At Risk Awareness Week 2020, Julian Talbot, risk author and consultant, shared his top insights from over twenty years in risk management.

1. It’s never what you think

Key example: “One example, is the world of high reliability organisations which is a well-studied area looking at things like nuclear aircraft carriers, power plants, and air traffic control.

“These are highly complex and inherently dangerous systems with constant activity and things that could go wrong and yet they’re often one of the safest places to work. They are one the lowest risk environments.”

Lessons: “A lot of it comes down to culture. You manage risk at the point at which it occurs and a simple example is if you look at an aircraft coming into land, the pilot is in charge of the aircraft… but there’s no question that if somebody down there at the point in which the risk is occurring called a halt or wants to change something, they have the power to make that decision right there and that’s a really key part of this.”

2. Risk is not the effect of uncertainty on objectives

The problem: “I love ISO 31000 for its elegance and I really liked the definition of risk as the effect of uncertainty on objectives. It’s not perfect by any means, but I love that it includes a broad church… that includes positive and negative consequences.

“The problem is that outside ISO 31000 the rest of the world thinks risk is bad, risk is negative. Pick up any dictionary and look for risk and you’ll find it’s all about adverse outcomes.”

Talbot’s solution: “We need to think about how we define risk and a new lexicon.

“Perhaps we need to think of the medical approach where they use words like tension pneumothorax which only means one thing to a medical professional or an ambulance officer. For anybody working in that space it is immediately obvious what it is.”

3. Risk management equals future management

Talbot says: “We are trying to shape the future and trying to create the future… So, for me, risk management is about future management.

“We know so little about our known universe – that the potential for where we go with this discipline of risk management now is unlimited and we need to be thinking about that.”

4. Blind spots

Talbot says: “Part of my success in life and self-awareness has been this journey of constantly looking for my blind spots. My friends who know me well, will see things about me that I don’t see and vice versa I see things that seem obvious to me but are invisible to them and when we’re doing risk management it’s the same.”

Lesson for risk managers: “As part of a risk study you will be interviewing executives and frontline managers and all sorts of people to find out what’s going in the organisation. Throw that question in there, ask them – What are the blind spots? What is the boss not seeing? etc.”

5. RIP Black swan events

Talbot says: “One of the blind spots we think about are Black Swan events, so this concept of events which come out of nowhere, that are unanticipated, or that perhaps couldn’t be calculated by probability calculations but have a large effect on history.

“My view is it’s 2020, we’ve had catastrophic bushfires in Australia and California we’ve had locust plagues in East and Central Africa, we’ve had pestilence, we’ve had plague, we’ve got Covid-19. We’re facing what may be the biggest depression in recorded history. I don’t think we can afford to say anymore ‘oh sorry boss a Black Swan came out of nowhere.”

Lesson for risk managers: “It’s our job as risk managers to make the black swans visible… Swans come in all colours and we either need to be predicting them or using our imagination to see them. It’s lazy risk management to say sorry that was a Black Swan, I didn’t see it coming boss, better luck next time. The public and the world deserves better.”

6. Swiss cheese = causal chains

The swiss cheese model: “One of the more interesting aspects is Swiss cheese as a model with barriers being modelled as slices of cheese and if all the holes line up then you get this scenario where risk manifests.

“But more interestingly, in every fatal or significant mishap that I’ve looked at, multiple things had to ‘go wrong’ or barriers had to fail, any one of which, if that link had been broken in that chain, would have reduced the magnitude.”

Example: Piper Alpha was an oil rig. In 1988 in the North Sea, a series of failures caused first a major oil fire and then a catastrophic gas explosion. This took a dozen things going wrong before this manifested as a major risk and a tragic fatality for 167 men and their families and their friends.

Lesson for risk managers: Putting this to a causal chain model with bow ties and a whole range of other things is a great way of looking at risks. Even if you use this concept to model near-miss events – a really thorough analysis is probably going to prevent major fatalities.”

7. Rock pools of risk

The concept: “The idea is that if your enterprise is a rock pool there are high points where you can stand on a rock and you’ll be out of the water. There will be points where you’re walking through the sandy base and there’s a level of risk that’s up to your shins and you’re happy with that. And then is as you walk through the rock pool there are going to be bits of coral and hidden holes where you could turn an ankle or injure yourself severely.”

Applied for risk managers: “People often have this idea that risk management at an enterprise level is about documenting all the risks, putting in place a piece of software, and sending people out around the world to look at your facilities and all the exposures. That’s playing whack-a-mole really. You’re going to see death by a thousand cuts really trying to treat enterprise risk by that way.

“What you need to do is aggregate the risks in a way that you can say OK here’s my risk criteria, my risk appetite, my tolerance – and wherever my facilities are, or my people are operating, or whatever my projects are I want them to have more or less the same risks.”

“The idea is not to bring a truck load of sand to fill this rock pool up so that you’re not walking through any water because that’s a wasteful use of resources. What you’re trying to do in this analogy is understand that topography.

