The World’s Simplest Risk Model

In addition to the many different definitions of risk, there are lots of different ways to calculate it. Having a way to assess a risk and ascribe a value to it is the core of any risk assessment: this valuation allows us to prioritize our risks and separate the low-priority ones from the higher, more urgent issues we need to deal with. So we need a way to do these kinds of calculation, but if we aren’t careful we can end up with a model that’s too complicated for most people’s needs. ...

March 18, 2019 · 4 min

Your risk assessment’s a thermometer, not a crystal ball

If you’re cooking, you need a way to tell how hot the oven is. You won’t be able to tell the difference between 275°F and 325°F just by sticking your hand inside – both are going to feel hot to you – but this is the difference between a perfect, crunchy yet chewy meringue and something that’s dry and explodes into a pile of dust. So we use a thermometer to give us the information we need. ...

March 11, 2019 · 4 min

Linking risk assessments to decision-making

The point of risk management is to understand and react to the threats and opportunities that might affect your business. The problem is that risk management can often become dislocated from the mainstream business processes. Instead of being integrated into the organization, risk management takes place in a parallel but separate workstream: one that decision-makers dip into occasionally but generally look at as a specialized, technical process. I’ve seen a similar thing happen with cybersecurity. Despite the fact that almost every business is now wholly dependent on a robust, secure and effective IT infrastructure, cyber security is still often seen as a ‘thing that IT does’. Even though cyber security is effectively supply chain security (plus a lot more), it isn’t thought of that way. ...

March 4, 2019 · 3 min

What’s your risk assessment for?

Up front, this seems like an easy question to answer. ‘It’s to help us understand our risks.’ That’s true but then, what? What comes next? If we start a risk assessment with no clear idea of what it’s to be used for, we will end up with something that’s unfocussed and doesn’t provide the insight we need. Or we might end up losing our way as we get spread too thin trying to assess everything. ...

February 26, 2019 · 2 min

The minimum viable assessment

If you’ve ever read anything about software start-ups, you will have heard the term MVP (minimum viable product). The idea is that you create something that does the bare minimum necessary to allow you to test your idea. This lean, minimalist approach lets you produce something quickly, test your assumptions and then use this feedback to go on to develop something more detailed or comprehensive. This is in contrast to building a fully functioning piece of software up front which might mean that you invest a significant amount of time and effort only to find out that you’ve missed the mark. ...

February 18, 2019 · 3 min

What’s risk?

‘risk – the effect of uncertainty on objectives’ (ISO 73, Risk Management Definitions)

A risk is something that will have an effect on your objectives, good or bad. So you might have something that threatens your success (a downside risk) or an opportunity that could help you on your way (an upside risk). There are lots of ways to break a risk into components but most include a combination of a thing that can happen (a threat or opportunity), how likely that thing is (the likelihood) and what its effect might be (the impact). ...

February 11, 2019 · 1 min
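The excerpts above describe the components of a risk (a threat or opportunity, its likelihood and its impact) and the need to turn them into a value that lets you prioritize. The following is an added example, not code from the blog or from the author’s app, showing the simplest version of that calculation over a small, constructed risk register. The 1–5 ordinal scales, the likelihood × impact score, the tie-break on impact and the sample risks are all assumptions made for illustration, not the author’s model.

```python
"""Added example: likelihood x impact scoring of a constructed risk register.

Assumptions (not from the original posts): 1-5 ordinal scales for likelihood
and impact, score = likelihood * impact, ties broken by impact so that a rare
catastrophe outranks a frequent nuisance with the same score.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed ordinal scale: 1 = very low ... 5 = very high


@dataclass(frozen=True)
class Risk:
    name: str            # the thing that can happen (a threat or an opportunity)
    likelihood: int      # how likely it is, on the assumed 1-5 scale
    impact: int          # what its effect might be, on the assumed 1-5 scale
    upside: bool = False # True for an opportunity, False for a threat

    def __post_init__(self):
        # Reject values off the scale so a typo cannot silently distort priority.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")


def score(risk: Risk) -> int:
    """The simplest model: likelihood multiplied by impact (range 1-25)."""
    return risk.likelihood * risk.impact


def prioritise(register):
    """Split the register into threats and opportunities, each ordered highest
    score first. The secondary key is impact: two risks scoring 8 are not the
    same problem if one is 4x2 (frequent, minor) and the other 2x4 (rare, serious),
    and the serious one should surface first."""
    key = lambda r: (score(r), r.impact)
    threats = sorted((r for r in register if not r.upside), key=key, reverse=True)
    opportunities = sorted((r for r in register if r.upside), key=key, reverse=True)
    return threats, opportunities


# Constructed sample register (hypothetical entries for illustration only).
REGISTER = [
    Risk("Ransomware on file server", likelihood=3, impact=5),
    Risk("Laptop lost on train", likelihood=4, impact=2),
    Risk("Key supplier insolvency", likelihood=2, impact=4),
    Risk("Datacentre fire", likelihood=1, impact=5),
    Risk("New market via partner", likelihood=3, impact=4, upside=True),
]


if __name__ == "__main__":
    threats, opportunities = prioritise(REGISTER)
    print("Threats, most urgent first:")
    for r in threats:
        print(f"  {score(r):2d}  L{r.likelihood} x I{r.impact}  {r.name}")
    print("Opportunities, largest first:")
    for r in opportunities:
        print(f"  {score(r):2d}  L{r.likelihood} x I{r.impact}  {r.name}")
```

The point of the secondary sort key is the practical caveat with any ordinal model: multiplying two 1–5 ratings compresses very different situations into the same number, so the score alone should drive the ordering but never the decision.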

KISS – easy to say, harder to achieve

“That’s been one of my mantras – focus and simplicity. Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.” (Steve Jobs)

This quote sums up the paradox of simplicity – simple is hard. Working out what the essentials are and how to do things efficiently isn’t just hard, it can seem like more work than just sticking with the complicated path in the first place. ...

February 4, 2019 · 3 min

The first thing you need to do in any risk conversation

You say either and I say either
You say neither and I say neither
Either, either, neither, neither
Let’s call the whole thing off
(“Let’s call the whole thing off”, George and Ira Gershwin)

It’s good to have an idea of what you are going to be talking about before you start any discussion, but this is vitally important when you are talking about risk. The word is used conversationally and technically in lots of different ways so we need to be clear that we are all speaking the same language to avoid confusion later on. ...

January 28, 2019 · 2 min

Risk mitigation is out of beta

After the core elements of the risk and incident modules themselves, risk mitigation was the most requested feature people asked for. We rolled this out as a beta feature in December and I’m pleased to say that the testing, tweaking and tinkering are over, so this feature is ready to go for all TEAM and PRO users. You can now add mitigation for individual risks, allocate an owner and add a due date, all within the app. Any active ‘to-dos’ you have will show up in the ‘My Open Actions’ panel in your dashboard. ...

January 24, 2019 · 2 min

Address your LOI before your ROI

As a risk manager, you will often be asked to explain the RoI (return on investment) of you, your team and even the whole risk management program. Effective risk management can help an organization grasp an opportunity, and realizing an upside risk should generate a positive RoI. However, when you are focussed on shoring up a weak system, plugging gaps and minimizing risks, showing an RoI can be hard. Even so, an inability to show a positive RoI in a cost-conscious environment can threaten investment in your team. It can even make people question the value of the program as a whole. ...

January 21, 2019 · 3 min