CISO2CISO.COM & CYBER SECURITY GROUP

GUIDE TO EFFECTIVE RISK MANAGEMENT 3.0 – ALEX SIDORENKO – ELENA DEMIDENKO

FOREWORD
One thing that has become commonplace in the last fifteen years is the unexpected. 9-11 was
unexpected. Hurricane Katrina was unexpected. The rise of ISIS was unexpected. Target
Corporation’s point-of-sale hack, valued at more than $1 billion total impact, was unexpected.
Donald Trump’s 2016 election to President of the United States was unexpected (just ask
Hillary Clinton). Thus the unexpected, or what are commonly considered “emerging risks,” are now
less unexpected. Another way to think about this is that those “black swans” that were at one time
unknown to exist have increasingly been discovered in their hiding places, often too late to
prevent and sometimes too late to effectively mitigate their impact.
While most risk practitioners have come around to agreeing that one of the better synonyms
for risk is “uncertainty,” there is little agreement about how to better get ahead of the new
reality of this increasing uncertainty. Yet the most common question I received from senior
management and boards was “tell me what I don’t know or can’t see or have no idea is
coming that could destroy the plan or even the organization itself.”
And so risk leaders are increasingly challenged with the expectation of identifying and
addressing those risks that few, if any, can see or understand and yet can either be
massively destructive or, on the flip side, represent sizable lost opportunity. Putting more rigor
and discipline around risk processes must be part of the response. This Guide to Effective
Risk Management 3.0, authored by Alex and Elena, enables not only this rigor, but also allows
for the flexibility every practitioner needs to meet the needs of the organization for which they
work. This is not unlike the flexibility offered by ISO 31000, a flexible, adaptable standard that
refuses to acquiesce to the myopic “one right way.” To be clear, there is no such thing.
If I had to pick only three key objectives as a risk leader, those chosen by these two risk
experts are exactly what I would have selected, namely: drive risk culture, help integrate risk
management into the business and become a trusted advisor. If each of us could get even two of
these executed successfully, our strategy would come alive and the long-term process of
getting stakeholders risk aware and enabled would be more likely to succeed.
I teach risk management and related subjects regularly. Through these commitments, I see a
lot of content, formal and informal, running a wide gamut of quality and usefulness. These,
among others, represent plentiful reference resources for getting risk management done well.
Unfortunately, too many remain stuck at the conceptual and/or strategic level and make difficult the
translation of concepts and strategic goals into actionable tactics. This Guide is different.
Whether it’s the streamlined design of this Guide or the references to additional resources or
pointing to where you can find more help, this is one of the best resources I’ve come across.
No doubt it is a function of the depth of knowledge and understanding of its authors who
know what they’re talking about. This is clearly demonstrated in the way this Guide focuses on
the things that truly matter most and can make a difference when deployed. After all, risk in a
box is usually A to Z. Too bad most organizations don’t need A to Z. They need what
management and governance expects to drive their strategies and thus, it likely is only a
portion of what the “experts” might say you must do to implement effective risk management.
Thus the design is oriented towards usability, clarity of understanding and ease of use. Nothing matters
more than that in finding good solutions to risk management challenges.
