Something went wrong. Please try your request again later.
Follow to get new release updates and improved recommendations
About Julian Talbot
Customers Also Bought Items By
Are you an author?
Help us improve our Author Pages by updating your bibliography and submitting a new or current image and biography.
Author Updates
-
-
Blog postTL;DR: It's about culture. If you have to 'operationalize' risk management, whatever you're doing isn't risk management.
Risk management isn't self-licking ice cream, and it shouldn't (in theory) exist for its own sake. The clue is in the name. Management is a process, and like any other process, there should be an input, process, output, and a feedback loop.
Risk assessments (should) lead to treatment plans, and these treatment plans become management systems (e.g., procedure -
Blog postI've just finished giving a presentation at the ISC2 2021 Security Congress and several people asked for a copy of the slides.
I hope they are useful. Please feel free to use them and adapt them. I would appreciate if if you reference www.juliantalbot.com but my main mission is to get some useful tools out into the world where they can be applied.
You can find some more templates and the like under the DOWNLOADS menu above as well as at www.srmam.com. The Security Risk Managem -
Blog post“An expert is someone who has made all the mistakes in a field that can possibly be made.” - Niels Bohr There is an entire industry built around the idea of risk management consulting. The industry is perhaps more than just an idea, but arguably it is not yet a mature profession. It can be challenging to find people who are genuinely subject matter experts, not just in risk but also in developing real-world solutions to business risks.
So how do you find a subject matter expert (SME) -
-
Blog postUsually, when I come across a flawed piece of research, I note it and move on. Occasionally, however, I find a piece of research with such fundamental flaws and far-reaching consequences that I feel obliged to say something.
One such paper was published recently by the CDC. "SARS-CoV-2 Infections and Hospitalizations Among Persons Aged ≥16 Years, by Vaccination Status — Los Angeles County, California, May 1–July 25, 2021."
The CDC paper looks excellent at face value. -
Blog postIf you missed the webinar, you can watch a recording of it below or on Youtube.
In his 2008 book 'Fooled by Randomness' Nassim Nicholas Taleb introduced the theory of Black Swan events. He then turned that into the highly successful book 'The Black Swan' which is where the idea really caught the public imagination.
https://youtu.be/-BENJmseXIA For those of you who aren't familiar with the concept already, Wikipedia summarizes it as follows.
"The black swan theory ... is -
Blog postWell-conceived and researched business cases play a pivotal role in improving the quality of organizational decision-making. The business case doesn't stand by itself, but is part of a toolbox for analyzing and making decisions about proposed risk treatments.
Whatever risk treatment you're considering, and whatever means you used to identify it, the business case determines and enunciates the value of that treatment. In Figure 1, I've used the ISO31000 Risk Management Standard process -
-
Blog post"Without clear objectives ... there is no business case to justify resources for risk management." It should be no surprise that a clear, well-written risk management policy is an essential part of any risk management framework. It establishes the foundation and mandate for implementing risk management within an organization. Ideally, it should be a succinct document reflecting the organization's context and written in a style that can be easily understood and applied.
If y -
Blog postI've seen policy documents that were 50 pages long, which is crazy because nobody reads them. They often end up including procedures, details from other activities, and telephone numbers of people to contact. Who has time to update a policy every time the contact person changes?
Policy documents should be succinct.
"A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and is implemented as a procedur -
-
Blog postWe are programmed to seek certainty wherever we can. Some people (we call them forecasters or influencers) seek fame and fortune by selling certainty as a product. I've you've read my article that talks about the Dunning-Kruger effect, you'll know what I think of such overconfidence. A better solution is to have a good handle on some risk management strategies and be resilient. The Scout motto of 'be prepared' is good advice.
Risk management was probably never a simple thing. Perhaps -
Blog postWhen I joined the Department of Health and Ageing (yes, that's the correct spelling), my mandate was to "build a risk management framework and embed it across the Department." Easy to say - not so easy to do.
In my view, a good RMF is essential. ISO31000 risk management standard (in the 2009 version) opens Section 4 with the following assertion.
