all kinds of situations.

10 Considerations for New Risk Managers

Fri, 19 Mar 2021 00:00:00 +0000

*I received an email a few years ago from someone just getting started in risk management asking if I had any thoughts or advice on the risk management skills they needed. The response quickly became several pages long and I thought it was worth turning it into a blog piece that others might benefit from. So here are 10 considerations for new risk managers (although this could also be titled ‘Letter to a 30-year old me’ or a 40-year old me.) *

Becoming a risk manager

Sun, 07 Mar 2021 00:00:00 +0000

Becoming a risk manager can seem to be more art than science. There’s not a clear pathway from degree to junior risk manager to senior risk manager to CRO (Chief Risk Officer) in the same way that you can chart the progress from freshly minted CPA (Certified Public Accountant) to head of Ernst & Young. (Financial risk management is the exception here as there is usually a clear path there.)

What is a risk manager?

Sun, 28 Feb 2021 00:00:00 +0000

Googling ‘what is a risk manager?’ will get you variations on ‘it’s the person who manages that organization’s risks,’ which is a pretty weak answer. It’s certainly not enough to help anyone who’s just starting in the role to understand what they’re supposed to do. Similarly, if someone’s thinking about this as a career, we need a bit more.

🎧 Listen to a recording of this post 🎧

So here’s a more detailed answer.

Using blockchain to validate records in DCDR

Wed, 24 Feb 2021 00:00:00 +0000

Security is a guiding principle for DCDR, and protecting user data has been baked in from the start. However, there’s more to data security than restricting access and managing user permissions. I’ve used the INFOSEC abbreviation CIA – confidentiality, integrity, and availability – as a guide to help determine the steps required to protect your data while also ensuring that the system does what it’s supposed to. Overall, the intent is to ensure:

Risk reports in 30 seconds?

Tue, 19 Jan 2021 00:00:00 +0000

It’s as easy as 1, 2, 3 with DCDR

80 / 20 your risk management

Mon, 11 Jan 2021 00:00:00 +0000

This is a very short post which should work because it’s a very simple idea. Obviously, I’m a fan of simple (this is KISS risk management after all) but, as with lots of simple ideas, the trick is sticking to the idea and seeing it through without getting distracted.

🎧 Listen to a recording of this post 🎧

The idea is that you use the Pareto principle, or 80 / 20 rule, when you’re thinking about your risk management system. In short, the principle or rule is:

Lets’s wait and see…

Mon, 04 Jan 2021 00:00:00 +0000

Happy New Year. Sorry this is a grim (stern?) start to the year but this idea bears repeating

“Let’s wait and see…”

..actually, let’s not.

Let’s do something about [fill in the risk here] right now.

The sooner we start to act, the earlier we’ll understand the situation, the faster we’ll be able to mobilize resources, and we’ll start limiting the damage that will only worsen with time.

This speed is essential when there’s a lagging indicator. By the time the metrics show things are getting worse, it’s already bad.

Happy New Year! Here’s to a great 2022!

Mon, 28 Dec 2020 00:00:00 +0000

Don’t worry, that’s not a typo.

Nor does it mean that you’ve missed a whole year (although we probably all feel like we could have done with a little less 2020).

But I want you to imagine for a second that it’s almost January 2022.

Why?

Well, although we’re all going to probably feel a lot better psychologically in a few weeks time, the fact is that the situation on January 1 2021 will look a lot like the situation in late December, 2020.

Get your risk governance system running like clockwork

Wed, 16 Dec 2020 00:00:00 +0000

There’s a lot in risk management where success is achieved by breaking something very large and complex (say, a risk assessment of a whole organization) into bite-sized pieces and risk governance is no different. I’ve written about risk governance in more detail here but I’m aware that the schedule of activities can become a bit overwhelming.

So I spent a bit of time in my calendar and Asana, a project management app, the other day, looking at how to set this up once and then let automation do its thing. I estimate this will take about 30 minutes to get things set up. Then all you need to do is follow the schedule, saving you lots of time scheduling individual meetings and, best of all, avoid things getting out of sequence and gumming up your risk governance structure.

Sweat the small stuff this week

Thu, 10 Dec 2020 00:00:00 +0000

We’re getting towards the end of the year and, after a year like this, it’s understandable that we’re trying to wind down.

Unfortunately, risk management doesn’t work like that so your risk register is sitting there, waiting for some TLC. Those big, scary reds are still there and you know that there’s still a lot to do. There are also a few ambers that you’re concerned about but haven’t quite got around to yet.

Risk appetite and risk tolerance

Fri, 04 Dec 2020 00:00:00 +0000

Defining an organization’s risk appetite and risk tolerance is one of the most significant challenges a risk manager faces.

I’ll explain why in a moment but it’s important to understand these parameters as this helps managers at all levels understand where they are operating in relation to the organization’s risk /comfort level.

