Posts

Full disclosure: this is me working through an idea in public but, if you’ve been reading my stuff for a while, you’ll know that the blog and email are often me thinking out loud, trying out ideas to see what sticks. In this case, it’s not a new idea but, instead, a rather old one. A 20-year-old one… Data-Driven Risk Management How this came about isn’t important, but since my first risk assessment, I’ve felt that there’s a need for some kind of simple math to underpin things and help with consistency. Eventually, that became the kind of thing you’ll have seen in the metrics and gradings work here. ...

This recent tweet made me chuckle as I thought, ‘Yup, sounds just like a Barbara.’ Ed Burmilia on Twitter Like this author’s fictitious Peggy, ‘Barbara’ is my shorthand for the person who’s essential to an organization. But, unlike Peggy, Barbara’s real. What’s a Barbara? Barbara was the founder’s EA at a firm where I worked and, having been there since the very beginning, knew everything there was to know about the business. ...

ESG under attack as ‘woke’ capital This post originally appeared in the ‘So What’ newsletter on July 1, 2022 In a lot of recent coverage, ESG (environmental, social & governance) is being termed ‘woke’ capitalism by both supporters and detractors of the investment class. This perception further strengthens the sense that, rather than measuring how well a firm or fund performs in some important non-operational ways, ESG is nothing more than a form of virtue signaling and/or a scam. ...

Data or information by itself is meaningless. For it to be useful, we need to add context. This is the difference between information and intelligence: once we’ve analyzed the information and put it into context, the resultant intelligence gives us an understanding of a situation. Another way to write this is understanding = knowledge + context But that’s sometimes easier said than done. What do we mean by context, and how does this help you understand a situation better? ...

There’s a saying that there are no atheists in a foxhole, and it’s the same for a boardroom in crisis. Facing the worst day of their life, even the most bitter executives who don’t even know where the nearest church, mosque, or temple is will be trying to remember the prayers they learned as a child. They won’t add God to their stakeholder matrix, but they still hope He’s on their side. ...

I started the KISS risk management project five years ago with the idea that risk management was being made too complicated and there were too many gatekeepers in the way. That makes it hard to get started in the profession, which robs businesses of a broad range of perspectives and viewpoints (a risk in itself). But this lack of general risk intelligence also makes us all worse off: we need people to make risk-based decisions in all kinds of situations. ...

*I received an email a few years ago from someone just getting started in risk management asking if I had any thoughts or advice on the risk management skills they needed. The response quickly became several pages long and I thought it was worth turning it into a blog piece that others might benefit from. So here are 10 considerations for new risk managers (although this could also be titled ‘Letter to a 30-year old me’ or a 40-year old me.) * ...

Becoming a risk manager can seem to be more art than science. There’s not a clear pathway from degree to junior risk manager to senior risk manager to CRO (Chief Risk Officer) in the same way that you can chart the progress from freshly minted CPA (Certified Public Accountant) to head of Ernst & Young. (Financial risk management is the exception here as there is usually a clear path there.) ...

Googling ‘what is a risk manager?’ will get you variations on ‘it’s the person who manages that organization’s risks,’ which is a pretty weak answer. It’s certainly not enough to help anyone who’s just starting in the role to understand what they’re supposed to do. Similarly, if someone’s thinking about this as a career, we need a bit more. 🎧 Listen to a recording of this post 🎧 So here’s a more detailed answer. ...

Security is a guiding principle for DCDR, and protecting user data has been baked in from the start. However, there’s more to data security than restricting access and managing user permissions. I’ve used the INFOSEC abbreviation CIA – confidentiality, integrity, and availability – as a guide to help determine the steps required to protect your data while also ensuring that the system does what it’s supposed to. Overall, the intent is to ensure: ...