“Then you can say: this is the high ground, it’s way safer than the rest of my financial portfolio, for example, so I might move some of that money or some of those resources, some of those people, by metaphorically rolling one of those rocks into a hole.”

8. Thank you, Covid-19

Talbot says: Covid-19 is tragic in terms of the deaths and the economic impact and the illness that it’s causing and the stress for people… but it is preparing us for what we know is inevitably going to be a worse pandemic – a higher risk and worse disease load.

“My key insight into this is anything we treat for a known event has got downstream consequences for a Black Swan, a Green swan etc. Things we don’t anticipate will always benefit from steps we take now and sometimes it’s worth spending a little extra or thinking about the possible additional benefits of these risks.”

9. Fooled by randomness

The problem: “We attribute success to our own skill when quite often it’s actually luck.”

Example: “When you put your money into a managed fund you try to pick one that’s been successful and has outperformed. But if we think about the index for a stock market, 95% of managed funds fail to beat the index.”

10. Geniuses they may be

The problem: It’s tempting to believe that other people know more than you. Especially when they are very confident.

Case study: “Long-Term Capital Management was a hedge fund, where a series of geniuses, Nobel laureates and PhDs started an options hedge fund. They made 40% a year for five years, fantastic returns, money was piling in, everybody wanted to be part of this.

“After year five the Russians defaulted on the Rouble and Long-Term Capital Management almost brought down the entire financial market.”

RISK-ACADEMY offers online courses

+ Buy now

+ Buy now

+ Buy now

Related

California construction company uses OpenText EnCase and OpenText Security Services to reduce risk.

WATERLOO, Ontario, Nov. 24, 2020 /CNW/ — OpenText (NASDAQ: OTEX), (TSX: OTEX), today announced that Webcor, a premier provider of commercial construction services throughout California, worked with OpenText to improve their security expertise, find and mitigate threats, and reduce the company’s cyber risk profile. During a presentation today at Enfuse On Air 2020, the companies discussed how OpenText experts helped Webcor improve their overall cyber resilience.  

“OpenText was very effective in risk mitigation, and in defining the scope of work necessary to improve our security posture,” said Kim Bates, Vice President, CIO at Webcor. “They gave us the security framework that we needed to implement at Webcor. Without OpenText, our risk profile would be much higher.”

Early in 2020, Webcor knew it needed to investigate potential threats across the organization’s endpoints and devices, including: laptops, desktops, and servers. Webcor initially engaged OpenText Managed Security Services to augment the Webcor IT staff and increase its security expertise.

“To effectively and…

Read More…

While most of us have been understandably focused on the presidential election, the State of California has passed significant new privacy legislation that may have a substantive impact on your business. Specifically, Californians voted to pass Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA will replace the California Consumer Privacy Act (CCPA) beginning January 1, 2023. While many may be quick to label this as “CCPA 2.0,” the CPRA has a much broader set of rights and obligations than the CCPA, which may create new compliance hurdles for covered businesses.

Timing

The CPRA takes effect on January 1, 2023. However, it will have a “look back” period to January 2022, meaning that personal information collected by businesses starting January 1, 2022 will be subject to the CPRA’s requirements. Until that time, the CCPA remains in force.

Key Provisions

The CPRA appears to be moving California’s privacy regulations even closer to the requirements of the European Union’s General Data Privacy…

Подробнее…

SUNNYVALE, Calif., Nov. 16, 2020 (GLOBE NEWSWIRE) — Proofpoint, Inc. (NASDAQ: PFPT), a leading cybersecurity and compliance company, today announced that it has been named the winner of the “Overall Enterprise Email Security Solution Provider of the Year” award in the fourth annual CyberSecurity Breakthrough Awards program conducted by CyberSecurity Breakthrough, a leading independent market intelligence organization that recognizes the top companies, technologies and products in the global information security market today.

“Proofpoint is a pioneering leader in the cybersecurity industry and their continued commitment to innovation and breakthrough detection and protection techniques are unparalleled,” said James Johnson, managing director, CyberSecurity Breakthrough. “We fully anticipate that business email compromise (BEC) and other enterprise email threats will continue to increase in volume and complexity, and we are pleased to see Proofpoint tackle this challenge head-on with an extremely powerful and targeted platform to keep email communications flowing. Congratulations to Proofpoint on their continued success and well-deserved 2020 CyberSecurity…

Read More…

St Mel School, a Catholic academy of the LA Archdioceses for kindergarten through 8th Grade students has partnered with California-based tech company, Heed Consulting Group, to take on the responsibility of Cyber Risk Management and IT Support.

The partnership enhances the school’s cybersecurity awareness with Heed, bringing to the table years of experience, expertise, and success in preventing cybercrimes.

As more schools adopt online classes due to the pandemic, cyber-attacks are prone to increase. In one of the most recent cyberattacks on schools, Fairfax County Public Schools in Virginia, one of the country’s largest school districts, was attacked during the first week of classes. The hackers successfully exfiltrated student, staff, and faculty data from the network. As proof, the group uploaded about 2% of the data they stole and demanded payment to restore the systems and the data.

