Julian Talbot

About Julian Talbot
Julian is an industry leader in security, risk management and strategic management. He is a Graduate of the Australian Institute of Company Directors, Fellow of the Risk Management Institution of Australasia, recipient of The Australian Security Medal, and holds a Master of Risk Management from Monash University.
Julian has lived and worked on five continents with jobs in resources, government, IT, and not-for-profit sectors ranging from construction worker to CEO, company director, and Chairman.
Writing books, traveling to places that most sensible people avoid, adventures, motorcycling, working with startups, and time with family are his main passions. He is typically found outdoors, or if indoors will be reading, writing, consulting, or speaking at conferences.
His LinkedIn profile and other websites can be found at www.bit.ly/JulianTalbot
Author Updates
Blog post
TL;DR: It's about culture. If you have to 'operationalize' risk management, whatever you're doing isn't risk management.
Risk management isn't self-licking ice cream, and it shouldn't (in theory) exist for its own sake. The clue is in the name. Management is a process, and like any other process, there should be an input, process, output, and a feedback loop.
Risk assessments (should) lead to treatment plans, and these treatment plans become management systems (e.g., procedure
4 months ago
Blog post
I've just finished giving a presentation at the ISC2 2021 Security Congress and several people asked for a copy of the slides.
I hope they are useful. Please feel free to use them and adapt them. I would appreciate it if you reference www.juliantalbot.com but my main mission is to get some useful tools out into the world where they can be applied.
You can find some more templates and the like under the DOWNLOADS menu above as well as at www.srmam.com. The Security Risk Managem
7 months ago
Blog post
“An expert is someone who has made all the mistakes in a field that can possibly be made.” - Niels Bohr
There is an entire industry built around the idea of risk management consulting. The industry is perhaps more than just an idea, but arguably it is not yet a mature profession. It can be challenging to find people who are genuinely subject matter experts, not just in risk but also in developing real-world solutions to business risks.
So how do you find a subject matter expert (SME)
8 months ago
Blog post
Usually, when I come across a flawed piece of research, I note it and move on. Occasionally, however, I find a piece of research with such fundamental flaws and far-reaching consequences that I feel obliged to say something.
One such paper was published recently by the CDC. "SARS-CoV-2 Infections and Hospitalizations Among Persons Aged ≥16 Years, by Vaccination Status — Los Angeles County, California, May 1–July 25, 2021."
The CDC paper looks excellent at face value.
9 months ago
Blog post
If you missed the webinar, you can watch a recording of it below or on YouTube.
In his 2008 book 'Fooled by Randomness' Nassim Nicholas Taleb introduced the theory of Black Swan events. He then turned that into the highly successful book 'The Black Swan' which is where the idea really caught the public imagination.
https://youtu.be/-BENJmseXIA
For those of you who aren't familiar with the concept already, Wikipedia summarizes it as follows.
"The black swan theory ... is
9 months ago
Blog post
Well-conceived and researched business cases play a pivotal role in improving the quality of organizational decision-making. The business case doesn't stand by itself, but is part of a toolbox for analyzing and making decisions about proposed risk treatments.
Whatever risk treatment you're considering, and whatever means you used to identify it, the business case determines and enunciates the value of that treatment. In Figure 1, I've used the ISO31000 Risk Management Standard process
1 year ago
Blog post
"Without clear objectives ... there is no business case to justify resources for risk management."
It should be no surprise that a clear, well-written risk management policy is an essential part of any risk management framework. It establishes the foundation and mandate for implementing risk management within an organization. Ideally, it should be a succinct document reflecting the organization's context and written in a style that can be easily understood and applied.
If y
1 year ago
Blog post
I've seen policy documents that were 50 pages long, which is crazy because nobody reads them. They often end up including procedures, details from other activities, and telephone numbers of people to contact. Who has time to update a policy every time the contact person changes?
Policy documents should be succinct.
"A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and is implemented as a procedur
1 year ago
Blog post
We are programmed to seek certainty wherever we can. Some people (we call them forecasters or influencers) seek fame and fortune by selling certainty as a product. If you've read my article that talks about the Dunning-Kruger effect, you'll know what I think of such overconfidence. A better solution is to have a good handle on some risk management strategies and be resilient. The Scout motto of 'be prepared' is good advice.
Risk management was probably never a simple thing. Perhaps
1 year ago
Blog post
When I joined the Department of Health and Ageing (yes, that's the correct spelling), my mandate was to "build a risk management framework and embed it across the Department." Easy to say - not so easy to do.
In my view, a good RMF is essential. The ISO31000 risk management standard (in the 2009 version) opens Section 4 with the following assertion.