"The success of risk management will depend on the effectiveness of the management framework providing the foundations and -
Blog postMany people ask the wrong question when they are trying to grow a business. New entrepreneurs often start with a good business idea, and then as the business grows, they ask questions such as "How can I get to 20,000 subscribers?" or "How can we grow revenue to $20 million?"
Those are the wrong questions. Revenue is easy. Just undercut everyone else, and you'll have revenue. But you won't last long. For most businesses, a better question would be, "How and whe -
-
Blog postI've written about my version of what a fully featured enterprise risk management (ERM) system should, or at least could, look like. During a recent conversation with some colleagues, I was reminded that most people's primary problem with ERM is still the same 'hours in the day' (aka resources & funding) problem.
There is so much I could say about software and frameworks, and perhaps I'll write about that in another article, but in terms of finding the resources that you know you -
Blog postI often find people have varying ideas about 'enterprise risk management' and many managers think it means identifying and treating every risk across an organization. While that sounds nice in theory, the reality of ERM is that we need to understand the organization has a whole. The idea is to understand and manage the risks for the overall organization, not the individual parts.
In explaining (my view of) enterprise risk management over the years, I've evolved this mental model. Hope -
Blog postIt could be my childhood upbringing and influences in life that steered me into risk management. My father fled communist Russia at 10 with his brother and whatever he could carry on his back. He eventually made it to China but his father, brother, cousins, and grandparents weren't so lucky. My father-in-law had a similar experience fleeing partition in Bengal with his life. Perhaps those stories and experiences have colored my thinking. I'm sure they have, and perhaps th
-
Blog postThere are better tools for risk assessment than risk matrices.
But, contrary to some opinion, they are not without some utility. So if your organization still insists on using them, here are at least two basic issues that are easy to fix when using a risk matrix.
The first is failing to identify the risk. You can't calculate a likelihood and consequence for a one-word risk such as 'Terrorism'. Even a short phrase such as 'loss of funding' or 'inadequate resources' will have di -
Blog postI used to believe in climate change.
Growing up in the 1960s, our backyard abutted the grounds of one of the largest sugar mills in Australia. My brother and I spent many happy hours fishing for tadpoles with mates in the lime pits and building forts among the long grasses of 'our' 5-acre paddock. Our father was Chief Chemist at Milliquin Sugar Mill, and the creator of Bundaberg Rum, still the most popular rum in Australia.
In the 1960s, information about diabetes and the risk -
Blog postThis looks like an article on risk management. And it sort of is. But actually, it's about business management. A challenge and an invitation to organizations that want to go to the next level.
Culture
When it comes to risk management we often make our decisions based on emotions. We get wrapped up in processes, compliance, and guesstimation of risks. Tools, such as quantitative risk analysis (QRA) are helpful of course, but they are just tools. In the end, risk management is -
Blog postIf you have been thinking about writing a non-fiction book, here is the process I use:
1. Block out a few weekends to write the book. How hard can it be? Right?
2. Discover, too late, that you need another hundred weekends and late nights.
3. Press on, and write until the entire thing blurs together and the the the, typos are invisible too ewe.
4. Breathe deep, take a walk around the room, and reach for (another?) whiskey.
5. Finally, hold your head in -
Blog postI pressed the phone hard to my ear and leaned forward, trying in vain to reduce the 6,000 km gap and said “Sorry, could you repeat that question please.”
I was in Sumatra and the interview team were in Canberra, Australia. It was the early days of satellite IP telephony. Sometimes it worked well. One of the interviewers replied, “Of course. Can you … when … risk management … And how … main … Thanks.”
I had only the vaguest idea of the question but this was the fifth time they -
Blog postBowTie is one of my favorite risk management tools. It supports a complex analysis but is so simple that can even a five-year-old can understand it. It is also visual which makes it a great communication tool.
BowTie analysis draws its name from its shape reminiscent of a traditional necktie. The precise origin of this method is unclear, but it seems to have evolved from cause and consequence diagrams in the 1970s. A major limitation of ‘cause-event-consequence’ diagrams is
Titles By Julian Talbot
Business Cases for Risk Management: How to write a killer business case that gets your risk treatments funded!
Jun 25, 2014
$9.99
Other Formats:
Paperback
