<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Uncategorized on Andrew Sheves</title><link>https://andrewsheves.com/categories/uncategorized/</link><description>Recent content in Uncategorized on Andrew Sheves</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 13 Dec 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://andrewsheves.com/categories/uncategorized/index.xml" rel="self" type="application/rss+xml"/><item><title>Getting the Risk Assessment to Work For Us</title><link>https://andrewsheves.com/2024/12/13/getting-the-risk-assessment-to-work-for-us/</link><pubDate>Fri, 13 Dec 2024 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2024/12/13/getting-the-risk-assessment-to-work-for-us/</guid><description>&lt;p&gt;I’ve had a lot of conversations about risk assessments recently and just finished a new feature in the Decis platform, both of which prompted this thought: What if we have things backwards? What if our risk assessment updated us instead of the other way around?&lt;/p&gt;
&lt;p&gt;We spend days — sometimes weeks — building a comprehensive risk assessment to understand our risks and build mitigation measures. But these are snapshots in time and can quickly become overtaken by events. That’s when we move from risk management to incident management or, at a minimum, have to review our mitigation measures.&lt;/p&gt;</description></item><item><title>Why (and How) You Should Conduct an End of Year Risk Management Review</title><link>https://andrewsheves.com/2022/12/02/your-end-of-year-risk-management-review-2/</link><pubDate>Fri, 02 Dec 2022 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2022/12/02/your-end-of-year-risk-management-review-2/</guid><description>&lt;p&gt;For most people, this will be a busy time of the year: end-of-year performance reviews, last-minute budget planning, holiday parties, or a final push to achieve their annual goals. All of this adds up to a very busy time when all you want to do is take a break. &lt;/p&gt;
&lt;p&gt;However, there’s one other thing I’m going to suggest you squeeze in before you start next year’s ERM program.&lt;/p&gt;
&lt;h1 id="an-end-of-year-review"&gt;An end-of-year review&lt;/h1&gt;
&lt;p&gt;This review will neatly tie up everything you did over the past year and get you ready for the next.  And best of all, it’s something you can do in an afternoon.&lt;/p&gt;</description></item><item><title>Flirting with Disaster – a Book Review</title><link>https://andrewsheves.com/2022/10/24/flirting-with-disaster-a-review-2/</link><pubDate>Mon, 24 Oct 2022 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2022/10/24/flirting-with-disaster-a-review-2/</guid><description>&lt;p&gt;&lt;em&gt;My risk management master’s course had a heavy reading list as you’d expect but a lot of these set texts – and the course material itself – were pretty thick and not much fun.  However, I found a few books that I used alongside the course work which helped summarize a lot of the technical, academic stuff and, frankly, made it less dull.  I wanted to share a few of these with you beginning with a book about when and how things go wrong.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>10 Considerations for New Risk Managers</title><link>https://andrewsheves.com/2021/03/19/10-considerations-for-new-risk-managers/</link><pubDate>Fri, 19 Mar 2021 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2021/03/19/10-considerations-for-new-risk-managers/</guid><description>&lt;p&gt;&lt;em&gt;I received an email a few years ago from someone just getting started in risk management asking if I had any thoughts or advice on the risk management skills they needed.  The response quickly became several pages long and I thought it was worth turning it into a blog piece that others might benefit from.   So here are 10 considerations for new risk managers (although this could also be titled ‘Letter to a 30-year-old me’ or a 40-year-old me.)&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Practicing what I preach</title><link>https://andrewsheves.com/2020/06/07/practicing-what-i-preach/</link><pubDate>Sun, 07 Jun 2020 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2020/06/07/practicing-what-i-preach/</guid><description>&lt;p&gt;A while back, I wrote something on &lt;a href="https://andrewsheves.com/2020/03/09/speaking-up-is-hard-but-necessary/"&gt;the need to speak up, even when it’s hard&lt;/a&gt;. That’s something we face as risk managers, but it’s also a necessity in other parts of our lives.&lt;/p&gt;
&lt;p&gt;I’ve also written about how &lt;a href="https://andrewsheves.com/2019/01/08/your-biggest-risks-are-in-the-corners/"&gt;there are risks that are so big and uncomfortable that they’re left in the corner: we pretend not to see them&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I even wrote a whole piece on &lt;a href="https://andrewsheves.com/2018/07/29/if-it-looks-like-a-duck-or-a-snake/"&gt;Jim Barksdale’s rule about snakes&lt;/a&gt;: &lt;em&gt;“The first rule of snakes is, if you see a snake…Just take care of it”&lt;/em&gt;. Basically, if you see a problem, don’t stand around staring, debating whether it’s real or not, just deal with it.&lt;/p&gt;</description></item><item><title>Just in Time Planning is a Myth</title><link>https://andrewsheves.com/2020/05/21/just-in-time-planning-is-a-myth/</link><pubDate>Thu, 21 May 2020 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2020/05/21/just-in-time-planning-is-a-myth/</guid><description>&lt;p&gt;Just-in-time inventory is the idea that the materials you need arrive just as you need them. This approach cuts down on the cost of storage space and reduces the amount of inventory sitting around doing nothing. A just-in-time approach is very efficient but very fragile.&lt;/p&gt;
