Risk management and the security manager – a quick note

This post originally appeared on Quora in answer to the question “How does risk management fit in the security risk management profession?” Ideally, a security manager will use a risk management foundation for their security management system. This will help integrate security risks into the organization’s understanding of its overall risk environment. This focus also ensures that the security program is focused on protecting the organization’s objectives, which aligns with the ISO definition of risk: ...

June 30, 2018 · 2 min

Summer shorts

Summer’s here* which means it’s time for a change of pace and a chance to try something different for a couple of months. So instead of the normal longer-form pieces or interviews, I am going to stick to nice, short pieces for the next month or two. Perfect, bite-sized risk nibbles to keep your risk synapses firing during these long, hot days. To start with, these will be re-posts of answers to questions posed on Quora which I have been trying to do more regularly. I’m really enjoying Quora for two reasons. Firstly, I don’t need to think about a subject (which I often find is the hardest part of writing). It’s right there, waiting for me. Secondly, it’s great practice in condensing and summarizing something that might otherwise become a 1,500-2,000 word essay. ...

June 29, 2018 · 1 min

Risk Management Maturity Tool Update

OK, I confess that this took me a little longer than I had hoped but I finally updated the risk management maturity tool to reflect the 2018 ISO 31000 risk management standard. The new tool is available here and you can read my review of the standard here. So if you were wondering how mature your risk management system was, wonder no longer! The assessment only takes a few minutes and you get a nifty report like this emailed to you right away. ...

June 11, 2018 · 1 min

ISO 31000 – a review of the 2018 standard

Yawn! Aside from GDPR-inspired emails with news of updated terms and conditions, this will be the most boring thing you will read all week…. However, it might be one of the more important if you are a risk manager because one of the core risk management references has just been updated and there are a few changes to be aware of. I had to review these documents to ensure that my material was up to date so I thought I should keep some notes as I want to save you from having to go through the same ‘compare and contrast’ exercise. Plus, I love standards. : ) ...

June 5, 2018 · 8 min

Meet the expert – a conversation with Nick Smart

Risks don’t just arise from operational incidents. Often the conduct of the organization and its senior leaders results in a type of risk that is very different from, but just as threatening as, a large physical event. In this conversation with Nick Smart we explore the intersection of risk, ethics and governance. Nick is an independent strategic risk advisor and was the chief ethics and compliance officer (CECO) for a global energy services company, before which he designed and built the security risk management function for the same company in his capacity as chief security officer (CSO). ...

May 24, 2018 · 1 min

Exhibit #A19670174000 – A Reminder to KISS

KISS – keep it simple stupid – was drilled into us in the military and it’s hard to unlearn some things. I still make my bed each morning – even in hotels – and always tuck in my shirt. However, KISS is more than a tired old army saying. The more I look around and think about it, the more keeping things simple seems to be the key to success. Importantly, the more complex and consequential something is, the more important it is to keep things simple. ...

May 10, 2018 · 4 min

Meet the expert – A conversation with Andy Cuerel

I have known Andy Cuerel for a number of years and have always appreciated his in-depth yet practical approach to business continuity management. So when it was time to have someone provide a high-level overview of BCM for Riskademy, Andy was an obvious choice. I hope our conversation helps clarify the relationship, and differences, between crisis management and business continuity management and gives you a good overview of BCM. (If you missed the last few posts, you can read more about crisis management here.) ...

March 29, 2018 · 1 min

Incident Response vs. Crisis vs. BCM – video

The WDYMB…Crisis? article prompted a few questions concerning the interactions and relationship between crisis management, business continuity management and general response. These relationships are complicated both in how they are managed and because different disciplines will view the relationships differently. Below, there is a quick video I made to help explain the relationships as I described them in the article. Spoiler – the graphic is a little busy so it is worth pausing the video to take a look at it before you listen to the whole thing. ...

March 22, 2018 · 1 min

DCDR is live in beta

After 15 years, it feels very good to finally be able to write that. Take a look. The video might be scrappy but the app isn’t. DCDR is live AND it has users. It’s been a busy week. Schedule your demo

March 14, 2018 · 1 min

WDYMB…Crisis?

When things go wrong. Despite the best efforts of the risk manager and senior leadership, it’s still possible that things can go wrong for your organization. Processes aren’t followed or are applied incorrectly, mitigation measures turn out to be inadequate, something unforeseen happens or, as is so often the case, someone does something they shouldn’t. At one end of the spectrum are relatively common slips, trips or falls, minor fires, or the accidental deletion of data. More significant are the payment of bribes, cutting corners on regulations or a crass, offensive comment from an executive. At the extreme end of the spectrum are crisis events, situations that can strike a fatal blow to the organization: a chemical spill causing mass casualties, widespread fraud or a toxic culture of racism, sexism or other discrimination. ...

March 1, 2018 · 13 min