Understanding these limits guides them when they are deciding which initiatives to pursue or kill. Or how much mitigation a risk requires. Maybe it’s what helps them decide it’s time to start pulling out of a market or country.

Getting ready for 2021

Fri, 27 Nov 2020 00:00:00 +0000

I think it’s safe to say that we’re all ready for 2020 to be over.

The arrival of January 1st won’t miraculously solve all of our issues but we will be moving into a year where a lot of the unknowns of 2020 are now knowns. That’s a huge relief for risk manager who probably feel like they’ve been playing on heroic mode all year.

2020 wasn’t a game of Halo, but it felt like it at times

Boiling the kettle: when risks become events

Tue, 03 Nov 2020 00:00:00 +0000

*How can you spot the point where risks become events? How do you know you’ve moved from something that might occur to something that is actually occurring? *

I’d argue that you don’t need to identify the specific point of change, and you’ll waste valuable time trying to spot the exact moment of transition. Most importantly, if you wait to see the transition point, your response will be on the back-foot from the get-go.

November is risk management training month

Sun, 25 Oct 2020 00:00:00 +0000

Seven takeaways from reviewing my degree notes

Mon, 12 Oct 2020 00:00:00 +0000

I looked back at some of my degree notes the other day and came across something I’ve been meaning to work on for a long time. (By long time, I mean about 10 years*.)

It’s based on two concepts. First, the work that Brian Toft, Simon Reynolds and Barry Turner did with respect to how disasters evolve and how we can learn from the. The second concerned how to differentiate between emergencies and crises. Bringing these concepts together gives us a model or framework for how risks become events and how these events can become disasters.

Rehabilitating the deficit model for risk communications (or why having a better conversation starts with not calling the other person an idiot)

Wed, 07 Oct 2020 00:00:00 +0000

We seem to be pretty bad at talking to one another right now.

Subjects where you might expect some general agreement with maybe a slight difference on the edges become die-in-the-ditch arguments. Arguments that rapidly spiral into unrelated areas of increasing vitriol.

If you’re talking about sports, then that’s fine: we don’t expect Yankees or Red Sox fans to agree.

However, we need a way to have a measured debate when talking about public safety, national security, or healthcare issues. I believe that we can achieve that by improving the deficit model for risk communications. (There’s a primer on risk perception and communications here if you’re not familiar with the topic.)

What is risk management?

Thu, 10 Sep 2020 00:00:00 +0000

*Asking ‘what is risk management?’ often gets you the trite answer ‘it’s the management of risk’ or we get a list of activities associated with risk management. Neither result is satisfying and we need a better definition that explains the intent of risk management along with some clarification of what this is and is not. Here, I’ve presented some initial ideas on a definition along with four components that should give us a more thorough definition. *

The Buck Stops Here

Wed, 05 Aug 2020 00:00:00 +0000

As risk managers, we spend a lot of time working out how to get things done.

After all, the risk assessment is just the start of the process. Once you’ve identified your risks and worked out how to address them, you need to get down to work: then the actual management part begins.

Determining ownership for many risks will be relatively straightforward and departments will often fight very hard to maintain ownership of risks that fall within their remit.

Simple doesn’t mean easy

Sun, 19 Jul 2020 00:00:00 +0000

I realized a while back that it can be too easy to mistake ‘simple’ with ‘easy’ and I’ve been concerned that promoting a simple approach to risk management might lead people to think that this makes everything easy. Unfortunately, even though a KISS approach makes risk management easier, it doesn’t do away with the need for hard work altogether. Worst of all, it can be easy to mistake shortcuts for simplification.

Dealing with uncertainty in your risk assessment

Sun, 12 Jul 2020 00:00:00 +0000

Most of the risk assessment models I’ve discussed before use a basic formula to calculate a value for risk. By adding or multiplying values for the individual factors, you’ll get a numeric value for the risk itself. That’s going to allow you to put things into order, apply a color-code or description. That gives you enough differentiation to start a risk-based discussion or determine where you need to focus your attention and resources.

Organizational smoke alarms: how to become more proactive

Sat, 27 Jun 2020 00:00:00 +0000

Many people have a few smoke alarms dotted around their house and, to me, these are some of the most straightforward set-it-and-forget-it risk management tools you can get. You set these up and then…nothing. You can forget about them until that annoying ‘chirp’ sound wakes you up one night, telling you to change the battery.

And most people will never hear their smoke alarm go off except for those times that their cooking gets a little out of hand.

What’s a Black Swan & why you need contingency plans

Sun, 14 Jun 2020 00:00:00 +0000

I’m sure you’ve heard people referring to COVID-19 as a ‘Black Swan’ – something that no-one could have seen coming – but is that actually the case?

Terrible though it is, I don’t think it’s accurate to describe the current situation as a Black Swan because we’ve had to deal with highly contagious, deadly diseases before.

