<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Risk on Andrew Sheves</title><link>https://andrewsheves.com/tags/risk/</link><description>Recent content in Risk on Andrew Sheves</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 13 Dec 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://andrewsheves.com/tags/risk/index.xml" rel="self" type="application/rss+xml"/><item><title>Getting the Risk Assessment to Work For Us</title><link>https://andrewsheves.com/2024/12/13/getting-the-risk-assessment-to-work-for-us/</link><pubDate>Fri, 13 Dec 2024 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2024/12/13/getting-the-risk-assessment-to-work-for-us/</guid><description>&lt;p&gt;I’ve had a lot of conversations about risk assessments recently and just finished a new feature in the Decis platform, both of which prompted this thought: What if we have things backwards? What if our risk assessment updated us instead of the other way around?&lt;/p&gt;
&lt;p&gt;We spend days — sometimes weeks — building a comprehensive risk assessment to understand our risks and build mitigation measures. But these are snapshots in time and can quickly become overtaken by events. That’s when we move from risk management to incident management or at minimum, we have to review our mitigation.&lt;/p&gt;</description></item><item><title>November is risk management training month</title><link>https://andrewsheves.com/2020/10/25/november-is-risk-management-training-month/</link><pubDate>Sun, 25 Oct 2020 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2020/10/25/november-is-risk-management-training-month/</guid><description/></item><item><title>What’s a Black Swan &amp; why you need contingency plans</title><link>https://andrewsheves.com/2020/06/14/whats-a-black-swan-why-you-need-contingency-plans/</link><pubDate>Sun, 14 Jun 2020 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2020/06/14/whats-a-black-swan-why-you-need-contingency-plans/</guid><description>&lt;p&gt;I’m sure you’ve heard people referring to COVID-19 as a ‘Black Swan’ – something that no-one could have seen coming – but is that actually the case?&lt;/p&gt;
&lt;p&gt;Terrible though it is, I don’t think it’s accurate to describe the current situation as a Black Swan because we’ve had to deal with highly contagious, deadly diseases before.&lt;/p&gt;
&lt;p&gt;Calling this a ‘Black Swan’ is, therefore, a way to excuse a confused response: &lt;em&gt;‘how could we have prepared for something that no-one could see coming?’&lt;/em&gt;&lt;/p&gt;</description></item><item><title>They Might Not Want a Hammer: How to Understand an Organization</title><link>https://andrewsheves.com/2019/05/28/how-to-understand-an-organization/</link><pubDate>Tue, 28 May 2019 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2019/05/28/how-to-understand-an-organization/</guid><description>&lt;p&gt;One of the things I’ve enjoyed most as a consultant is having the opportunity to learn about organizations from a wide variety of sectors. These have ranged from schools, NGOs and the private offices of high net-worth individuals to Fortune Five oil and gas companies and governments. On the one hand, I’ve discovered that there are considerable similarities in all organizations, no matter their sector or size. However, I’ve also become acutely aware that the things that make the most significant difference – good or bad – are often very subtle.&lt;/p&gt;</description></item><item><title>This time it isn’t different</title><link>https://andrewsheves.com/2018/09/17/this-time-it-isnt-different/</link><pubDate>Mon, 17 Sep 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/09/17/this-time-it-isnt-different/</guid><description>&lt;p&gt;Two major events are going to happen in the US within five years.  One is a replay of the US subprime mortgage collapse which spawned the 2008 financial crisis.  The other will occur when the bubble of college debt bursts. Both events – one of which may well trigger the other – will cause massive strain on US banks with potential global repercussions.&lt;/p&gt;
&lt;p&gt;This isn’t a bold claim.  There are lots of people, all of whom are much more familiar with this kind of risk than I am, sounding similar alarm bells.  For example, the day after I started writing this, the Financial Times’ editorial was on a similar topic. And there may be other significant events that occur in addition to these but making forecasts about what’s going to happen isn’t the point of this article.&lt;/p&gt;</description></item><item><title>If it looks like a duck (or a snake)….</title><link>https://andrewsheves.com/2018/07/29/if-it-looks-like-a-duck-or-a-snake/</link><pubDate>Sun, 29 Jul 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/07/29/if-it-looks-like-a-duck-or-a-snake/</guid><description>&lt;blockquote&gt;
&lt;p&gt;“The first rule of snakes [problems] is, if you see a snake, you kill it….Just take care of it”
&lt;a href="https://hbr.org/2014/06/dont-play-with-dead-snakes-and-other-management-advice"&gt;Jim Barksdale, former CEO Netscape&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;It’s rare for an event to be truly unexpected.&lt;/p&gt;
&lt;p&gt;We know that our personal habits affect our health. We know that incorrect use of tools and machinery can cause injury. We know that small-scale corner-cutting leads to more serious infringements. We know that running complex systems – like drilling rigs or nuclear power stations – beyond established safe parameters can be catastrophic.&lt;/p&gt;</description></item><item><title>DCDR is live</title><link>https://andrewsheves.com/2018/06/20/dcdr-is-live-and-free/</link><pubDate>Wed, 20 Jun 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/06/20/dcdr-is-live-and-free/</guid><description>&lt;p&gt;&lt;em&gt;(This post was updated on Nov 7, 2018 to reflect the discontinuation of the free SOLO plan.)&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="launch-day"&gt;Launch day!&lt;/h2&gt;
