Becoming a risk manager can seem to be more art than science. There’s not a clear pathway from degree to junior risk manager to senior risk manager to CRO (Chief Risk Officer) in the same way that you can chart the progress from freshly minted CPA (Certified Public Accountant) to head of Ernst & Young. (Financial risk management is the exception here as there is usually a clear path there.)

So why is the risk manager career path fuzzy compared to other professions?

Risk management is a less structured profession

First, I think there are many risk managers for whom risk is a secondary element of their…

Security is a guiding principle for DCDR, and protecting user data has been baked in from the start. However, there’s more to data security than restricting access and managing user permissions. I’ve used the INFOSEC abbreviation CIA — confidentiality, integrity, and availability — as a guide to help determine the steps required to protect your data while also ensuring that the system does what it’s supposed to. Overall, the intent is to ensure:

• Confidentiality — only those authorized by the owners of the data can see it.
• Integrity — the data in the system can be trusted to be accurate…

Googling ‘what is a risk manager?’ will get you variations on ‘it’s the person who manages that organization’s risks,’ which is a pretty weak answer. It’s certainly not enough to help anyone who’s just starting in the role to understand what they’re supposed to do. Similarly, if someone’s thinking about this as a career, we need a bit more.

So here’s a more detailed answer.

‘A risk manager is a person who helps an organization achieve success by understanding, managing and responding to its risks.’

That’s a lot better, but I want to go deeper and see what that means…

This is a very short post which should work because it’s a very simple idea. Obviously, I’m a fan of simple ( this is KISS risk management after all) but, as with lots of simple ideas, the trick is sticking to the idea and seeing it through without getting distracted.

The idea is that you use the Pareto principle, or 80 / 20 rule, when you’re thinking about your risk management system. In short, the principle or rule is:

80% of X arises from 20% of Y

There are countless blog posts and books about the principle and you can…

How can you spot the point where a risk — a thing that could occur — becomes an event that is occurring? I’d argue that you don’t need to identify the specific point of change, and you’ll waste valuable time trying to spot the exact moment of transition. Most importantly, if you wait to see the transition point, your response will be on the back-foot from the get-go.

Phase transitions (I): water to ice or steam

Phase transition is the point where a gas turns into a liquid or a liquid to a solid: it’s the point where the state of matter changes. …

I looked back at some of my degree notes the other day and came across something I’ve been meaning to work on for a long time. (By long time, I mean about 10 years*.)

It’s based on two concepts. First, the work that Brian Toft, Simon Reynolds and Barry Turner did with respect to how disasters evolve and how we can learn from them. The second concerned how to differentiate between emergencies and crises. Bringing these concepts together gives us a model or framework for how risks become events and how these events can become disasters.

There might be bigger…

I realized a while back that it can be too easy to mistake ‘simple’ with ‘easy’ and I’ve been concerned that promoting a simple approach to risk management might lead people to think that this makes everything easy. Unfortunately, even though a KISS approach makes risk management easier, it doesn’t do away with the need for hard work altogether. Worst of all, it can be easy to mistake shortcuts for simplification.

I made the same mistake myself recently with my running.

I’m hoping to tackle a longer race this fall (although to be honest this seems less and less likely…

As risk managers, we spend a lot of time working out how to get things done.

After all, the risk assessment is just the start of the process. Once you’ve identified your risks and worked out how to address them, you need to get down to work: then the actual management part begins.

Determining ownership for many risks will be relatively straightforward and departments will often fight very hard to maintain ownership of risks that fall within their remit.

(This is why we also need good governance. Even though the subject matter experts (SMEs) are often best placed to manage…