Calling this a ‘Black Swan’ is, therefore, a way to excuse a confused response: ‘how could we have prepared for something that no-one could see coming?’

Trusting your Gut: Informed Intuition and Risk-Based Decision-Making

Sat, 16 May 2020 00:00:00 +0000

I was thinking a while back about the idea of informed intuition: cases when you seem to be trusting your intuition but, in fact, you’re recalling deeper experiences and patterns that help with your risk-based decision-making. As I was building upon this idea, it became clear that I wasn’t onto any thing new but, instead, this has been explained in the work of, among others, Gary Klein and the RPD model.

This is the balance we’re trying to strike

Tue, 05 May 2020 00:00:00 +0000

In Amman, we’re in our 7th week of curfews, homeschooling, and weekend lockdowns, and things are starting to ease up so you can drive, the bigger stores are opening again, and in some people’s eyes, we can get back to normal.

Unfortunately, as I’ve said previously, I don’t think we’re going back to how things were (‘normal’), and our ‘new normal’ requires some adjustments. Sadly, in some places, we’re treating the lifting of restrictions as an ‘all-clear’ which is only going to make things much worse.

The difficulty of proving a negative

Sun, 12 Apr 2020 00:00:00 +0000

I meant to write this piece a few months back, focusing on the first part. However, with the developments around COVID-19, I thought the second point was also relevant and timely. Plus, I thought it might do some good, but I’d love to know what you think. Please send me an email with your thoughts.

Risk and security managers are often faced with the difficult task of defending the success of a risk management program with little or no supporting evidence. Ironically, the more successful a risk management program is, the less evidence there can be to demonstrate its effectiveness. So this success actually increases the perception that the program is unnecessary: after all, why have an expensive security program when you have few, if any, significant incidents?

Getting in the Fight: Transitioning to Crisis

Sun, 22 Mar 2020 00:00:00 +0000

Change is hard, and the transition from ‘peacetime’ to crisis is one of the hardest. Facing the spread of COVID-19, that’s where many of us find ourselves today: struggling to adjust to the reality of what we are facing. That might be personally, within your family, or at an organizational level. However, I can’t think of anywhere that’s going to escape this contagion so, no matter the level, we all have to transition and the faster, the better.

A time for overwhelming action

Sat, 14 Mar 2020 00:00:00 +0000

By now, you will probably have picked up that I enjoy a good old risk assessment. However, there are times when you don’t need a risk assessment to figure out what to prioritize. When something’s staring you in the face, it’s time to take action.

So when a real crisis hits, the time for the risk assessment is over.

So is the time to ‘wait and see.’

So is the time for asking, ‘why me?’

Speaking up is hard (but necessary)

Mon, 09 Mar 2020 00:00:00 +0000

In David McKee’s book for children ‘Not Now Bernard’, a young boy tries to warn his parents about a monster in the yard, but they’re too busy to pay attention. All they say is ‘not now Bernard’ and ignore him. In the end, the monster eats Bernard and moves into the house, but his parents are still too busy to notice.

Look Out, Bernard! Illustration by David McKee

I don’t think the author meant this to be a homily about risk management, but this will be a familiar refrain if you’re a risk manager. The slot for the update on the risk register gets pushed to one side. Or your data is dismissed out of hand because someone doesn’t like what they’re hearing. Or you simply get shouted down.

Why your contingency plans will fail

Wed, 29 Jan 2020 00:00:00 +0000

You need to fix a fatal assumption

Most organizations and groups have contingency plans in place for when things go wrong. So do many families and individuals. They’ve spent the time thinking about what to do if someone gets sick, a product launch fails, a vehicle crashes, or there’s a fire.

The problem is that most of these plans will fail because they’re based on a completely false and unrealistic assumption.

Short on resources? Here’s where to apply your focus

Sun, 24 Nov 2019 00:00:00 +0000

Effective execution is a matter of dealing with scarcity: a scarcity of time, a scarcity of resources, and scarcity of information (although too much information can also cause problems). Tools like a risk assessment help manage this scarcity by prioritizing things to allow you to better allocate resources on what’s most important.

But there’s a hidden flaw in this process which often means that resources are misallocated, and the most important things are overlooked.

How less data can give you better results

Sun, 17 Nov 2019 00:00:00 +0000

“Hi, I’m Andrew, and I have a weakness for data.”

There, I said it.

I love spreadsheets. I love national statistics. I love primary sources.

I could probably have completed my Master’s dissertation without an extension if I had just accepted that cited quotes were valid instead of looking for all the original sources*. And I don’t need to read the last three years of a company’s annual reports before I have a 20-minute call with them.

It’s the destination, not the journey

Sun, 10 Nov 2019 00:00:00 +0000

A while back, I felt that pretty much everything was out of sync and I was highly disorganized. There was a growing list of undone things whether that was around the house, at work, with my family, or at the places where I volunteer.

It was definitely time for a reorganization.

