Musings by the Tao Of Risk

Risk Scenarios

A risk scenario is an analysis technique consisting of five components that help people visualize and understand risks. The five components of a risk scenario are: actor, threat type, risk event, assets or resources, and time. The actor is who or what generates the risk. Actors can include internal staff, competitors, regulators, nature, and the market. Threat type describes the nature of the threat and can include malicious events, accidental events, natural disasters, equipment or process failures, and external requirements. The event is what causes project or organizational objectives to be impacted. Events can include disclosure (e.g. of confidential information), interruption (of services or production capability), theft, destruction, ineffective design, ineffective execution of processes, compliance or regulatory changes, and inappropriate use. Assets or resources are objects of value that can be affected by the event, leading to an impact on project or organizational objectives. Assets and resources include the organization, personnel, process assets, infrastructure (e.g. facilities, networks, equipment, communications), and information. There are two dimensions to the time component: the duration of the event and the timing of when the event occurs.

Risk Policy and Governance

Effective risk management must include a strategic element as well as an operational element. The strategic element includes, among other things, effective governance based on a comprehensive risk policy that provides specific guidance about the organization's risk appetite and risk tolerance. An enterprise risk management plan (ERMP) that directly aligns with the organizational risk policy is the foundation for the operational risk management element.

A recent report by the Organization for Economic Co-operation and Development (OECD) on risk management and corporate governance indicates that risk historically has not been managed on an enterprise-wide basis and has not been adjusted to corporate strategy. The report goes on to state that risk managers were often kept separate from management and not regarded as an essential part of implementing the company’s strategy (OECD, 2014). Disconnecting strategic risk management elements from the operational element sets the stage for catastrophic failure. The Deepwater Horizon disaster in 2010 clearly demonstrates what can happen when operational and strategic risk management elements are disconnected.

Attack of the Spam Bots

My website recently encountered a Spam Bot attack that brought the site down several times because of excessive CPU and bandwidth usage. The number of page requests increased 33 times more than normal from an average of 54,000 to over 1.8 million. Many thanks to my web host for all their help and support in foiling the Bots and getting my site back online. I took three steps to solve the problem: 1) required all users to register and log in in order to access any website content, 2) required a CAPTCHA response when adding article comments, 3) upgraded the site from Joomla 2.5.17 to Joomla 3.3.6.

I was quite surprised how simple and seamless the Joomla 3.3.6 upgrade was. The upgrade took less than an hour and that included a test installation. After upgrading to Joomla 3.3.6 I had to upgrade the site template and one component. The Joomla 3.x administration is a significant improvement over Joomla 2.5 and I strongly recommend anyone who has not yet upgraded to do so. I also like the fact that Joomla 3.x supports two-factor authentication, which I plan to roll out shortly to improve security even further.