&lt;p&gt;If the supply chain hiccups and inventory gets delayed, the knock-on effects shudder through the whole supply chain.&lt;/p&gt;
&lt;h2 id="just-in-time-inventory-works-until-it-doesnt"&gt;Just in time inventory works, until it doesn’t&lt;/h2&gt;
&lt;p&gt;Toyota discovered this in 1997 when a supplier’s factory burned down. Aisin Seiki was the sole supplier of a critical part Toyota used in the majority of their vehicles, and the fire left them with just two to three days of inventory because of their just-in-time inventory system. Toyota’s recovery, which amounted to an almost national mobilization of Japan’s industrial base, was incredible and taught manufacturers the world over many valuable lessons.&lt;/p&gt;</description></item><item><title>This is your brain on risk</title><link>https://andrewsheves.com/2019/04/01/this-is-your-brain-on-risk/</link><pubDate>Mon, 01 Apr 2019 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2019/04/01/this-is-your-brain-on-risk/</guid><description>&lt;p&gt;&lt;em&gt;Original image – Partnership for a Drug-Free America&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;There are lots of things that are hard about risk and risk management: you are often dealing with abstracts and potential events; showing success can be challenging when your job sometimes means nothing happens; &lt;a href="https://andrewsheves.com/2019/01/21/address-your-loi-before-your-roi/"&gt;you might not be seen as adding value.&lt;/a&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;But the biggest challenges always seem to concern discussions about risk. These discussions are hard, even when we have set out clear definitions for what we mean by risk and have everyone on the same page theory-wise.&lt;/p&gt;</description></item><item><title>Your risk assessment’s a thermometer, not a crystal ball</title><link>https://andrewsheves.com/2019/03/11/your-risk-assessments-a-thermometer-not-a-crystal-ball/</link><pubDate>Mon, 11 Mar 2019 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2019/03/11/your-risk-assessments-a-thermometer-not-a-crystal-ball/</guid><description>&lt;p&gt;If you’re cooking, you need a way to tell how hot the oven is.  You won’t be able to tell the difference between 275°F and 325°F just by sticking your hand inside – both are going to feel hot to you – but this is the difference between &lt;a href="https://www.epicurious.com/recipes/food/views/meringues-234238"&gt;a perfect, crunchy yet chewy meringue&lt;/a&gt; and something that’s dry and explodes into a pile of dust. So we use a thermometer to give us the information we need.&lt;/p&gt;</description></item><item><title>Your biggest risks are in the corners</title><link>https://andrewsheves.com/2019/01/08/your-biggest-risks-are-in-the-corners/</link><pubDate>Tue, 08 Jan 2019 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2019/01/08/your-biggest-risks-are-in-the-corners/</guid><description>&lt;p&gt;&lt;strong&gt;Your biggest risks aren’t usually the ones staring you in the face&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The big ticket items – the ones that are at the top of everyone’s list, the first thing the CEO wants to talk about – aren’t usually the biggest risk you’re facing.&lt;/p&gt;
&lt;p&gt;These might be the biggest threats.&lt;/p&gt;
&lt;p&gt;These might reflect &lt;a href="https://dcdr.io/2017/04/03/wdymb-risk-perception-and-risk-communication/"&gt;everyone’s biggest fear&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;But because these are so well known and get so much attention, you’re probably already spending a lot of time and effort on them. The result is that &lt;a href="https://dcdr.io/2017/04/28/wdymbaddress-risks/"&gt;these are closely monitored, well mitigated and heavily managed&lt;/a&gt;, so the residual risk is relatively benign.&lt;/p&gt;</description></item><item><title>And theme for 2019 is…</title><link>https://andrewsheves.com/2018/12/31/and-theme-for-2019-is/</link><pubDate>Mon, 31 Dec 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/12/31/and-theme-for-2019-is/</guid><description>&lt;p&gt;It was the high point of a recent meeting with a large firm’s corporate security team.  While we were showing them around DCDR, the CSO leaned over to a colleague and said&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;“&lt;em&gt;I love the simplicity&lt;/em&gt;”.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Cue smiles from our side….&lt;/p&gt;
&lt;p&gt;Our intent was always to make the best piece of risk management software possible and a key part of that was to keep things simple. However, as time goes on, it’s easy to lose sight of the original concept, to add ‘just one more feature’ and eventually &lt;a href="https://www.newyorker.com/magazine/2018/11/12/why-doctors-hate-their-computers"&gt;end up with a Frankenstein’s monster which looks nothing like your original idea (and that everybody hates)&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Stack the Odds in your Favor (I): How to Understand your Startup Risks</title><link>https://andrewsheves.com/2018/12/02/understand-your-startup-risks/</link><pubDate>Sun, 02 Dec 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/12/02/understand-your-startup-risks/</guid><description>