A few weeks later, things were back in order (I even had time to write again), and a big part of my reorganization was refocussing on the systems I use for productivity.

Get SMART about your risk mitigation

Sat, 21 Sep 2019 00:00:00 +0000

Often, the end of the risk assessment feels like the end of the process and things start to ease off. Unfortunately, this is when the real work begins because, now that you have identified and prioritized your risks, you need to do something about them.

There are several options when it comes to dealing with a risk but it’s risk treatments I want to focus on here. These often go askew when mitigation measures aren’t designed carefully. This wastes resources and the risks aren’t reduced.

Repair the roof while the sun is shining

Mon, 05 Aug 2019 00:00:00 +0000

Back in his 1962 State Of The Union Address, JFK noted that “the best time to repair the roof is when the sun is shining.” He was making the point that the US needed to make harder economic decisions while the economy was strong rather than trying to implement cuts and structural changes during a downturn.

However, this idea extends well beyond economics and is something we should apply whenever there is a difficult decision to make. There will be times where something truly unexpected crops up and we don’t have much chance to plan beforehand but, in most situations, we can plan ahead. The critical thing is that hard decisions are much easier to tackle when you aren’t already in the middle of a stressful situation.

Decision Points: Prepare for Life’s Big Decisions

Mon, 08 Jul 2019 00:00:00 +0000

Right or left? The red pill or the blue pill? Speak up or stay quiet? Should I stay or should I go?

A decision point is a moment when a significant choice presents itself and the decision made will result in a significant change of course that cannot be undone easily. Moreover, that same choice or option is unlikely to reemerge in the future. The essential elements are that the decision is significant, non-repeatable, and non-reversible.

They Might Not Want a Hammer: How to Understand an Organization

Tue, 28 May 2019 00:00:00 +0000

One of the things I’ve enjoyed most as a consultant is having the opportunity to learn about organizations from a wide variety of sectors. These have ranged from schools, NGOs and the private offices of high net-worth individuals to Fortune Five oil and gas companies and governments. On the one hand, I’ve discovered that there are considerable similarities in all organizations, no matter their sector or size. However, I’ve also become acutely aware that the things that make the most significant difference – good or bad – are often very subtle.

Assessments without metrics

Mon, 20 May 2019 00:00:00 +0000

“Without data, you’re just another person with an opinion.”

[W. Edwards Deming](http:// https://deming.org/deming/deming-the-man), US academic and father of the continuous quality improvement movement in the US.*

A big part of the risk assessment process is the risk assessment, and a large part of that is usually the risk analysis. The problems is that this involves metrics and math which people often find challenging for two reasons.

Firstly, the math can be fuzzy and complicated to follow.

Get ready for a punch

Thu, 16 May 2019 00:00:00 +0000

There are two times you get punched: when you’re expecting it and when you aren’t. Sometimes you know what’s coming, but there might also be times where you get punched, seemingly out of nowhere.

Spoiler for those that haven’t tried this: getting punched hurts, no matter what.

The question is, what can you do to make it hurt less?

In some ways, knowing you’re going to get punched is worse because you know what’s coming. I’ve only boxed a couple of times, but it turns out that the ring is really (really, really!) small. Half the people in there want to hurt you, and the other half isn’t going to stop them. You also realize that three minutes getting hit by someone feels a lot longer than three minutes of Game of Thrones.

How to think about time to make real progress

Thu, 09 May 2019 00:00:00 +0000

Gary Vaynerchuk uses the term micro speed: macro patience to describe his approach to business. This goes a long way to explain the seeming contradiction between his 100-miles-an-hour life and his Zen-like view of when things will come good.

Looking back on the last two and a half years working mostly for myself, this is a useful mindset for anyone who’s starting out on their own, part of a startup or busy small business.

Structure, Silence and Lots and Lots of Notes: How to Conduct an Effective Interview

Mon, 29 Apr 2019 00:00:00 +0000

“Well, there was the kidnapping. Is that something you’re interested in?”

It was our last day of a week-long site security survey. We were meeting with the site manager to wrap up our visit but this was the first time we had heard anything about something as serious as this.

So yes, a kidnapping was something we were very, very interested in learning about….

I have no idea why it hadn’t come up before: we had conducted dozens of other interviews that week and had dozens of pages of notes. However, it almost didn’t come up at all: at this late stage, we were going to skip the interview and go straight into a review of our findings.

How to Plan a Risk Assessment

Mon, 22 Apr 2019 00:00:00 +0000

I’ve written before about how you need to have a clear idea of what you’re trying to achieve with your risk assessment and to get everyone onto the same page. Without this kind of understanding, it’s very unlikely that you will complete the assessment in the time available. Even if you do, you might not have answered the original question.

So you need to plan your assessment properly but what does that look like? Here’s a short five-step process to make sure that you are well-prepared for your assessment before you ask the first question or open up a spreadsheet.

