The devil is the detail

We often say ‘the devil is in the detail’ meaning that it is the small things that will catch us out. But sometimes the problem begins by looking at the details in the first place. Don’t get me wrong, I’m a fan of details. I believe the more planning and specificity you can put into something, the better. The problem occurs when we jump into the details too quickly. Instead of starting with a strategic perspective, we dive right into the weeds. ...

August 19, 2018 · 7 min

If it looks like a duck (or a snake)….

“The first rule of snakes [problems] is, if you see a snake, you kill it…. Just take care of it.” – Jim Barksdale, former CEO, Netscape.
It’s rare for an event to be truly unexpected. We know that our personal habits affect our health. We know that incorrect use of tools and machinery can cause injury. We know that small-scale corner-cutting leads to more serious infringements. We know that running complex systems – like drilling rigs or nuclear power stations – beyond established safe parameters can be catastrophic. ...

July 29, 2018 · 4 min

What is a risk mitigation plan?

This post originally appeared on Quora in response to the question ‘What is a risk mitigation plan?’
What is a risk mitigation plan?
The risk mitigation plan is a series of specific actions or steps you will take in response to a risk once you have completed your risk assessment. However, before you start to develop the mitigation plan in detail, you need to determine a general course of action based on one of five main options: avoid, tolerate, treat, transfer and terminate (A4T). Which of these is most applicable will depend on your risk tolerance (short term), risk appetite (longer term) and what you can reasonably achieve with the resources available (ALARP). ...

July 13, 2018 · 2 min

Convincing people to take risks

This post first appeared on Quora in response to the question ‘How do you convince people to take a risk in a company?’
How do you convince people to take a risk in a company?
Firstly, I don’t think we should ever push people to take risks that 1) they are uncomfortable with and 2) don’t serve the company’s objectives. However, I also know that sometimes people might overestimate and subsequently avoid a risk that might actually benefit them and the company. That is something we can help with. ...

July 6, 2018 · 5 min

Risk management and the security manager – a quick note

This post originally appeared on Quora in answer to the question “How does risk management fit in security risk management profession?”
How does risk management fit in security risk management profession?
Ideally, a security manager will use a risk management foundation for their security management system. This will help integrate security risks into the organization’s understanding of its overall risk environment. This focus also ensures that the security program is focussed on protecting the organization’s objectives, which aligns with the ISO definition of risk: ...

June 30, 2018 · 2 min

Summer shorts

Summer’s here* which means it’s time for a change of pace and a chance to try something different for a couple of months. So instead of the normal longer-form pieces or interviews, I am going to stick to nice, short pieces for the next month or two. Perfect, bite-sized risk nibbles to keep your risk synapses firing during these long, hot days. To start with, these will be re-posts of answers to questions posed on Quora which I have been trying to do more regularly. I’m really enjoying Quora for two reasons. Firstly, I don’t need to think about a subject (which I often find is the hardest part of writing). It’s right there, waiting for me. Secondly, it’s great practice in condensing and summarizing something that might otherwise become a 1,500-2,000 word essay. ...

June 29, 2018 · 1 min

DCDR is live

(This post was updated on Nov 7, 2018 to reflect the discontinuation of the free SOLO plan.) Launch day! For about 15 months now, I have been working on a project to build a better piece of risk management software. This is something I have been thinking about since 2002 and I think now, more than ever, we need – and deserve – a better piece of software for risk management. Why? ...

June 20, 2018 · 4 min

Risk Management Maturity Tool Update

OK, I confess that this took me a little longer than I had hoped but I finally updated the risk management maturity tool to reflect the 2018 ISO 31000 risk management standard. The new tool is available here and you can read my review of the standard here. So if you were wondering how mature your risk management system was, wonder no longer! The assessment only takes a few minutes and you get a nifty report like this emailed to you right away. ...

June 11, 2018 · 1 min

ISO 31000 – a review of the 2018 standard

Yawn! Aside from GDPR-inspired emails with news of updated terms and conditions, this will be the most boring thing you will read all week…. However, it might be one of the more important things you read if you are a risk manager, because one of the core risk management references has just been updated and there are a few changes to be aware of. I had to review these documents to ensure that my material was up to date, so I thought I should keep some notes as I want to save you from having to go through the same ‘compare and contrast’ exercise. Plus, I love standards. : ) ...

June 5, 2018 · 8 min

Meet the expert – a conversation with Nick Smart

Risks don’t just arise from operational incidents. Often the conduct of the organization and its senior leaders results in a type of risk that is very different from, but just as threatening as, a large, physical event. In this conversation with Nick Smart we explore the intersection of risk, ethics and governance. Nick is an independent strategic risk advisor and was the chief ethics and compliance officer (CECO) for a global energy services company, before which he designed and built the security risk management function for the same company in his capacity as chief security officer (CSO). ...

May 24, 2018 · 1 min