&lt;h2 id="failure-is-notdefinitely-an-option"&gt;Failure is not Definitely an Option&lt;/h2&gt;
&lt;p&gt;People agree that starting a business is risky and although the failure rates might not be as dire as people like to say, 20% fail in their first year and only 50% make it to five years. A decade in, only 30% are still around (&lt;a href="https://www.fundera.com/blog/what-percentage-of-small-businesses-fail"&gt;Stats courtesy of Fundera.&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;A tech startup takes that to a whole new level because of the additional layers of uncertainty that technology imposes. A startup’s risks are significant.&lt;/p&gt;</description></item><item><title>Five Risk Assessment Problems that Threaten your Next Assessment</title><link>https://andrewsheves.com/2018/11/01/five-risk-assessment-problems-to-fix/</link><pubDate>Thu, 01 Nov 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/11/01/five-risk-assessment-problems-to-fix/</guid><description>&lt;p&gt;Conducting a risk assessment is a big project and, like any big project, there are a lot of things between you and success.  However, there are five common risk assessment problems that crop up time and time again. These make the difference between success and failure no matter what else you do.  Keep these five problems in mind and plan accordingly to maximize the chances of success with your next risk assessment.&lt;/p&gt;</description></item><item><title>10 Risk Management Skills to Master ASAP</title><link>https://andrewsheves.com/2018/10/15/10-risk-management-skills-to-master/</link><pubDate>Mon, 15 Oct 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/10/15/10-risk-management-skills-to-master/</guid><description>&lt;p&gt;&lt;em&gt;I received an email a while back from someone just making their start in risk management asking if I had any thoughts or advice on the risk management skills they needed.  The response quickly became several pages long and I thought it was worth turning it into a blog piece that others might benefit from.   
This could also be titled ‘Letter to a 30-year-old me’ or a 40-year-old me.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>What is the difference between subjective and objective risk?</title><link>https://andrewsheves.com/2018/10/11/what-is-the-difference-between-subjective-and-objective-risk/</link><pubDate>Thu, 11 Oct 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/10/11/what-is-the-difference-between-subjective-and-objective-risk/</guid><description>&lt;p&gt;In some ways, all risks can be considered &lt;strong&gt;subjective&lt;/strong&gt; for two reasons.&lt;/p&gt;
&lt;p&gt;Firstly, how we perceive risks is a very personal matter based on in-built biases, the experiences we have had and our current situation.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;An example from a well-known risk textbook is an icy sidewalk. A child might see that as a fun thing to slide on so their &lt;em&gt;perception&lt;/em&gt; is that there is no risk. A retiree will perceive this as a high risk as their chance of falling and becoming injured is higher and more debilitating. If a kid falls, they usually just get up and carry on with what they are doing.&lt;/p&gt;</description></item><item><title>This time it isn’t different</title><link>https://andrewsheves.com/2018/09/17/this-time-it-isnt-different/</link><pubDate>Mon, 17 Sep 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/09/17/this-time-it-isnt-different/</guid><description>&lt;p&gt;Two major events are going to happen in the US within the next five years.  One is a replay of the US subprime mortgage collapse which spawned the 2008 financial crisis.  The other will occur when the bubble of college debt bursts. Both events – one of which may well trigger the other – will cause massive strain on US banks with potential global repercussions.&lt;/p&gt;
&lt;p&gt;This isn’t a bold claim.  There are lots of people, all of whom are much more familiar with this kind of risk than I am, sounding similar alarm bells.  For example, the day after I started writing this, the Financial Times’ editorial was on a similar topic. And there may be other significant events that occur in addition to these, but making forecasts about what’s going to happen isn’t the point of this article.&lt;/p&gt;</description></item><item><title>Get Things Done this Month</title><link>https://andrewsheves.com/2018/08/30/get-things-done-this-month/</link><pubDate>Thu, 30 Aug 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/08/30/get-things-done-this-month/</guid><description>&lt;p&gt;Happy September!&lt;/p&gt;
&lt;p&gt;I’m a big fan of September for several reasons: the weather is cooling down, vacation-time is over, fall race season is starting (well, it is normally) and there’s a lot of pie-ready fruit available (I love pie). &lt;/p&gt;
