Check out my presentation A New Paradigm - Asset Oriented Risk Management for the annual ISACA Ireland Conference. As usual the ISACA Ireland chapter were excellent hosts and had fantastic keynote speakers.

A BIG THANKS to Jack Jones for writing the foreword for my new book Cultural Calamity: Culture Driven Risk Management Disasters and How to Avoid Them.

One of the most important factors in successful risk management is organizational culture.  Unfortunately, few organizations take the risk management aspects of their culture seriously or even know how to address them when there are concerns.  There are a number of factors that drive this, including:

Qualitative measures are highly influenced by someone's position and past experience, so something considered "high" by one person can be perceived as low or totally unimportant by the next. Conversely, quantitative measures are explicit and not open to interpretation. I see risk logs that list the impact as "major," "significant," "substantial," etc. There is no universally accepted definition of "significant," so one person's "significant" may seem trivial to others. Without quantitative risk impact there is no way for an organization to understand its total risk exposure and whether it is within the risk tolerance levels established by the organizational risk policy. To effectively mitigate risk, its impact on the project must be quantitatively documented so treatment activities can be measured and tracked. It makes no sense to spend $50,000 treating a risk event that represents $10,000 in budget impact. Quantitative risk impact is a frequent topic of debate with pundits who argue that the uncertainty of risk makes it impossible to measure quantitatively.

A Potemkin Village is a term used to describe situations where a thinly veiled facade is created with no underlying substance. Legend has it that Grigory Potemkin became Governor of Southern Ukraine and Crimea after the Russian takeover in 1774. Potemkin was assigned to rebuild the areas after a series of wars between the Ottoman Empire and Russia. In 1787, the Russian Empress Catherine II and her entourage embarked on a six-month trip through the Ukraine and Crimea. To assure his continued favor with Catherine II, Potemkin is reported to have built a fake portable settlement along the banks of the Dnieper River. Each night after Catherine II and her entourage passed the village, Potemkin would have the village disassembled and reassembled further down river to give the impression of a thriving, prosperous economy; however, reality was quite different. Many people question the authenticity of the legend but, true or not, the fact remains that organizations do construct facades with very little substance behind them.

When you are standing in front of the mirror preparing for the day, how many people think to themselves "I will do everything I can to save the company 57 cents, including putting customers' lives at risk"? Or how about "I will lie to, deceive, and obstruct anyone who attempts to uncover product faults so our company can save $130 per unit"? As bizarre and unthinkable as it may seem, these two scenarios occurred recently. Check out my RIMS 2016 presentation to learn more about these scenarios and how organizational culture can drive organizations to ignore or cover up risk that costs pennies to treat but can result in billions of dollars in exposure if ignored or left untreated.

A disciplined process with emphasis on simplicity and flexibility yields a highly effective process that is dynamic and can quickly adapt to changing market conditions. An effective risk management program includes both a strategic and a tactical component. The strategic component of risk management begins with a set of risk management principles that includes management acknowledgement and support, recognition that risk management is an inexact science, and recognition that a disciplined approach yields significant value to the organization. Another key principle is recognition that, even though risk management is an inexact science, the risk management process must be disciplined and systematic. A disciplined and systematic risk management program facilitates continual improvement and creates true value for the organization. A disciplined and systematic risk management approach also helps avoid overspending on risk management. It doesn't make sense to spend $100,000 to treat a risk with a $20,000 impact. A disciplined risk management approach will quickly identify cases where the cost to treat a risk exceeds the cost of the impact and can divert the remaining effort to higher priority risks.

Many organizations and tools tend to complicate risk management by utilizing complex prioritization schemes, algorithms, and procedures. I have found no evidence or studies to indicate that complex prioritization schemes provide more effective risk management capability than simple prioritization schemes or processes. Organizations that focus on simplicity and risk management fundamentals tend to be very successful because they can easily and quickly adapt to changing market conditions. The ability to quickly adapt to changing market conditions is clearly a critical success factor in our current global economy. The epic rise and fall of BlackBerry is a striking example of what happens when an organization does not recognize and adapt to rapidly changing industry trends.

A risk scenario is an analysis technique consisting of five components that help people visualize and understand risks. The five components of a risk scenario are: actor, threat type, risk event, assets or resources, and time. The actor is who or what generates the risk. Actors can include internal staff, competitors, regulators, nature, and the market. Threat type describes the nature of the threat and can include malicious events, accidental events, natural disasters, equipment or process failures, and external requirements. The event is what causes project or organizational objectives to be impacted. Events can include disclosure (e.g. of confidential information), interruption (of services or production capability), theft, destruction, ineffective design, ineffective execution of processes, compliance or regulatory changes, and inappropriate use. Assets or resources are objects of value that can be affected by the event and lead to impact on project or organizational objectives. Assets and resources include the organization, personnel, process assets, infrastructure (e.g. facilities, networks, equipment, communications), and information. There are two dimensions to the time component: duration of the event and timing of when the event occurs.
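To tie the five risk-scenario components to the quantitative-impact argument made earlier (total exposure against a tolerance, and treatment cost that exceeds the impact), here is an added example that is not from the original post: a small register of hypothetical scenarios with constructed dollar values, a total-exposure check against a tolerance, and a check that flags treatments costing more than the impact they address.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical register entry: the page's five scenario components (time split into
# its two dimensions) plus a quantitative impact and the cost of the chosen treatment.
@dataclass
class RiskScenario:
    actor: str            # who or what generates the risk
    threat_type: str      # malicious, accidental, natural, failure, external requirement
    event: str            # what impacts objectives (disclosure, interruption, ...)
    asset: str            # what is affected (information, infrastructure, ...)
    duration: str         # time dimension 1: how long the event lasts
    timing: str           # time dimension 2: when it occurs
    impact_usd: float     # explicit dollar impact, not "major"/"significant"
    treatment_cost_usd: float

def total_exposure(register: List[RiskScenario]) -> float:
    """Total exposure is only computable because each impact is a number."""
    return sum(r.impact_usd for r in register)

def within_tolerance(register: List[RiskScenario], tolerance_usd: float) -> bool:
    """Compare total exposure with the tolerance set by the risk policy."""
    return total_exposure(register) <= tolerance_usd

def overspent_treatments(register: List[RiskScenario]) -> List[str]:
    """Events whose treatment costs more than the impact it is meant to prevent."""
    return [r.event for r in register if r.treatment_cost_usd > r.impact_usd]

# Constructed sample register; all names and dollar values are illustrative.
SAMPLE_REGISTER = [
    RiskScenario("external attacker", "malicious", "disclosure of customer data",
                 "information", "days", "any time", 250_000, 60_000),
    RiskScenario("internal staff", "accidental", "interruption of order processing",
                 "infrastructure", "hours", "peak season", 20_000, 100_000),
    RiskScenario("regulator", "external requirement", "compliance change",
                 "process assets", "months", "next fiscal year", 40_000, 15_000),
]

if __name__ == "__main__":
    print("total exposure:", total_exposure(SAMPLE_REGISTER))          # 310000
    print("within $500k tolerance:", within_tolerance(SAMPLE_REGISTER, 500_000))
    print("over-treated events:", overspent_treatments(SAMPLE_REGISTER))
```

The second entry reproduces the post's $100,000-to-treat-a-$20,000-impact case and is the one the overspend check flags.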