The Buck Stops Here

As risk managers, we spend a lot of time working out how to get things done. After all, the risk assessment is just the start of the process. Once you’ve identified your risks and worked out how to address them, you need to get down to work: then the actual management part begins. Determining ownership for many risks will be relatively straightforward and departments will often fight very hard to maintain ownership of risks that fall within their remit. ...

August 5, 2020 · 3 min

Simple doesn’t mean easy

I realized a while back that it can be too easy to mistake ‘simple’ for ‘easy’ and I’ve been concerned that promoting a simple approach to risk management might lead people to think that this makes everything easy. Unfortunately, even though a KISS approach makes risk management easier, it doesn’t do away with the need for hard work altogether. Worst of all, it can be easy to mistake shortcuts for simplification. ...

July 19, 2020 · 3 min

Dealing with uncertainty in your risk assessment

Most of the risk assessment models I’ve discussed before use a basic formula to calculate a value for risk. By adding or multiplying values for the individual factors, you’ll get a numeric value for the risk itself. That’s going to allow you to put things into order and apply a color code or description. That gives you enough differentiation to start a risk-based discussion or determine where you need to focus your attention and resources. ...

July 12, 2020 · 9 min

Organizational smoke alarms: how to become more proactive

Many people have a few smoke alarms dotted around their house and, to me, these are some of the most straightforward set-it-and-forget-it risk management tools you can get. You set these up and then…nothing. You can forget about them until that annoying ‘chirp’ sound wakes you up one night, telling you to change the battery. And most people will never hear their smoke alarm go off except for those times that their cooking gets a little out of hand. ...

June 27, 2020 · 5 min

What’s a Black Swan & why you need contingency plans

I’m sure you’ve heard people referring to COVID-19 as a ‘Black Swan’ – something that no-one could have seen coming – but is that actually the case? Terrible though it is, I don’t think it’s accurate to describe the current situation as a Black Swan because we’ve had to deal with highly contagious, deadly diseases before. Calling this a ‘Black Swan’ is, therefore, a way to excuse a confused response: ‘how could we have prepared for something that no-one could see coming?’ ...

June 14, 2020 · 7 min

Practicing what I preach

A while back, I wrote something on the need to speak up, even when it’s hard. That’s something we face as risk managers, but it’s also a necessity in other parts of our lives. I’ve also written about how there are risks that are so big and uncomfortable that they’re left in the corner: we pretend not to see them. I even wrote a whole piece on Jim Barksdale’s rule about snakes: “The first rule of snakes is, if you see a snake…Just take care of it”. Basically, if you see a problem, don’t stand around staring, debating whether it’s real or not, just deal with it. ...

June 7, 2020 · 4 min

Just in Time Planning is a Myth

Just-in-time inventory is the idea that the materials you need arrive just as you need them. This approach cuts down on the cost of storage space and reduces the amount of inventory sitting around doing nothing. A just-in-time approach is very efficient but very fragile. If the supply chain hiccups and inventory gets delayed, the knock-on effects shudder through the whole supply chain. Just in time inventory works, until it doesn’t. Toyota discovered this in 1997 when a supplier’s factory burned down. Aisin Seiki was the sole-supplier of a critical part Toyota used in the majority of their vehicles, and the fire left them with just two-three days of inventory because of their just-in-time inventory system. Toyota’s recovery, which amounted to an almost national-mobilization of Japan’s industrial base, was incredible and taught manufacturers the world over many valuable lessons. ...

May 21, 2020 · 5 min

Trusting your Gut: Informed Intuition and Risk-Based Decision-Making

I was thinking a while back about the idea of informed intuition: cases when you seem to be trusting your intuition but, in fact, you’re recalling deeper experiences and patterns that help with your risk-based decision-making. As I was building upon this idea, it became clear that I wasn’t onto anything new but, instead, this has been explained in the work of, among others, Gary Klein and the RPD model. ...

May 16, 2020 · 7 min

This is the balance we’re trying to strike

In Amman, we’re in our 7th week of curfews, homeschooling, and weekend lockdowns, and things are starting to ease up so you can drive, the bigger stores are opening again, and in some people’s eyes, we can get back to normal. Unfortunately, as I’ve said previously, I don’t think we’re going back to how things were (‘normal’), and our ‘new normal’ requires some adjustments. Sadly, in some places, we’re treating the lifting of restrictions as an ‘all-clear’ which is only going to make things much worse. ...

May 5, 2020 · 3 min

The difficulty of proving a negative

I meant to write this piece a few months back, focusing on the first part. However, with the developments around COVID-19, I thought the second point was also relevant and timely. Plus, I thought it might do some good, but I’d love to know what you think. Please send me an email with your thoughts. Risk and security managers are often faced with the difficult task of defending the success of a risk management program with little or no supporting evidence. Ironically, the more successful a risk management program is, the less evidence there can be to demonstrate its effectiveness. So this success actually increases the perception that the program is unnecessary: after all, why have an expensive security program when you have few, if any, significant incidents? ...

April 12, 2020 · 4 min