&lt;p&gt;However, one reason I really like this month is that September is a great month for getting things done.  &lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;And if you have any plans to build or update your enterprise risk management system by the end of the year, this might be your last chance to get started.&lt;/p&gt;</description></item><item><title>The devil is the detail</title><link>https://andrewsheves.com/2018/08/19/develop-a-strategic-perspective/</link><pubDate>Sun, 19 Aug 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/08/19/develop-a-strategic-perspective/</guid><description>&lt;p&gt;We often say ‘the devil is in the detail’ meaning that it is the small things that will catch us out.  But sometimes the problem begins by looking at the details in the first place.&lt;/p&gt;
&lt;p&gt;Don’t get me wrong, I’m a fan of details.  I believe the more planning and specificity you can put into something, the better. The problem occurs when we jump into the details too quickly. Instead of starting with a strategic perspective, we dive right into the weeds.&lt;/p&gt;</description></item><item><title>If it looks like a duck (or a snake)….</title><link>https://andrewsheves.com/2018/07/29/if-it-looks-like-a-duck-or-a-snake/</link><pubDate>Sun, 29 Jul 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/07/29/if-it-looks-like-a-duck-or-a-snake/</guid><description>&lt;blockquote&gt;
&lt;p&gt;“The first rule of snakes [problems] is, if you see a snake, you kill it….Just take care of it”
&lt;a href="https://hbr.org/2014/06/dont-play-with-dead-snakes-and-other-management-advice"&gt;Jim Barksdale, former CEO Netscape&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;It’s rare for an event to be truly unexpected.&lt;/p&gt;
&lt;p&gt;We know that our personal habits affect our health. We know that incorrect use of tools and machinery can cause injury. We know that small-scale corner-cutting leads to more serious infringements. We know that running complex systems – like drilling rigs or nuclear power stations – beyond established safe parameters can be catastrophic.&lt;/p&gt;</description></item><item><title>What is a risk mitigation plan?</title><link>https://andrewsheves.com/2018/07/13/what-is-a-risk-mitigation-plan/</link><pubDate>Fri, 13 Jul 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/07/13/what-is-a-risk-mitigation-plan/</guid><description>&lt;p&gt;&lt;em&gt;This post originally appeared on Quora in response to the question ‘What is a risk mitigation plan?’ &lt;a href="https://www.quora.com/What-is-a-risk-mitigation-plan"&gt;Link&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;h1 id="what-is-a-risk-mitigation-plan"&gt;What is a risk mitigation plan&lt;/h1&gt;
&lt;p&gt;The risk mitigation plan is a series of specific actions or steps you will take in response to a risk once you have &lt;a href="https://dcdr.io/2017/03/18/risk-assessment-process-how-to-conduct-a-risk-assessment/"&gt;completed your risk assessment&lt;/a&gt;.  However, before you start to develop the mitigation plan in detail, you need to determine a general course of action based on one of five main options: &lt;strong&gt;avoid, tolerate, treat, transfer&lt;/strong&gt; and &lt;strong&gt;terminate&lt;/strong&gt; (A4T). Which of these is most applicable will depend on your risk tolerance (short term), risk appetite (longer term) and what you can reasonably achieve with the resources available (as low as reasonably practicable, or ALARP).&lt;/p&gt;</description></item><item><title>Convincing people to take risks</title><link>https://andrewsheves.com/2018/07/06/convincing-people-to-take-risks/</link><pubDate>Fri, 06 Jul 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/07/06/convincing-people-to-take-risks/</guid><description>&lt;p&gt;&lt;em&gt;This post first appeared on Quora in response to the question ‘How do you convince people to take a risk in a company?’ &lt;a href="https://www.quora.com/How-do-you-convince-people-to-take-a-risk-in-a-company"&gt;Link&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;h1 id="how-do-you-convince-people-to-take-a-risk-in-a-company"&gt;How do you convince people to take a risk in a company?&lt;/h1&gt;
&lt;p&gt;Firstly, I don’t think we should ever push people to take risks that 1) they are uncomfortable with and 2) that don’t serve the company’s objectives.&lt;/p&gt;
&lt;p&gt;However, I also know that sometimes people might overestimate and subsequently avoid a risk that might actually benefit them and the company. That is something we can help with.&lt;/p&gt;</description></item><item><title>Risk management and the security manager – a quick note</title><link>https://andrewsheves.com/2018/06/30/risk-management-and-the-security-manager-a-quick-note/</link><pubDate>Sat, 30 Jun 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/06/30/risk-management-and-the-security-manager-a-quick-note/</guid><description>&lt;p&gt;&lt;em&gt;This post originally appeared on Quora in answer to the question “How does risk management fit in security risk management profession?” &lt;a href="https://www.quora.com/How-does-risk-management-fit-in-security-risk-management-profession/answer/Andrew-Sheves-2"&gt;Link&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="how-does-risk-management-fit-in-security-risk-management-profession"&gt;How does risk management fit in security risk management profession?&lt;/h2&gt;