"The success of risk management will depend on the effectiveness of the management framework providing the foundations and
1 year ago
Blog post
Many people ask the wrong question when they are trying to grow a business. New entrepreneurs often start with a good business idea, and then as the business grows, they ask questions such as "How can I get to 20,000 subscribers?" or "How can we grow revenue to $20 million?"
Those are the wrong questions. Revenue is easy. Just undercut everyone else, and you'll have revenue. But you won't last long. For most businesses, a better question would be, "How and whe
1 year ago
Blog post
I've written about my version of what a fully featured enterprise risk management (ERM) system should, or at least could, look like. During a recent conversation with some colleagues, I was reminded that most people's primary problem with ERM is still the same 'hours in the day' (aka resources & funding) problem.
There is so much I could say about software and frameworks, and perhaps I'll write about that in another article, but in terms of finding the resources that you know you
2 years ago
Blog post
I often find people have varying ideas about 'enterprise risk management' and many managers think it means identifying and treating every risk across an organization. While that sounds nice in theory, the reality of ERM is that we need to understand the organization as a whole. The idea is to understand and manage the risks for the overall organization, not the individual parts.
In explaining (my view of) enterprise risk management over the years, I've evolved this mental model. Hope
2 years ago
Blog post
It could be my childhood upbringing and influences in life that steered me into risk management. My father fled communist Russia at 10 with his brother and whatever he could carry on his back. He eventually made it to China but his father, brother, cousins, and grandparents weren't so lucky. My father-in-law had a similar experience fleeing partition in Bengal with his life. Perhaps those stories and experiences have colored my thinking. I'm sure they have, and perhaps th
2 years ago
Blog post
There are better tools for risk assessment than risk matrices.
But, contrary to some opinion, they are not without some utility. So if your organization still insists on using them, here are at least two basic issues that are easy to fix when using a risk matrix.
The first is failing to identify the risk. You can't calculate a likelihood and consequence for a one-word risk such as 'Terrorism'. Even a short phrase such as 'loss of funding' or 'inadequate resources' will have di
2 years ago
Blog post
I used to believe in climate change.
Growing up in the 1960s, our backyard abutted the grounds of one of the largest sugar mills in Australia. My brother and I spent many happy hours fishing for tadpoles with mates in the lime pits and building forts among the long grasses of 'our' 5-acre paddock. Our father was Chief Chemist at Millaquin Sugar Mill, and the creator of Bundaberg Rum, still the most popular rum in Australia.
In the 1960s, information about diabetes and the risk
2 years ago
Blog post
This looks like an article on risk management. And it sort of is. But actually, it's about business management. A challenge and an invitation to organizations that want to go to the next level.
Culture
When it comes to risk management we often make our decisions based on emotions. We get wrapped up in processes, compliance, and guesstimation of risks. Tools such as quantitative risk analysis (QRA) are helpful, of course, but they are just tools. In the end, risk management is
3 years ago
Blog post
If you have been thinking about writing a non-fiction book, here is the process I use:
1. Block out a few weekends to write the book. How hard can it be? Right?
2. Discover, too late, that you need another hundred weekends and late nights.
3. Press on, and write until the entire thing blurs together and the the the, typos are invisible too ewe.
4. Breathe deep, take a walk around the room, and reach for (another?) whiskey.
5. Finally, hold your head in
3 years ago
Blog post
I pressed the phone hard to my ear and leaned forward, trying in vain to reduce the 6,000 km gap and said “Sorry, could you repeat that question please.”
I was in Sumatra and the interview team were in Canberra, Australia. It was the early days of satellite IP telephony. Sometimes it worked well. One of the interviewers replied, “Of course. Can you … when … risk management … And how … main … Thanks.”
I had only the vaguest idea of the question but this was the fifth time they
3 years ago
Blog post
BowTie is one of my favorite risk management tools. It supports a complex analysis but is so simple that even a five-year-old can understand it. It is also visual, which makes it a great communication tool.
BowTie analysis draws its name from its shape, reminiscent of a traditional necktie. The precise origin of this method is unclear, but it seems to have evolved from cause and consequence diagrams in the 1970s. A major limitation of ‘cause-event-consequence’ diagrams is
4 years ago
Titles By Julian Talbot
Even without having met you, I'm going to suggest that finding sufficient funds to do what you know you need to do is probably your biggest challenge right now. This book was designed with one purpose in mind - to help you get the resources you need to support the right risk treatments. It was born when a friend of mine asked me one day, "how can I demonstrate the business case for my risk treatments?" That simple question proved much more difficult to answer than I would have thought. It did, however, prompt me to change one of my master's electives to conduct a research project into the business case for investments in risk management. That, in turn, led me to create a training course on the topic, and before long, the workbook from that course became this book.