Stop thinking about risk in two-dimensions

Mon, 15 Apr 2019 00:00:00 +0000

There are lots of different methodologies for assessing or breaking down a risk. The most common is a two-factor approach where the likelihood and potential impact of an event combine to create a risk.

Likelihood (of the thing) + Impact (how the thing affects you) = risk

This is what’s used for The World’s Simplest Risk Model.

However, this two-dimensional approach leaves out one thing. Sometimes there are barriers between the event or threat and you. So in addition to the event and its potential impact, there’s the concept of vulnerability or exposure: factors that make you more or less susceptible to the event. These can be passive factors – e.g. physical distance – or active measures you’ve taken to reduce your vulnerability to an event.

Now you understand your risk – what’s next?

Mon, 08 Apr 2019 00:00:00 +0000

Naturally, a lot of time and effort in risk management goes into understanding the risks that you face. After all, if you don’t understand what you’re up against, there’s not a lot of risk management to be done. However, even when you complete a comprehensive risk assessment, this is just the beginning of the process. Now the real work starts and you have to answer the big question.

What do we do next?

This is your brain on risk

Mon, 01 Apr 2019 00:00:00 +0000

Original image – Partnership for a Drug-Free America

There are lots of things that are hard about risk and risk management: you are often dealing with abstracts and potential events; showing success can be challenging when your job sometimes means nothing happens; you might not be seen as adding value.

But the biggest challenges always seem to concern discussions about risk. These discussions are hard, even when we have set out clear definitions for what we mean by risk and have everyone on the same page theory-wise.

Getting threat categorization right

Mon, 25 Mar 2019 00:00:00 +0000

*Photo by Ula Kuźma on *Unsplash

To manage your risk management system, you need to have a way to categorize your threats. This is a key part of being able to structure your risk assessments and you need to identify a set of imaginary buckets or folders into which you can group similar threats.

But this also helps with information gathering as data on a specific threat category might be grouped together. It also assists when it’s time to address the risks as one action could help mitigate a whole category of threats. Finally, these categories will also help you identify trends and patterns and start to develop an overall picture of your risk environment.

The World’s Simplest Risk Model

Mon, 18 Mar 2019 00:00:00 +0000

In addition to the many different definitions for risk, there are lots of different ways to calculate risk. Having a way to assess a risk and ascribe a value is the core of any risk assessment: this valuation allows us to prioritize our risks and differentiate between those of low priority vs the higher, more urgent issues we need to deal with.

So we need a way to do these kinds of calculation but if we aren’t careful, we can end up with a model that’s too complicated for most people’s needs.

Your risk assessment’s a thermometer, not a crystal ball

Mon, 11 Mar 2019 00:00:00 +0000

If you’re cooking, you need a way to tell how hot the oven is. You won’t be able to tell the difference between 275oF and 325oF just by sticking your hand inside – both are going to feel hot to you – but this is the difference between a perfect, crunchy yet chewy meringue and something that’s dry and explodes into a pile of dust. So we use a thermometer to give us the information we need.

Linking risk assessments to decision-making

Mon, 04 Mar 2019 00:00:00 +0000

The point of risk management is to understand and react to the threats and opportunities that might affect your business. The problem is that risk management can often become dislocated from the mainstream business processes. Instead of being integrated into the organization, risk management takes place in a parallel but separate workstream: one that decision-makers dip into occasionally but generally look at as a specialized, technical process.

I’ve seen a similar thing happens with cybersecurity. Despite the fact that almost every business is now wholly dependent on a robust, secure and effective IT infrastructure, cyber security is still often seen as a ‘thing that IT does’. Even though cyber security is effectively supply chain security (plus a lot more), it isn’t thought of that way.

What’s your risk assessment for?

Tue, 26 Feb 2019 00:00:00 +0000

Up front, this seems like an easy question to answer.

‘It’s to help us understand our risks.’

That’s true but then, what? What comes next?

If we start a risk assessment with no clear idea of what it’s to be used for, we will end up with something that’s unfocussed and doesn’t provide the insight we need. Or we might end up losing our way as we get spread too thin trying to assess everything.

The minimum viable assessment

Mon, 18 Feb 2019 00:00:00 +0000

If you’ve ever read anything about software start-ups, you will have heard the term MVP (minimum viable product). The idea is that you create something that does the bare minimum necessary to allow you to test your idea.

This lean, minimalist approach lets you produce something quickly, test your assumptions and then use this feedback to go on to develop something more detailed or comprehensive. This is in contrast to building a fully functioning piece of software up front which might mean that you invest a significant amount of time and effort only to find out that you’ve missed the mark.

What’s risk?

Mon, 11 Feb 2019 00:00:00 +0000

‘risk – the effect of uncertainty on objectives’ ISO 73, Risk Management Definitions

A risk is something that will have an effect on your objectives, good or bad.