&lt;p&gt;Ideally, a security manager will use a risk management foundation for their security management system.  This will help integrate security risks into the organization’s understanding of its overall risk environment.  It also ensures that the security program is focused on protecting the organization’s objectives, which aligns with the ISO definition of risk:&lt;/p&gt;
&lt;p&gt;To start with, these will be re-posts of answers to questions posed on Quora which I have been trying to do more regularly.  I’m really enjoying Quora for two reasons.  Firstly, I don’t need to think about a subject (which I often find is the hardest part of writing). It’s right there, waiting for me.  Secondly, it’s great practice in condensing and summarizing something that might otherwise become a 1,500-2,000 word essay.&lt;/p&gt;</description></item><item><title>Risk Management Maturity Tool Update</title><link>https://andrewsheves.com/2018/06/11/risk-management-maturity-tool-update/</link><pubDate>Mon, 11 Jun 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/06/11/risk-management-maturity-tool-update/</guid><description>&lt;p&gt;OK, I confess that this took me a little longer than I had hoped but I finally updated the risk management maturity tool to reflect the 2018 ISO 31000 risk management standard.&lt;/p&gt;
&lt;p&gt;The new tool is available &lt;a href="https://dcdr.io/tools/apps-erm/"&gt;here&lt;/a&gt; and you can &lt;a href="https://dcdr.io/2018/06/05/iso-31000-a-review-of-the-2018-standard/"&gt;read my review of the standard here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Risk maturity assessment report image" loading="lazy" src="https://andrewsheves.com/img/304e0ae8_risk-maturity-assessment-report-image-3301825754-1528283866422.png"&gt;So if you were wondering how mature your risk management system was, wonder no longer!&lt;/p&gt;
&lt;p&gt;The assessment only takes a few minutes and you get a nifty report like this emailed to you right away.&lt;/p&gt;</description></item><item><title>ISO 31000 – a review of the 2018 standard</title><link>https://andrewsheves.com/2018/06/05/iso-31000-a-review-of-the-2018-standard/</link><pubDate>Tue, 05 Jun 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/06/05/iso-31000-a-review-of-the-2018-standard/</guid><description>
&lt;h2 id="yawn"&gt;Yawn!&lt;/h2&gt;
&lt;p&gt;Aside from GDPR-inspired emails with news of updated terms and conditions, this will be the most boring thing you will read all week….&lt;/p&gt;
&lt;p&gt;&lt;em&gt;However, it might be one of the more important things you read if you are a risk manager, because one of the core risk management references has just been updated and there are a few changes to be aware of.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;I had to review these documents to ensure that my material was up to date so I thought I should keep some notes as I want to save you from having to go through the same ‘compare and contrast’ exercise. &lt;a href="https://dcdr.io/2018/01/15/i-love-and-hate-standards-you-should-too/"&gt;Plus, I love standards.&lt;/a&gt;  : )&lt;/p&gt;</description></item><item><title>Meet the expert – a conversation with Nick Smart</title><link>https://andrewsheves.com/2018/05/24/meet-the-expert-a-conversation-with-nick-smart/</link><pubDate>Thu, 24 May 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/05/24/meet-the-expert-a-conversation-with-nick-smart/</guid><description>&lt;p&gt;Risks don’t just arise from operational incidents.  Often the conduct of the organization and its senior leaders result in a type of risk that is very different but just as threatening as a large, physical event.&lt;/p&gt;
&lt;p&gt;In this conversation with Nick Smart we explore the intersection of &lt;a href="https://dcdr.io/2017/08/23/risk-governance/"&gt;risk, ethics and governance&lt;/a&gt;.  Nick is an independent strategic risk advisor and was the chief ethics and compliance officer (CECO) for a global energy services company, before which he designed and built the security risk management function for the same company in his capacity as chief security officer (CSO).&lt;/p&gt;</description></item><item><title>Exhibit #A19670174000 – A Reminder to KISS</title><link>https://andrewsheves.com/2018/05/10/exhibit-a19670174000-a-reminder-to-kiss/</link><pubDate>Thu, 10 May 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/05/10/exhibit-a19670174000-a-reminder-to-kiss/</guid><description>&lt;p&gt;KISS – &lt;a href="https://en.wikipedia.org/wiki/KISS_principle#cite_note-BRich-3"&gt;keep it simple, stupid&lt;/a&gt; – was drilled into us in the military and it’s hard to unlearn some things.  I still make my bed each morning – even in hotels – and always tuck in my shirt.  However, KISS is more than a tired old army saying. The more I look around and think about it, the more keeping things simple seems to be the key to success. Importantly, the more complex and consequential something is, the more important it is to keep things simple.&lt;/p&gt;</description></item><item><title>Meet the expert – A conversation with Andy Cuerel</title><link>https://andrewsheves.com/2018/03/29/business-continuity-introduction/</link><pubDate>Thu, 29 Mar 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/03/29/business-continuity-introduction/</guid><description>&lt;p&gt;I have known &lt;a href="https://www.acbusinesscontinuity.co.uk/acbusinesscontinuity-about-acbc"&gt;Andy Cuerel&lt;/a&gt; for a number of years and have always appreciated his in-depth yet practical approach to business continuity management.  
