What is a risk mitigation plan?

This post originally appeared on Quora in response to the question ‘What is a risk mitigation plan?’ The risk mitigation plan is a series of specific actions or steps you will take in response to a risk once you have completed your risk assessment. However, before you start to develop the mitigation plan in detail, you need to determine a general course of action based on one of five main options: avoid, tolerate, treat, transfer and terminate (A4T). Which of these is most applicable will depend on your risk tolerance (short term), risk appetite (longer term) and what you can reasonably achieve with the resources available (ALARP). ...

July 13, 2018 · 2 min

Convincing people to take risks

This post first appeared on Quora in response to the question ‘How do you convince people to take a risk in a company?’ Firstly, I don’t think we should ever push people to take risks that 1) they are uncomfortable with and 2) that don’t serve the company’s objectives. However, I also know that sometimes people might overestimate and subsequently avoid a risk that might actually benefit them and the company. That is something we can help with. ...

July 6, 2018 · 5 min

10 Tips For Crisis Management

I have been thinking about effective crisis management a lot recently and am working on a more in-depth piece on managing a crisis which I hope to publish soon. However, crises don’t wait until we are properly prepared before they strike so I put together this quick set of suggestions as a stop-gap. Normally, I wouldn’t make a top-10 list but sometimes it’s the easiest way to share ideas. So here goes and I hope you find these suggestions useful. ...

May 17, 2018 · 6 min

A KISS Approach to Enterprise Security Risk Management

Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years. ASIS International has identified it as a strategic focus. However, after a review of the literature, beginning with the 2010 CSO roundtable paper on ESRM, two issues are raised that could make ESRM implementation difficult. The initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). ...

September 12, 2017 · 10 min

Integrating a Risk Management System into Your Organization

*Integrating a risk management system into your department or organization will be a major endeavor and while there are significant benefits to making this change, the degree of effort required should not be underestimated. Moreover, the overall workload of the organization and other major initiatives that might also be underway are major considerations when planning ERM implementation. This article will refer to ERM systems but the same principles will apply if the implementation is for a less expansive risk management system. Importantly, as a supporting function and not an operational activity, risk management must be shaped to fit the organization. It should not try to shape the organization to fit it. Implementing a risk management system requires thorough planning, a careful combination of change and project management and a high degree of cultural sensitivity.* ...

August 16, 2017 · 16 min

WDYMB…Address Risks?

Once an organization’s risks are understood, it is important that appropriate action is taken to address these risks to ensure that the organization’s objectives are protected or enhanced. Some risks are severe enough to require immediate action. Others can be dealt with in the short term whereas some risks require longer-term attention over months or even years. This essay explores the key ideas and terms associated with addressing risks and outlines the steps to take to ensure that the appropriate action is taken once a risk is identified concentrating on five main options: avoid, tolerate, treat, transfer and terminate. ...

April 28, 2017 · 21 min

Risk Assessments Grading and Metrics

When we are conducting a risk assessment, we need a way to assess, grade and order risks to allow us to use this information for decision-making and to prioritize our actions. This article outlines some basic techniques that can be used for risk assessment grading and metrics. These basic examples lay the foundation for more complex sets of metrics that can be adapted for your organization and the specifics of the assessment. An example of the metrics used in the r = tvi construct and the risk calculation tool are included along with links to online tools that you can copy and use in your own assessments. ...

March 24, 2017 · 6 min

How to Conduct a Risk Assessment

*The risk assessment lies at the core of risk management. Without a clear understanding of the risks faced, none of the other risk management activities can be undertaken. This means that the organization will remain reactive instead of being able to take proactive steps informed by risk-based decision making. However, risk assessments have the potential to become hugely complex, sometimes becoming the only risk management activity that is undertaken, as organizations become exhausted by the assessment process and don’t conduct any of the follow-up activities. Detailed here is a four-phase risk assessment process that can be used for most non-technical assessments.* ...

March 18, 2017 · 27 min