Structure, Silence and Lots and Lots of Notes: How to Conduct an Effective Interview

“Well, there was the kidnapping. Is that something you’re interested in?” It was our last day of a week-long site security survey. We were meeting with the site manager to wrap up our visit but this was the first time we had heard anything about something as serious as this. So yes, a kidnapping was something we were very, very interested in learning about…. I have no idea why it hadn’t come up before: we had conducted dozens of other interviews that week and had dozens of pages of notes. However, it almost didn’t come up at all: at this late stage, we were going to skip the interview and go straight into a review of our findings. ...

April 29, 2019 · 5 min

How to Plan a Risk Assessment

I’ve written before about how you need to have a clear idea of what you’re trying to achieve with your risk assessment and to get everyone onto the same page. Without this kind of understanding, it’s very unlikely that you will complete the assessment in the time available. Even if you do, you might not have answered the original question. So you need to plan your assessment properly but what does that look like? Here’s a short five-step process to make sure that you are well-prepared for your assessment before you ask the first question or open up a spreadsheet. ...

April 22, 2019 · 5 min

Stop thinking about risk in two-dimensions

There are lots of different methodologies for assessing or breaking down a risk. The most common is a two-factor approach where the likelihood and potential impact of an event combine to create a risk.

Likelihood (of the thing) + Impact (how the thing affects you) = risk

This is what’s used for The World’s Simplest Risk Model. However, this two-dimensional approach leaves out one thing. Sometimes there are barriers between the event or threat and you. So in addition to the event and its potential impact, there’s the concept of vulnerability or exposure: factors that make you more or less susceptible to the event. These can be passive factors – e.g. physical distance – or active measures you’ve taken to reduce your vulnerability to an event. ...

April 15, 2019 · 5 min

Now you understand your risk – what’s next?

Naturally, a lot of time and effort in risk management goes into understanding the risks that you face. After all, if you don’t understand what you’re up against, there’s not a lot of risk management to be done. However, even when you complete a comprehensive risk assessment, this is just the beginning of the process. Now the real work starts and you have to answer the big question. What do we do next? ...

April 8, 2019 · 5 min

This is your brain on risk

There are lots of things that are hard about risk and risk management: you are often dealing with abstracts and potential events; showing success can be challenging when your job sometimes means nothing happens; you might not be seen as adding value. But the biggest challenges always seem to concern discussions about risk. These discussions are hard, even when we have set out clear definitions for what we mean by risk and have everyone on the same page theory-wise. ...

April 1, 2019 · 8 min

Getting threat categorization right

To manage your risk management system, you need to have a way to categorize your threats. This is a key part of being able to structure your risk assessments and you need to identify a set of imaginary buckets or folders into which you can group similar threats. But this also helps with information gathering as data on a specific threat category might be grouped together. It also assists when it’s time to address the risks as one action could help mitigate a whole category of threats. Finally, these categories will also help you identify trends and patterns and start to develop an overall picture of your risk environment. ...

March 25, 2019 · 4 min

The World’s Simplest Risk Model

In addition to the many different definitions for risk, there are lots of different ways to calculate risk. Having a way to assess a risk and ascribe a value is the core of any risk assessment: this valuation allows us to prioritize our risks and differentiate between those of low priority vs the higher, more urgent issues we need to deal with. So we need a way to do these kinds of calculation but if we aren’t careful, we can end up with a model that’s too complicated for most people’s needs. ...

March 18, 2019 · 4 min

Your risk assessment’s a thermometer, not a crystal ball

If you’re cooking, you need a way to tell how hot the oven is. You won’t be able to tell the difference between 275°F and 325°F just by sticking your hand inside – both are going to feel hot to you – but this is the difference between a perfect, crunchy yet chewy meringue and something that’s dry and explodes into a pile of dust. So we use a thermometer to give us the information we need. ...

March 11, 2019 · 4 min

Linking risk assessments to decision-making

The point of risk management is to understand and react to the threats and opportunities that might affect your business. The problem is that risk management can often become dislocated from the mainstream business processes. Instead of being integrated into the organization, risk management takes place in a parallel but separate workstream: one that decision-makers dip into occasionally but generally look at as a specialized, technical process. I’ve seen a similar thing happen with cybersecurity. Despite the fact that almost every business is now wholly dependent on a robust, secure and effective IT infrastructure, cybersecurity is still often seen as a ‘thing that IT does’. Even though cybersecurity is effectively supply chain security (plus a lot more), it isn’t thought of that way. ...

March 4, 2019 · 3 min

What’s your risk assessment for?

Up front, this seems like an easy question to answer. ‘It’s to help us understand our risks.’ That’s true but then, what? What comes next? If we start a risk assessment with no clear idea of what it’s to be used for, we will end up with something that’s unfocussed and doesn’t provide the insight we need. Or we might end up losing our way as we get spread too thin trying to assess everything. ...

February 26, 2019 · 2 min