So when it was time to have someone provide a high-level overview of BCM for Riskademy, Andy was an obvious choice.&lt;/p&gt;
&lt;p&gt;I hope our conversation helps clarify the relationship, and differences, between crisis management and business continuity management and gives you a good overview of BCM.  (If you missed the last few posts, you can &lt;a href="https://dcdr.io/2018/03/01/wdymbcrisis/"&gt;read more about crisis management here&lt;/a&gt;.)&lt;/p&gt;</description></item><item><title>Incident Response vs. Crisis vs. BCM – video</title><link>https://andrewsheves.com/2018/03/22/incident-response-vs-crisis-vs-bcm/</link><pubDate>Thu, 22 Mar 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/03/22/incident-response-vs-crisis-vs-bcm/</guid><description>&lt;p&gt;&lt;a href="https://dcdr.io/2018/03/01/wdymbcrisis/"&gt;The WDYMB…Crisis? article&lt;/a&gt;prompted a few questions concerning the interactions and relationship between crisis management, business continuity management and general response.  These relationships are complicated both in how these are managed and also because different disciples will view the relationships differently.  Below, there is a quick video I made to help explain the relationships as I described these in the article.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Spoiler – the graphic is a little busy so it is worth pausing the video to take a look at this before you listen to the whole thing.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>DCDR is live in beta</title><link>https://andrewsheves.com/2018/03/14/dcdr-is-live-in-beta-2/</link><pubDate>Wed, 14 Mar 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/03/14/dcdr-is-live-in-beta-2/</guid><description>
&lt;p&gt;After 15 years, it feels &lt;em&gt;very&lt;/em&gt; good to finally be able to write that.&lt;/p&gt;
&lt;p&gt;Take a look.  The video might be scrappy but the app isn’t.&lt;/p&gt;
&lt;p&gt;[Video: https://video.wordpress.com/embed/zX4Nf4zz?hd=0&amp;amp;autoPlay=0&amp;amp;permalink=1&amp;amp;loop=0&amp;amp;preloadContent=metadata&amp;amp;muted=0&amp;amp;playsinline=0&amp;amp;controls=1&amp;amp;cover=1]&lt;/p&gt;
&lt;p&gt;DCDR is live AND it has users.   It’s been a busy week.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://dcdr.youcanbook.me/"&gt;Schedule your demo&lt;/a&gt;&lt;/p&gt;</description></item><item><title>WDYMB…Crisis?</title><link>https://andrewsheves.com/2018/03/01/wdymbcrisis/</link><pubDate>Thu, 01 Mar 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/03/01/wdymbcrisis/</guid><description>&lt;h2 id="when-things-go-wrong"&gt;When things go wrong&lt;/h2&gt;
&lt;p&gt;Despite the best efforts of the risk manager and senior leadership, it’s still possible that things can go wrong for your organization. Processes aren’t followed or are applied incorrectly, mitigation measures turn out to be inadequate, something unforeseen happens or, as is so often the case, someone does something they shouldn’t. At one end of the spectrum are relatively common slips, trips or falls, minor fires, or the accidental deletion of data. More significant are the payment of bribes, cutting corners on regulations or a crass, offensive comment from an executive. At the extreme end of the spectrum are crisis events, situations that can strike a fatal blow to the organization: a chemical spill causing mass casualties, widespread fraud or a toxic culture of racism, sexism or other discrimination.&lt;/p&gt;</description></item><item><title>DCDR App demo – Feb 2018</title><link>https://andrewsheves.com/2018/02/20/apps-in-action-2/</link><pubDate>Tue, 20 Feb 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/02/20/apps-in-action-2/</guid><description>&lt;p&gt;I’ve just uploaded a short video showing one of the functional assessment apps in use.  Although the methodology is different from the full DCDR tool, the approach and functionality is very similar:&lt;/p&gt;
&lt;p&gt;Fast?  Check!&lt;/p&gt;
&lt;p&gt;Simple? Check!&lt;/p&gt;
&lt;p&gt;Easy to use? Check!&lt;/p&gt;
&lt;p&gt;So here’s a taster of what the DCDR app is going to look like. Enjoy!&lt;/p&gt;
&lt;p&gt;[Video: https://video.wordpress.com/embed/xThbiOro?hd=0&amp;amp;autoPlay=0&amp;amp;permalink=1&amp;amp;loop=0&amp;amp;preloadContent=auto&amp;amp;muted=0&amp;amp;playsinline=0&amp;amp;controls=1&amp;amp;cover=1]&lt;/p&gt;</description></item><item><title>DCDR Update – mid-February 2018</title><link>https://andrewsheves.com/2018/02/19/dcdr-update-mid-february-2018-2/</link><pubDate>Mon, 19 Feb 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/02/19/dcdr-update-mid-february-2018-2/</guid><description>&lt;p&gt;Opportunity overload continues to be the biggest threat to DCDR right now: I keep finding myself being seduced by thoughts of what the app &lt;em&gt;could&lt;/em&gt; do, rather than what the core feature set &lt;em&gt;should&lt;/em&gt; be. Luckily, I am getting good advice from Matt and from the several thousand hours of podcasts and interviews I have consumed. As usual, the problem isn’t getting the right advice.  Following the advice, however, is always more difficult.  I am finding Paul Graham’s advice particularly useful and his ‘&lt;a href="http://paulgraham.com/13sentences.html"&gt;Startups in 13 Sentences&lt;/a&gt;’ essay has become my roadmap.&lt;/p&gt;</description></item><item><title>I Love (and Hate) Standards – You Should Too</title><link>https://andrewsheves.com/2018/01/15/i-love-and-hate-standards-you-should-too/</link><pubDate>Mon, 15 Jan 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/01/15/i-love-and-hate-standards-you-should-too/</guid><description>&lt;p&gt;I confess to having a love/hate relationship with standards. On the plus side, having an agreed way of doing things is incredibly attractive: there is no need to spend long periods trying to design a system; terms, concepts and processes are shared; and collaboration between different groups is easy.  So when they work well, standards are great and definitely have a lot going for them.  Yay!&lt;/p&gt;