&lt;p&gt;For about 15 months now, I have been working on a project to build a better piece of risk management software.  This is something I have been thinking about since 2002 and I think now, more than ever, we need – and deserve – a better piece of software for risk management.  Why?&lt;/p&gt;</description></item><item><title>ISO 31000 – a review of the 2018 standard</title><link>https://andrewsheves.com/2018/06/05/iso-31000-a-review-of-the-2018-standard/</link><pubDate>Tue, 05 Jun 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/06/05/iso-31000-a-review-of-the-2018-standard/</guid><description>
&lt;h2 id="yawn"&gt;Yawn!&lt;/h2&gt;
&lt;p&gt;Aside from GDPR-inspired emails with news of updated terms and conditions, this will be the most boring thing you will read all week….&lt;/p&gt;
&lt;p&gt;&lt;em&gt;However, it might be one of the more important things you read if you are a risk manager because one of the core risk management references has just been updated and there are a few changes to be aware of.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;I had to review these documents to ensure that my material was up to date so I thought I should keep some notes as I want to save you from having to go through the same ‘compare and contrast’ exercise. &lt;a href="https://dcdr.io/2018/01/15/i-love-and-hate-standards-you-should-too/"&gt;Plus, I love standards.&lt;/a&gt;  : )&lt;/p&gt;</description></item><item><title>Meet the expert – a conversation with Nick Smart</title><link>https://andrewsheves.com/2018/05/24/meet-the-expert-a-conversation-with-nick-smart/</link><pubDate>Thu, 24 May 2018 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2018/05/24/meet-the-expert-a-conversation-with-nick-smart/</guid><description>&lt;p&gt;Risks don’t just arise from operational incidents.  Often the conduct of the organization and its senior leaders results in a type of risk that is very different but just as threatening as a large, physical event.&lt;/p&gt;
&lt;p&gt;In this conversation with Nick Smart we explore the intersection of &lt;a href="https://dcdr.io/2017/08/23/risk-governance/"&gt;risk, ethics and governance&lt;/a&gt;.  Nick is an independent strategic risk advisor and was the chief ethics and compliance officer (CECO) for a global energy services company, before which he designed and built the security risk management function for the same company in his capacity as chief security officer (CSO).&lt;/p&gt;</description></item><item><title>10 quick thoughts on risk</title><link>https://andrewsheves.com/2017/10/01/10-quick-thoughts-on-risk/</link><pubDate>Sun, 01 Oct 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/10/01/10-quick-thoughts-on-risk/</guid><description>&lt;p&gt;I’m trying to improve my videos so apologize for the quality but here’s a quick video with 10 quick thoughts on risk management.&lt;/p&gt;
&lt;p&gt;[Video: https://video.wordpress.com/embed/zX8wUAWO?hd=0&amp;amp;autoPlay=0&amp;amp;permalink=1&amp;amp;loop=0&amp;amp;preloadContent=metadata&amp;amp;muted=0&amp;amp;playsinline=0&amp;amp;controls=1&amp;amp;cover=1]&lt;/p&gt;
&lt;p&gt;Let me know what you think!&lt;/p&gt;</description></item><item><title>A KISS Approach to Enterprise Security Risk Management</title><link>https://andrewsheves.com/2017/09/12/a-kiss-approach-to-enterprise-security-risk-management/</link><pubDate>Tue, 12 Sep 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/09/12/a-kiss-approach-to-enterprise-security-risk-management/</guid><description>&lt;p&gt;Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years.  ASIS International has identified it as a strategic focus. However, after a review of the literature, beginning with the &lt;a href="https://cso.asisonline.org/esrm/Documents/CSORT_ESRM_whitepaper_%20pt%201.pdf"&gt;2010 CSO roundtable paper on ESRM&lt;/a&gt;, two issues are raised that could make ESRM implementation difficult.&lt;/p&gt;
&lt;p&gt;The initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO).&lt;/p&gt;</description></item><item><title>Integrating a Risk Management System into Your Organization</title><link>https://andrewsheves.com/2017/08/16/integrating-a-risk-management-system-into-your-organization/</link><pubDate>Wed, 16 Aug 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/08/16/integrating-a-risk-management-system-into-your-organization/</guid><description>&lt;p&gt;&lt;em&gt;Integrating a risk management system into your department or organization will be a major endeavor and while there are significant benefits to making this change, the degree of effort required should not be underestimated. Moreover, the overall workload of the organization and other major initiatives that might also be underway are major considerations when planning ERM implementation. This article will refer to ERM systems but the same principles will apply if the implementation is for a less expansive risk management system. Importantly, as a supporting function and not an operational activity, risk management must be shaped to fit the organization.  It should not try to shape the organization to fit it.  Implementing a risk management system requires thorough planning, a careful combination of change and project management and a high degree of cultural sensitivity.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>WDYMB…Address Risks?