So you might have something that threatens your success (a downside risk) or an opportunity that could help you on your way (an upside risk).

There are lots of ways to break a risk into components but most include a combination of a thing that can happen (a threat or opportunity), how likely that thing is (the likelihood) and what its effect might be (the impact).

KISS – easy to say, harder to achieve

Mon, 04 Feb 2019 00:00:00 +0000

“That’s been one of my mantras – focus and simplicity. Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.” Steve Jobs

This quote sums up the paradox of simplicity – simple is hard.

Working out what the essentials are and how to do things efficiently isn’t just hard, it can seem like more work than just sticking with the complicated path in the first place.

The first thing you need to do in any risk conversation

Mon, 28 Jan 2019 00:00:00 +0000

You say either and I say either You say neither and I say neither Either, either, neither, neither Let’s call the whole thing off “Let’s call the whole thing off” George and Ira Gershwin

It’s good to have an idea of what you are going to be talking about before you start any discussion, but this is vitally important when you are talking about risk. The word is used conversationally and technically in lots of different ways so we need to be clear that we are all speaking the same language to avoid confusion later on.

Address your LOI before your ROI

Mon, 21 Jan 2019 00:00:00 +0000

As a risk manager, you will often be asked to explain the RoI (return on investment) of you, your team, even the whole risk management program.

Effective risk management can help an organization grasp an opportunity and realizing an upside risk should generate a positive RoI.

However, when you are focussed on shoring up a weak system, plugging gaps and minimizing risks, showing an RoI can be hard. Even so, an inability to show a positive RoI in a cost-conscious environment can threaten investment in your team. It can even make people question the value of the program as a whole.

Stay lean

Tue, 15 Jan 2019 00:00:00 +0000

‘Lean’ is a buzzword in software development describing an approach where you conduct lots of short, fast experiments and iterate depending on the outcome.

‘Lean’ also conjure up images of a racehorse or athlete. Fit, powerful and ready for peak performance.

‘Lean’ can also means stripped of anything superfluous and free of frills.

Your risk assessment process needs to include elements of all of these.

Your need a lean risk assessment process.

Your biggest risks are in the corners

Tue, 08 Jan 2019 00:00:00 +0000

Your biggest risks aren’t usually the ones staring you in the face

The big ticket items – the ones that are at the top of everyone’s list, the first thing the CEO wants to talk about – aren’t usually the biggest risk you’re facing.

These might be the biggest threats.

These might reflect everyone’s biggest fear.

But because these are so well known. Because these get so much attention, you’re probably spending a lot of time and effort on these risks. The result is thatthese are closely monitored, well mitigated and heavily managed so the resultant risk is relatively benign.

And theme for 2019 is…

Mon, 31 Dec 2018 00:00:00 +0000

It was the highpoint of a recent meeting with a large firm’s corporate security team. While we were showing them around DCDR, the CSO leaned over to a colleague and said

“I love the simplicity“.

Cue smiles from our side….

Our intent was always to make the best piece of risk management software possible and a key part of that was to keep things simple. However, as time goes on, it’s easy to lose sight of the original concept, to add ‘just one more feature’ and eventually end up with a Frankenstein’s monster which looks nothing like your original idea (and that everybody hates).

Stack the Odds in your Favor (I): How to Understand your Startup Risks

Sun, 02 Dec 2018 00:00:00 +0000

Failure is not Definitely an Option

People agree that starting a business is risky and although the failure rates might not be as dire as people like to say, 20% fail in their first year and only 50% make it to five years. A decade in, only 30% are still around (Stats courtesy of Fundera.).

A tech startup takes that to a whole new level because of the additional layers of uncertainty that technology imposes. Startup’s risks are significant.

Five Risk Assessment Problems that Threaten your Next Assessment

Thu, 01 Nov 2018 00:00:00 +0000

Conducting a risk assessment is a big project and, like any big project, there are a lot of things between you and success. However, there are five common risk assessment problems that crop up time and time again. These make the difference between success and failure no matter what else you do. Keep these five problems in mind and plan accordingly to maximize the chances of success with your next risk assessment.

10 Risk Management Skills to Master ASAP

Mon, 15 Oct 2018 00:00:00 +0000

I received an email a while back from someone just making their start in risk management asking if I had any thoughts or advice on the risk management skills they needed. The response quickly became several pages long and I thought it was worth turning it into a blog piece that others might benefit from. This could also be titled ‘Letter to a 30-year old me’ or a 40-year old me..

What is the difference between subjective and objective risk?

Thu, 11 Oct 2018 00:00:00 +0000

In some ways, all risks can be considered subjective for two reasons.

Firstly, how we perceive risks is a very personal matter based on in-built biases, the experiences we have had and our current situation.

An example from a well-known risk textbook is an icy sidewalk. A child might see that as a fun thing to slide on so their perception is that there is no risk. A retiree will perceive this as a high risk as their chance of falling and becoming injured is higher and more debilitating. If a kid falls, they usually just get up and carry on with what they are doing.

