Now you understand your risk – what’s next?

Naturally, a lot of time and effort in risk management goes into understanding the risks that you face. After all, if you don’t understand what you’re up against, there’s not a lot of risk management to be done. However, even when you complete a comprehensive risk assessment, this is just the beginning of the process. Now the real work starts and you have to answer the big question. What do we do next? ...

April 8, 2019 · 5 min

This is your brain on risk

Original image – Partnership for a Drug-Free America

There are lots of things that are hard about risk and risk management: you are often dealing with abstracts and potential events; showing success can be challenging when your job sometimes means nothing happens; you might not be seen as adding value. But the biggest challenges always seem to concern discussions about risk. These discussions are hard, even when we have set out clear definitions for what we mean by risk and have everyone on the same page theory-wise. ...

April 1, 2019 · 8 min

Getting threat categorization right

Photo by Ula Kuźma on Unsplash

To manage your risk management system, you need to have a way to categorize your threats. This is a key part of being able to structure your risk assessments and you need to identify a set of imaginary buckets or folders into which you can group similar threats. But this also helps with information gathering as data on a specific threat category might be grouped together. It also assists when it’s time to address the risks as one action could help mitigate a whole category of threats. Finally, these categories will also help you identify trends and patterns and start to develop an overall picture of your risk environment. ...

March 25, 2019 · 4 min

The World’s Simplest Risk Model

In addition to the many different definitions for risk, there are lots of different ways to calculate risk. Having a way to assess a risk and ascribe a value is the core of any risk assessment: this valuation allows us to prioritize our risks and differentiate between those of low priority vs the higher, more urgent issues we need to deal with. So we need a way to do these kinds of calculation but if we aren’t careful, we can end up with a model that’s too complicated for most people’s needs. ...

March 18, 2019 · 4 min

Your risk assessment’s a thermometer, not a crystal ball

If you’re cooking, you need a way to tell how hot the oven is. You won’t be able to tell the difference between 275°F and 325°F just by sticking your hand inside – both are going to feel hot to you – but this is the difference between a perfect, crunchy yet chewy meringue and something that’s dry and explodes into a pile of dust. So we use a thermometer to give us the information we need. ...

March 11, 2019 · 4 min

Linking risk assessments to decision-making

The point of risk management is to understand and react to the threats and opportunities that might affect your business. The problem is that risk management can often become dislocated from the mainstream business processes. Instead of being integrated into the organization, risk management takes place in a parallel but separate workstream: one that decision-makers dip into occasionally but generally look at as a specialized, technical process. I’ve seen a similar thing happen with cybersecurity. Despite the fact that almost every business is now wholly dependent on a robust, secure and effective IT infrastructure, cyber security is still often seen as a ‘thing that IT does’. Even though cyber security is effectively supply chain security (plus a lot more), it isn’t thought of that way. ...

March 4, 2019 · 3 min

What’s your risk assessment for?

Up front, this seems like an easy question to answer. ‘It’s to help us understand our risks.’ That’s true but then, what? What comes next? If we start a risk assessment with no clear idea of what it’s to be used for, we will end up with something that’s unfocussed and doesn’t provide the insight we need. Or we might end up losing our way as we get spread too thin trying to assess everything. ...

February 26, 2019 · 2 min

The minimum viable assessment

If you’ve ever read anything about software start-ups, you will have heard the term MVP (minimum viable product). The idea is that you create something that does the bare minimum necessary to allow you to test your idea. This lean, minimalist approach lets you produce something quickly, test your assumptions and then use this feedback to go on to develop something more detailed or comprehensive. This is in contrast to building a fully functioning piece of software up front which might mean that you invest a significant amount of time and effort only to find out that you’ve missed the mark. ...

February 18, 2019 · 3 min

What’s risk?

‘risk – the effect of uncertainty on objectives’ – ISO 73, Risk Management Definitions

A risk is something that will have an effect on your objectives, good or bad. So you might have something that threatens your success (a downside risk) or an opportunity that could help you on your way (an upside risk). There are lots of ways to break a risk into components but most include a combination of a thing that can happen (a threat or opportunity), how likely that thing is (the likelihood) and what its effect might be (the impact). ...

February 11, 2019 · 1 min

KISS – easy to say, harder to achieve

“That’s been one of my mantras – focus and simplicity. Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.” – Steve Jobs

This quote sums up the paradox of simplicity – simple is hard. Working out what the essentials are and how to do things efficiently isn’t just hard, it can seem like more work than just sticking with the complicated path in the first place. ...

February 4, 2019 · 3 min