&lt;p&gt;However, there are also drawbacks.&lt;/p&gt;</description></item><item><title>Get your ERM System Ready for Next Year in just One Afternoon</title><link>https://andrewsheves.com/2017/12/20/your-end-of-year-risk-management-review/</link><pubDate>Wed, 20 Dec 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/12/20/your-end-of-year-risk-management-review/</guid><description>&lt;p&gt;For most people, this will be a busy time of the year: end-of-year performance reviews, last-minute budget planning, holiday parties or a final push to achieve their annual goals. All of this adds up to a very busy time when all you want to do is take a break. However, there’s one other thing I’m going to suggest you squeeze in before you start next year’s ERM program.&lt;/p&gt;</description></item><item><title>Meet the expert – Crisis Communications with Price Floyd</title><link>https://andrewsheves.com/2017/10/19/meet-the-expert-crisis-communications-with-price-floyd/</link><pubDate>Thu, 19 Oct 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/10/19/meet-the-expert-crisis-communications-with-price-floyd/</guid><description>&lt;h3 id="meet-the-expert--crisis-communications-with-price-floyd"&gt;Meet the expert – Crisis Communications with Price Floyd&lt;/h3&gt;
&lt;p&gt;We are kicking off our ‘meet the expert’ series with an interview with Price Floyd, the founder of the &lt;a href="https://www.engagingamericaproject.org/"&gt;Engaging America Project&lt;/a&gt; and an expert in risk and crisis communications. Price has over 25 years of experience in government and the private sector, and here he shares over a dozen key lessons he has learned, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The difference between communications in government and the private sector&lt;/li&gt;
&lt;li&gt;How digital media has improved crisis communications&lt;/li&gt;
&lt;li&gt;Why it’s too late to call the communications team when things start going wrong&lt;/li&gt;
&lt;li&gt;The number one skill for communicators&lt;/li&gt;
&lt;li&gt;Why it’s important to tend the garden (and what this means)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Watch the video to hear these and many more key lessons that you can put into action today.&lt;/p&gt;</description></item><item><title>10 quick thoughts on risk</title><link>https://andrewsheves.com/2017/10/01/10-quick-thoughts-on-risk/</link><pubDate>Sun, 01 Oct 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/10/01/10-quick-thoughts-on-risk/</guid><description>&lt;p&gt;I’m trying to improve my videos, so apologies for the quality, but here’s a quick video with 10 quick thoughts on risk management.&lt;/p&gt;
&lt;p&gt;[Video: https://video.wordpress.com/embed/zX8wUAWO?hd=0&amp;amp;autoPlay=0&amp;amp;permalink=1&amp;amp;loop=0&amp;amp;preloadContent=metadata&amp;amp;muted=0&amp;amp;playsinline=0&amp;amp;controls=1&amp;amp;cover=1]&lt;/p&gt;
&lt;p&gt;Let me know what you think!&lt;/p&gt;</description></item><item><title>A KISS Approach to Enterprise Security Risk Management</title><link>https://andrewsheves.com/2017/09/12/a-kiss-approach-to-enterprise-security-risk-management/</link><pubDate>Tue, 12 Sep 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/09/12/a-kiss-approach-to-enterprise-security-risk-management/</guid><description>&lt;p&gt;Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years. ASIS International has identified it as a strategic focus. However, a review of the literature, beginning with the &lt;a href="https://cso.asisonline.org/esrm/Documents/CSORT_ESRM_whitepaper_%20pt%201.pdf"&gt;2010 CSO roundtable paper on ESRM&lt;/a&gt;, raises two issues that could make ESRM implementation difficult.&lt;/p&gt;
&lt;p&gt;The initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO).&lt;/p&gt;</description></item><item><title>Risk Governance</title><link>https://andrewsheves.com/2017/08/23/risk-governance/</link><pubDate>Wed, 23 Aug 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/08/23/risk-governance/</guid><description>&lt;p&gt;&lt;em&gt;Completion of the assessment and development of risk mitigation strategies help the organization understand their risks and what it can do to bring these risks within the levels of its risk tolerance and appetite. The elements that ensure that these risks stay within the permissible levels are risk governance and system controls.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Controls are what help keep the system in equilibrium or prompt a reaction where things begin to deviate from ‘normal’. Governance provides oversight to ensure that the risk management system is operating properly and that risks are being identified, elevated and managed at the appropriate levels.