</title><link>https://andrewsheves.com/2017/04/28/wdymbaddress-risks/</link><pubDate>Fri, 28 Apr 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/04/28/wdymbaddress-risks/</guid><description>&lt;p&gt;&lt;em&gt;&lt;a href="https://dcdr.io/2017/03/18/risk-assessment-process-how-to-conduct-a-risk-assessment/"&gt;Once an organization’s risks are understood&lt;/a&gt;, it is important that appropriate action is taken to address these risks to ensure that the organization’s objectives are protected or enhanced. Some risks are severe enough to require immediate action. Others can be dealt with in the short term whereas some risks require longer-term attention over months or even years. This essay explores the key ideas and terms associated with addressing risks and outlines the steps to take to ensure that the appropriate action is taken once a risk is identified concentrating on five main options: &lt;strong&gt;avoid, tolerate, treat, transfer&lt;/strong&gt; and &lt;strong&gt;terminate&lt;/strong&gt;.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>WDYMB…Risk Perception and Risk Communication?</title><link>https://andrewsheves.com/2017/04/03/wdymb-risk-perception-and-risk-communication/</link><pubDate>Mon, 03 Apr 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/04/03/wdymb-risk-perception-and-risk-communication/</guid><description>&lt;p&gt;&lt;em&gt;Complicated, subtle factors affect how we perceive risk and these can be exacerbated by the way we receive risk information. We refer to the ways we think about and react to risks as risk perception, and the processes for discussing risk as risk communication. Even when people are in the same or very similar situations, they may perceive the risks very differently. Similarly, different people listening to the same risk information will react to it differently depending on several factors that affect their perspective. 
The overall result of this is “the general frustration experienced by both risk managers and affected parties in conveying and understanding risk information”.[i]&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Risk Assessments Grading and Metrics</title><link>https://andrewsheves.com/2017/03/24/risk-assessments-grading-and-metrics/</link><pubDate>Fri, 24 Mar 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/03/24/risk-assessments-grading-and-metrics/</guid><description>&lt;p&gt;&lt;em&gt;When we are &lt;a href="https://dcdr.io/2017/03/18/risk-assessment-process-how-to-conduct-a-risk-assessment/"&gt;conducting a risk assessment,&lt;/a&gt; we need a way to assess, grade and order risks to allow us to use this information for decision-making and to prioritize our actions. This article outlines some basic techniques that can be used for risk assessment grading and metrics.  These basic examples lay the foundation for more complex sets of metrics that can be adapted for your organization and the specifics of the assessment. An example of the metrics used in the &lt;strong&gt;r = tvi&lt;/strong&gt; construct and the risk calculation tool are included along with links to online tools that you can copy and use in your own assessments.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>How to Conduct a Risk Assessment</title><link>https://andrewsheves.com/2017/03/18/how-to-conduct-a-risk-assessment/</link><pubDate>Sat, 18 Mar 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/03/18/how-to-conduct-a-risk-assessment/</guid><description>&lt;p&gt;&lt;em&gt;The risk assessment lies at the core of risk management.  Without a clear understanding of the risks faced, none of the other risk management activities can be undertaken.  This means that the organization will remain reactive instead of being able to take proactive steps informed by risk-based decision making.  
However, risk assessments have the potential to become hugely complex, sometimes becoming the only risk management activity that is undertaken, as organizations become exhausted by the assessment process and don’t conduct any of the follow-up activities.  Detailed here is a four-phase risk assessment process that can be used for most non-technical assessments.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>A Foundation for Risk Management</title><link>https://andrewsheves.com/2017/03/10/twelve-core-elements-for-risk-management/</link><pubDate>Fri, 10 Mar 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/03/10/twelve-core-elements-for-risk-management/</guid><description>&lt;p&gt;&lt;em&gt;In the simplest of terms, risk management helps you function in the real world. Organizations are under constant assault from both anticipated and unanticipated events which threaten to derail their plans. Risk management is what helps them understand, prepare for and react to these events. The largest firms will spend thousands of hours and billions of dollars on risk and compliance annually and there are dozens of different standards or methodologies to help guide the risk manager. But what do you do if you are a small organization and there is no money for training or consulting? Or if risk management is the second or third responsibility on your job description – the one you never quite get around to?&lt;/em&gt;&lt;/p&gt;</description></item><item><title>What is Risk?</title><link>https://andrewsheves.com/2017/02/24/what-is-risk/</link><pubDate>Fri, 24 Feb 2017 00:00:00 +0000</pubDate><guid>https://andrewsheves.com/2017/02/24/what-is-risk/</guid><description>&lt;p&gt;&lt;em&gt;Risk and risk discussions are often hampered by inconsistent terminology and a high degree of subjectivity.  To overcome this, we need to understand what we mean when we ask ‘what is risk?’.  
This article lays out a concept for risk using the ISO definition – the effect of uncertainty on objectives.  It breaks individual risks into their three main components: threat, vulnerability and impact for downside risks or opportunity, and exposure and impact for upside risks.  These concepts form the basis for all subsequent risk discussions and lay the groundwork for a risk assessment methodology.&lt;/em&gt;&lt;/p&gt;</description></item></channel></rss>