This time it isn’t different

Mon, 17 Sep 2018 00:00:00 +0000

Two major events are going to happen in US within the five years. One is a replay of the US subprime mortgage collapse which spawned the 2008 financial crisis. The other will occur when the bubble of college debt bursts. Both events – one of which may well trigger the other – will cause massive strain on US banks with potential global repercussions.

This isn’t a bold claim. There are lots of people, all of whom much more familiar with this kind of risk than I am, sounding similar alarm bells. For example, the day after I started writing this, the Financial Times’ editorial was on a similar topic. And there may be other significant events that occur in addition to these but making forecasts about what’s going to happen isn’t the point of this article.

Get Things Done this Month

Thu, 30 Aug 2018 00:00:00 +0000

Happy September!

I’m a big fan of September for several reasons: the weather is cooling down, vacation-time is over, fall race season is starting (well, it is normally) and there’s a lot of pie-ready fruit available (I love pie).

However, one reason I really like this month is that September is a great month for getting things done.

And if you have any plans to build or update your enterprise risk management system by the end of the year, this might be your last chance to get started.** **

The devil is the detail

Sun, 19 Aug 2018 00:00:00 +0000

We often say ‘the devil is in the detail’ meaning that it is the small things that will catch us out. But sometimes the problem begins by looking at the details in the first place.

Don’t get me wrong, I’m a fan of details. I believe the more planning and specificity you can put into something, the better. The problem occurs when we jump into the details too quickly. Instead of starting with a strategic perspective, we dive right into the weeds.

If it looks like a duck (or a snake)….

Sun, 29 Jul 2018 00:00:00 +0000

“The first rule of snakes [problems] is, if you see a snake, you kill it….Just take care of it” Jim Barksdale, former CEO Netscape

It’s rare for an event to be truly unexpected.

We know that our personal habits affect our health. We know that incorrect use of tools and machinery can cause injury. We know that small-scale corner-cutting leads to more serious infringements. We know that running complex systems – like drilling rigs or nuclear power stations – beyond established safe parameters can be catastrophic.

What is a risk mitigation plan?

Fri, 13 Jul 2018 00:00:00 +0000

This post originally appeared on Quora in response to the question ‘What is a risk mitigation plan?’ Link

What is a risk mitigation plan

The risk mitigation plan is a series of specific actions or steps you will take in response to a risk once you have completed your risk assessment. However, before you start to develop the mitigation plan in detail, you need to determine a general course of action based on one of five main options: avoid, tolerate, treat, transfer and terminate (A4T). Which of these is most applicable will depend on your risk tolerance (short term), risk appetite (longer term) and what you can reasonably achieve with the resources available (ALARP).

Convincing people to take risks

Fri, 06 Jul 2018 00:00:00 +0000

This post first appeared on Quora in response to the question ‘How do you convince people to take a risk in a company?’ Link.

How do you convince people to take a risk in a company?

Firstly, I don’t think we should ever push people to take risks that 1) they are uncomfortable with and 2) that don’t serve the company’s objectives.

However, I also know that sometimes people might overestimate and subsequently avoid a risk that might actually benefit them and the company. That is something we can help with.

Risk management and the security manager – a quick note

Sat, 30 Jun 2018 00:00:00 +0000

This post originally appeared on Quora in answer to the question “How does risk management fit in security risk management profession?” Link

How does risk management fit in security risk management profession?

Ideally, a security manager will use a risk management foundation for their security management system. This will help integrate security risks into the organization’s understanding of its overall risk environment. This focus also ensures that the security program is focussed on protecting the organization’s objectives which aligns with the ISO definition of risk:

Summer shorts

Fri, 29 Jun 2018 00:00:00 +0000

Summer’s here* which means it’s time for a change of pace and a chance to try something different for a couple of months. So instead of the normal longer-form pieces or interviews, I am going to stick to nice, short pieces for the next month or two. Perfect, bite-sized risk nibbles to keep your risk synapses firing during these long, hot days.

To start with, these will be re-posts of answers to questions posed on Quora which I have been trying to do more regularly. I’m really enjoying Quora for two reasons. Firstly, I don’t need to think about a subject (which I often find is the hardest part of writing). It’s right there, waiting for me. Secondly, it’s great practice in condensing and summarizing something that might otherwise become a 1,500-2,000 word essay.

Risk Management Maturity Tool Update

Mon, 11 Jun 2018 00:00:00 +0000

OK, I confess that this took me a little longer than I had hoped but I finally updated the risk management maturity tool to reflect the 2018 ISO 31000 risk management standard.

The new tool is available here and you can read my review of the standard here.

So if you were wondering how mature your risk management system was, wonder no longer!

The assessment only takes a few minutes and you get a nifty report like this emailed to you right away.

