
Improving Our Risk Model

May 2, 2012

One of the more fun parts of designing your own software is watching it evolve as you get smarter. Explicit feedback says one thing, observing people says another, and the software gets used, ignored, or used in ways you never intended. With this background, we now have enough evidence to redesign our model for prioritizing and communicating risk. Actually, I should say reorganize, since the core principles are holding true.

Our risk and spend prioritization tool, Risk Communicator, is a couple of years old. The value of the tool is efficiency and consistency in organizing evidence to drive risk treatment decisions. At a high level we found:

  • Folks struggle finding evidence to justify an impact or likelihood assertion

  • Constructing an oral narrative around your evidence is critical to drive decisions

  • Sometimes folks rely too much on visuals to communicate a narrative

In response to these observations and more, we're reorganizing how the risk narrative is created and how evidence is communicated. I'm most excited to hear feedback on changes to the likelihood side of the risk statement. From observing how people communicate likelihood (or frequency, if defined within a time period, e.g. ARO), decisions seem to boil down to two questions:

  • Are we vulnerable to a particular threat?

  • Is there a capable, motivated agent?

If you don't have evidence that resonates with a decision maker for both of these questions, I believe you need to spend time and money to acquire it. I've written before on evidence sources and how much you should spend to get them. When you don't have evidence, I assert you need to highlight that fact as a risk in itself and prioritize evidence collection alongside mitigation or other spending. This little management hack works wonders and supports your RACI with risk owners. If a risk owner isn't willing to spend to have a data-driven decision, we should make sure that accountability is explicit and acknowledged. But I digress...

On the impact side, I had a great conversation this morning about how to categorize impacts. Traditionally we see groups like Direct and Indirect. Direct costs are more straightforward, e.g. fines, outages, response, and recovery costs. The indirect costs, however, are more strategic and long term, e.g. customer goodwill, competitive advantage, and increased regulatory scrutiny. I hope we can help highlight the differences as impact owners evaluate risks.
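As an added illustration (not the post's own code and not Risk Communicator's model), the sketch below encodes the two likelihood questions and the direct/indirect impact split, and surfaces a risk that lacks evidence for either question as an evidence-collection item for its owner instead of quietly scoring it; the field names, scoring rule and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of the two-question likelihood split described above.
# Field names and the scoring rule are assumptions, not Risk Communicator's schema.

@dataclass
class Evidence:
    source: str          # where the evidence came from, e.g. "pentest report"
    confidence: float    # 0..1, the assessor's confidence in that evidence

@dataclass
class Risk:
    name: str
    owner: str                               # accountable risk owner (RACI "A")
    vulnerable: Optional[Evidence] = None    # Q1: are we vulnerable to this threat?
    agent: Optional[Evidence] = None         # Q2: is there a capable, motivated agent?
    direct_impact: float = 0.0               # fines, outage, response, recovery
    indirect_impact: float = 0.0             # goodwill, competitive position, scrutiny

def likelihood(risk: Risk) -> Optional[float]:
    """Combine the two questions; None means we have no basis for a likelihood."""
    if risk.vulnerable is None or risk.agent is None:
        return None
    return risk.vulnerable.confidence * risk.agent.confidence

def prioritize(risks):
    """Return (ranked, gaps). A risk with no likelihood evidence is not scored low
    by default; it becomes an evidence-collection item assigned to its owner."""
    ranked, gaps = [], []
    for r in risks:
        lk = likelihood(r)
        if lk is None:
            missing = [q for q, e in (("vulnerable", r.vulnerable),
                                      ("agent", r.agent)) if e is None]
            gaps.append({"risk": r.name, "owner": r.owner, "missing": missing})
            continue
        exposure = lk * (r.direct_impact + r.indirect_impact)
        ranked.append((r.name, round(exposure, 2)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, gaps
```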


Because our industry doesn't have a standard way to prioritize risk, I bet many of you have your own models. That's what I did for many years (risk spreadsheet RIP). If you'd like to share feedback on our approach or comment on our changes, please do reach out. We know we don't know it all and I truly enjoy all kinds of feedback. Note we are a commercial shop so your feedback may be used to help us make money. It might also be used to help fellow practitioners!