The book draws on research from a range of disciplines and, using generous color graphics, is designed to take you through the full process of initiating, researching, developing, analysing, writing and finally presenting a business case. Although the focus is on business cases for risk treatments, you don't need to be a risk expert and the same concepts are applicable to any business case.
It's been designed with simple tips to get you started including:
- The 4C's of defining a problem?
- The 4A's of defining a recommended solution
- ESIEAP (The Hierarchy of Controls) to determine which type of risk treatment is better?
- The 8 simple steps that you can do on a single sheet of paper to determine whether your proposed business case has merit.
- How to use the 4A's, 4C's and ESIEAP to spot a poor business case in under 5 minutes (including self-assessing your business case before the boss does).
If you've been struggling to get your IT project, portfolio planning, safety, security or finance business cases funded, then this is the book for you. In just a few short hours you can know all you need to know to develop a great business case.
The Security Risk Management Aide-Mémoire includes a range of models and tools to help security professionals to brief clients, conduct security risk assessments, facilitate workshops, draft reports, and more. Much of it is from the Security Risk Management Body of Knowledge with some new material reflecting updates such as ISO31000:2018 Risk Management Standard.
The book addresses all domains of security risk management but assumes you are already somewhat familiar with the contents and the specifics of your profession. The tools and models are complementary. Pick the ones that work best for you and ignore the rest or keep them in your back pocket for another day. You can download all the graphics and models for free from www.srmam.com
Security Risk Management Body of Knowledge details the security risk management process in a format that can easily be applied by executive managers and security risk management practitioners. Integrating knowledge, competencies, methodologies, and applications, it demonstrates how to document and incorporate best-practice concepts from a range of complementary disciplines.
Developed to align with International Standards for Risk Management such as ISO 31000, it enables professionals to apply security risk management (SRM) principles to specific areas of practice. Guidelines are provided for: Access Management; Business Continuity and Resilience; Command, Control, and Communications; Consequence Management and Business Continuity Management; Counter-Terrorism; Crime Prevention through Environmental Design; Crisis Management; Environmental Security; Events and Mass Gatherings; Executive Protection; Explosives and Bomb Threats; Home-Based Work; Human Rights and Security; Implementing Security Risk Management; Intellectual Property Protection; Intelligence Approach to SRM; Investigations and Root Cause Analysis; Maritime Security and Piracy; Mass Transport Security; Organizational Structure; Pandemics; Personal Protective Practices; Psychology of Security; Red Teaming and Scenario Modeling; Resilience and Critical Infrastructure Protection; Asset-, Function-, Project-, and Enterprise-Based Security Risk Assessment; Security Specifications and Postures; Security Training; Supply Chain Security; Transnational Security; and Travel Security.
Security Risk Management Body of Knowledge is supported by a series of training courses, DVD seminars, tools, and templates. This is an indispensable resource for risk and security professionals, students, executive management, and line managers with security responsibilities.
Most of us are promoted, however, because we are technically proficient at our core skills, not because we are born leaders. That technical proficiency, plus perhaps a positive attitude and the willingness to accept responsibility, got us noticed, but none of those abilities automatically makes you a born supervisor, leader or manager.
I'm certainly not a natural born leader. Most of what is covered in this book was learned the hard way - through trial and error. I think I can safely say that I still continue to make new and inventive mistakes, but because I continue to learn from them, I have many lessons to share. I have also been fortunate to have great mentors, attend some excellent training and have learned much from some terrific books.
This book is designed as a quick and easy read to provide the best of my practical tips to help you:
- Communicate more effectively with your team
- Manage meetings in a way that is more productive and takes less time
- Motivate staff to want to achieve
- Write effective and succinct reports
- Understand the mumbo-jumbo language of management systems
- Make better decisions faster
In a nutshell, this book is designed to reduce your stress, allow you to spend more time with family, improve your sense of job satisfaction and lead you inevitably towards your next promotion. What I have compiled is a book based on decades of hands-on leadership and management experience. It is quite simply a compendium of... "the things that I wished I had known BEFORE I was first promoted to a leadership role".
Leadership is one of the hardest but most rewarding things you will ever do. For me at least, supporting and helping others to grow, is probably the most rewarding thing that I have done in my career. It is my hope that this book will save you at least a little pain on your own leadership journey, but more importantly, that it will help you to achieve your goals and to develop as a leader. Best of luck to you with your journey of self-discovery.
Because everyone's time is short, we've condensed those 50 years into 50 pages of practical advice that can be applied immediately. It addresses questions such as: "How do I tell if the $x million spent actually delivered benefits or reduced risk?", "How do I know how my organization is performing against its peers in terms of ROI on risk mitigations?" Using illustrations, examples and appropriate tools, this book offers a range of methods and guiding principles to help develop effective Key Performance Indicators and scorecards which align your risk management processes to organizational objectives.