ISO 31000 – a review of the 2018 standard

Tue, 05 Jun 2018 00:00:00 +0000

Yawn!

Aside from GDPR-inspired emails with news of updated terms and conditions , this will be the most boring thing you will read all week….

*However, it might be one of the more important if you are a risk manager because one of the core risk management references has just been updated and there are a few changes to be aware of. *

I had to review these documents to ensure that my material was up to date so I thought I should keep some notes as I want to save you from having to go through the same ‘compare and contrast’ exercise. Plus, I love standards. : )

Meet the expert – a conversation with Nick Smart

Thu, 24 May 2018 00:00:00 +0000

Risks don’t just arise from operational incidents. Often the conduct of the organization and its senior leaders result in a type of risk that is very different but just as threatening as a large, physical event.

In this conversation with Nick Smart we explore the intersection of risk, ethics and governance. Nick is an independent strategic risk advisor and was the chief ethics and compliance officer (CECO) for a global energy services company, before which he designed and built the security risk management function for the same company in his capacity as chief security officer (CSO).

10 Tips For Crisis Management

Thu, 17 May 2018 00:00:00 +0000

I have been thinking about effective crisis management a lot recently and am working on a more in-depth piece on managing a crisis which I hope to publish soon. However, crises don’t wait until we are properly prepared before they strike so I put together this quick set of suggestions as a stop-gap.

Normally, I wouldn’t make a top-10 list but sometimes it’s the easiest way to share ideas. So here goes and I hope you find these suggestions useful.

Exhibit #A19670174000 – A Reminder to KISS

Thu, 10 May 2018 00:00:00 +0000

KISS – keep it simple stupid – was drilled into us in the military and it’s hard to unlearn some things. I still make my bed each morning – even in hotels – and always tuck in my shirt. However, KISS is more than a tired old army saying. The more I look around and think about it, the more keeping things simple seems to be the key to success. Importantly, the more complex and consequential something is, the more important it is to keep things simple.

How to Build a Crisis Management Plan

Thu, 12 Apr 2018 00:00:00 +0000

The WDYMB…Crisis? article explained what a crisis is and how these can arise. One of the most important points stressed is that crises are often avoidable and in many cases, survivable. Ultimately, this might come down to good luck and obviously the skills and abilities of the team responding play a big part. However, the chances of surviving a major event are significantly increased if the organization has prepared in advance. As far as a crisis is concerned, one of the key elements of this preparation is a crisis management plan (CMP). This article will explain what a CMP is, what it should contain and how you can develop one for your organization.

A Framework for a Risk Management System

Thu, 17 Aug 2017 00:00:00 +0000

Effective risk management requires a series of behaviors and attitudes to exist within an organization that make risk considerations prominent in day-to-day operations. This mindset alone will go a long way to making an organization more risk-led but a functioning risk management system is also required to develop, support and guide that mindset.

The specific system adopted by an organization will be influenced by a number of factors: the industry may have a series of regulatory requirements; the country in which it is headquartered will have applicable laws to follow; there will be cultural aspects which will differ from organization to organization; and individual sectors and industries have preferred approaches to risk management. That makes it difficult to prescribe what a risk management system will look like and even a review of the existing standards and common references can still leave the reader without a clear template to follow.

Risk Assessments Grading and Metrics

Fri, 24 Mar 2017 00:00:00 +0000

When we are conducting a risk assessment, we need a way to assess, grade and order risks to allow us to use this information for decision-making and to prioritize our actions. This article outlines some basic techniques that can be used for risk assessment grading and matrics. These basic examples lay the foundation for more complex sets of metrics that can be adapted for your organization and the specifics of the assessment. An example of the metrics used in the r = tvi construct and the risk calculation tool are included along with links to online tools that you can copy and use in your own assessments.

How to Conduct a Risk Assessment

Sat, 18 Mar 2017 00:00:00 +0000

*The risk assessment lies at the core of risk management. Without a clear understanding of the risks faced, none of the other risk management activities can be undertaken. This means that the organization will remain reactive instead of being able to take proactive steps informed by risk-based decision making. However, risk assessments have the potential to become hugely complex, sometimes becoming the only risk management activity that is undertaken, as organizations become exhausted by the assessment process and don’t conduct any of the follow-up activities. Detailed here is a four-phase risk assessment process that can be used for most non-technical assessments. *

What is Risk?

Fri, 24 Feb 2017 00:00:00 +0000

Risk and risk discussions are often hampered by inconsistent terminology and a high degree of subjectivity. To overcome this, we need to understand what we mean when we ask ‘what is risk?’. This article lays out a concept for risk using the ISO definition – the effect of uncertainty on objectives. It breaks individual risks into their three main components: threat, vulnerability and impact for downside risks or opportunity, and exposure and impact for upside risks. These concepts form the basis for all subsequent risk discussions and lay the groundwork for a risk assessment methodology.