Video Link: https://www.youtube.com/embed/qgkJAxlcX_8

Such cyber incidents are a colossal dent to a school’s reputation as it leads to a whirlwind of students’ mass exodus. As a solution, Heed Consulting Group is fighting…

Read More…

SUNNYVALE, Calif.–(BUSINESS WIRE)–Fal.Con 2020 ––CrowdStrike Inc. (Nasdaq: CRWD), a leader in cloud-delivered endpoint and cloud workload protection, announced the latest cloud-native endpoint and workload security capabilities and key partnerships at Fal.Con 2020.

Product Roadmap Takes Limelight at Fal.Con 2020

CrowdStrike expands its product offerings to advance Zero Trust capabilities, introduce a new cloud module, enhance endpoint protection offerings and more to support detection, response and threat intelligence teams in defending against cyber threats.

Highlights include:

• Zero Trust Assessment: CrowdStrike’s newly introduced Zero Trust Assessment (ZTA) capability delivers continuous real-time security posture assessments across all endpoints in an organization regardless of the location, network or user. This announcement builds on CrowdStrike’s investment in advancing its Zero Trust capabilities with the acquisition of Preempt Security.
• Falcon Horizon: The CrowdStrike Falcon Horizon module protects multi-cloud environments by automating cloud security management across the application development lifecycle for any cloud, enabling customers to…

Read More…

]]> https://risk-academy.ru/california-to-expand-cal-osha-authority-in-covid-19-mitigation/ Tue, 13 Oct 2020 11:00:51 +0000 https://risk-academy.ru/california-to-expand-cal-osha-authority-in-covid-19-mitigation/

Last month, California enacted legislation providing greater authority to Cal/OSHA in terms of COVID-19 mitigation efforts. Husch Blackwell’s Donna Pryor highlights AB 685 and explains what it will mean for employers.

On September 17, 2020, California Governor Gavin Newsom signed into law AB 685, effective January 1, 2021 through January 1, 2023. The law authorizes the Division of Occupational Safety and Health of California (Cal/OSHA) to determine that an exposure to COVID-19 at the workplace constitutes an imminent hazard to employees, to prohibit entry into and operations of the business in the immediate area in which the hazard exists and to require private and public employers informed of a potential COVID-19 exposure or infection among its workforce to comply with notice and reporting requirements. The law’s stated objective is to enable workers, agencies and the public to collectively minimize the risk of transmission of COVID-19 in the workplace. Cal/OHSA has published guidelines for employers to assist in compliance.

What is Considered Notice of a Potential Exposure?

Individuals at the workplace who present a risk of infection of COVID-19 that potentially exposes other workers are considered “qualifying individuals” if they have:

• Confirmation by a laboratory that they are positive for…

Подробнее…

]]> https://risk-academy.ru/cyber-criminals-targeting-third-party-service-providers/ Wed, 07 Oct 2020 14:32:13 +0000 https://risk-academy.ru/cyber-criminals-targeting-third-party-service-providers/

“Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”

Read next: Ransomware attacks are increasingly involving data theft

However, since this statement, one class action lawsuit filed against Blackbaud in California on September 11, suggests that the perpetrators did in fact access private information, and that the cyber services provider was “unacceptably cagey with regards to the specifics” of the breach, according to a ClassAction.org report.

Lawsuits aside, one thing is clear. The Blackbaud breach, which impacted Ambrose University in Alberta, is a good example of third-party cyber supply chain risk. Candid Wüest, vice president of cyber protection research at Acronis, commented: “We’ve been talking about supply chain and third-party cyber risk for…

Read More…

]]> https://risk-academy.ru/bassett-lewis-goals-lift-colorado-rapids-past-la-galaxy-2-0/ Sun, 20 Sep 2020 05:31:16 +0000 https://risk-academy.ru/bassett-lewis-goals-lift-colorado-rapids-past-la-galaxy-2-0/

CARSON, Calif. (AP) — Cole Bassett and Jonathan Lewis scored and the Colorado Rapids beat the LA Galaxy 2-0 on Saturday night.

Colorado (4-4-4) rebounded from a 4-1 loss to FC Dallas on Wednesday night. The Galaxy (4-4-3) had their six-match unbeaten streak snapped.

Sam Vines lofted the ball from distance to Bassett, who fired his shot from the center of the 6-yard box in the 40th minute for his third goal of the season. Lewis scored on a right-footed shot at close range from the center of the goal in the 78th.

Sebastian Lletget’s header attempt sailed over the crossbar in the 71st minute for the Galaxy.

William Yarbrough made four saves for the Rapids. David Bingham had two for the Galaxy.

The Galaxy entered having won 24 of 38 all-time meetings at home, outscoring Colorado by more than 2-1.

Copyright © 2020 . All rights reserved. This website is not intended for users located within the European Economic Area.

Read More…

]]> https://risk-academy.ru/drumz-plc-investment-yahoo-finance-uk/ Mon, 07 Sep 2020 06:22:14 +0000 https://risk-academy.ru/drumz-plc-investment-yahoo-finance-uk/ Drumz Plc – Investment  Yahoo Finance UK

Read More…

]]>