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Integrating a Risk Management System into Your Organization</title><link>https://andrewsheves.com/2017/08/16/integrating-a-risk-management-system-into-your-organization/</link><pubDate>Wed, 16 Aug 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/08/16/integrating-a-risk-management-system-into-your-organization/</guid><description>&lt;p&gt;&lt;em&gt;Integrating a risk management system into your department or organization will be a major endeavor and, while there are significant benefits to making this change, the degree of effort required should not be underestimated. Moreover, the overall workload of the organization and other major initiatives that might also be underway are major considerations when planning ERM implementation. This article will refer to ERM systems, but the same principles will apply if the implementation is for a less expansive risk management system. Importantly, as a supporting function and not an operational activity, risk management must be shaped to fit the organization. It should not try to shape the organization to fit it. Implementing a risk management system requires thorough planning, a careful combination of change and project management, and a high degree of cultural sensitivity.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>WDYMB…Address Risks?</title><link>https://andrewsheves.com/2017/04/28/wdymbaddress-risks/</link><pubDate>Fri, 28 Apr 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/04/28/wdymbaddress-risks/</guid><description>&lt;p&gt;&lt;em&gt;&lt;a href="https://dcdr.io/2017/03/18/risk-assessment-process-how-to-conduct-a-risk-assessment/"&gt;Once an organization’s risks are understood&lt;/a&gt;, it is important that appropriate action is taken to address these risks to ensure that the organization’s objectives are protected or enhanced. Some risks are severe enough to require immediate action. Others can be dealt with in the short term, whereas some risks require longer-term attention over months or even years. This essay explores the key ideas and terms associated with addressing risks and outlines the steps to take to ensure that the appropriate action is taken once a risk is identified, concentrating on five main options: &lt;strong&gt;avoid, tolerate, treat, transfer&lt;/strong&gt; and &lt;strong&gt;terminate&lt;/strong&gt;.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>WDYMB…Risk Perception and Risk Communication?</title><link>https://andrewsheves.com/2017/04/03/wdymb-risk-perception-and-risk-communication/</link><pubDate>Mon, 03 Apr 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/04/03/wdymb-risk-perception-and-risk-communication/</guid><description>&lt;p&gt;&lt;em&gt;Complicated, subtle factors affect how we perceive risk and these can be exacerbated by the way we receive risk information. We refer to the ways we think about and react to risks as risk perception, and the processes for discussing risk as risk communication. Even when people are in the same or very similar situations, they may perceive the risks very differently. Similarly, different people listening to the same risk information will react to it differently depending on several factors that affect their perspective.
The overall result of this is “the general frustration experienced by both risk managers and affected parties in conveying and understanding risk information”.[i]&lt;/em&gt;&lt;/p&gt;</description></item><item><title>A Foundation for Risk Management</title><link>https://andrewsheves.com/2017/03/10/twelve-core-elements-for-risk-management/</link><pubDate>Fri, 10 Mar 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/03/10/twelve-core-elements-for-risk-management/</guid><description>&lt;p&gt;&lt;em&gt;In the simplest of terms, risk management helps you function in the real world. Organizations are under constant assault from both anticipated and unanticipated events which threaten to derail their plans. Risk management is what helps them understand, prepare for and react to these events. The largest firms will spend thousands of hours and billions of dollars on risk and compliance annually, and there are dozens of different standards or methodologies to help guide the risk manager. But what do you do if you are a small organization and there is no money for training or consulting? Or if risk management is the second or third responsibility on your job description – the one you never quite get around to?&lt;/em&gt;&lt;/p&gt;</description></item><item><title>WDYMB…Understanding?</title><link>https://andrewsheves.com/2017/03/03/wdymbunderstanding/</link><pubDate>Fri, 03 Mar 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/03/03/wdymbunderstanding/</guid><description>&lt;p&gt;&lt;em&gt;Understanding is not the same as having information – it is the process of putting that information into context to work out what it means in a particular situation. We conduct a similar process on a larger scale during the ‘understand’ stage of the risk management process. During this time, we build on our knowledge of an organization to understand the risks it faces.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The term ‘understand’ refers to both an activity and a stage in our risk management process. As an activity, understanding means relating information to a situation. Chess is often used as an illustration: I may know the names of the pieces on a chess board and what they can do, but still not understand chess. How the pieces interact, the set moves, the strategies and how to apply them are all necessary to understand the game. Understanding can be achieved by asking the questions ‘&lt;em&gt;why?&lt;/em&gt;’ or ‘&lt;em&gt;so what?&lt;/em&gt;’ until you run out of questions.&lt;/p&gt;</description></item></channel></rss>