Risk Management Approaches


  • Jeroen Kraaijenbrink

    Risk is bad, isn’t it? Not always. Some risks are bad, but others you want to embrace. Why? Because they add value and allow you to serve your customers better.

    A little over a decade ago, in 2012, Robert S. Kaplan and Anette Mikes wrote a Harvard Business Review article, “Managing Risks: A New Framework.” In this article they lay out a useful typology of three types of risk:

    Type 1: External Risk
    Definition: Risks outside your control, coming from external sources
    Examples: Climate change, recession, pandemic
    Mitigation: Reduce impact in case the event occurs
    Tools: Scenario planning, war games, stress testing

    Type 2: Preventable Risk
    Definition: Risks arising from what happens within an organization
    Examples: Accidents, mistakes, fraud
    Mitigation: Eliminate or prevent to minimize occurrence
    Tools: Standard operating procedures, audits, norms and values

    Type 3: Strategic Risk
    Definition: Risks taken to create better strategic returns
    Examples: Credit risk, R&D investments, location risk
    Mitigation: Reduce likelihood and impact in a cost-effective way
    Tools: Risk maps, key risk indicators, risk-based resource allocation

    In a nutshell: external risks you want to prepare for, preventable risks you want to avoid, and strategic risks you manage carefully.

    Of the three categories, I find Strategic Risk the most interesting type. Because, unlike the other two, it can add substantial value to a company and be an important part of its strategy. This means it comes with an interesting question:
    → Can we take on MORE risk to improve the performance of our organization?

    While seemingly unnatural from a risk management perspective, it’s more common than we might think, because taking over risk from your customers is a very common way of adding more value for them. Here are some examples:
    - Any type of insurance
    - Any type of payment arrangement, especially no-cure-no-pay
    - Any type of leasing and renting model
    - Any type of X-as-a-service approach

    To finalize, here’s a high-level risk approach based on the three types:
    1. List all the risks your organization faces
    2. Categorize them in each of the three types
    3. Reduce the possible impact of the external risks
    4. Reduce the likelihood of the preventable risks
    5. Investigate which strategic risks make sense to add
    6. Manage likelihood and impact of strategic risks

    #riskassessment #forecasting #managementdevelopment

  • Antonio Vizcaya Abdo

    LinkedIn Top Voice | Sustainability Advocate & Speaker | ESG Strategy, Governance & Corporate Transformation | Professor & Advisor

    Sustainability Risk Management Framework 🌎

    This framework, adapted from Deloitte and illustrated by Antonio Vizcaya Abdo, presents a clear and structured approach to managing climate-related risks and opportunities in business. As sustainability becomes integral to decision-making, frameworks like this are increasingly essential for ensuring long-term resilience and value creation.

    The process begins with strategic alignment. It is crucial to evaluate future investments, clarify roles and responsibilities, define risk appetite, and ensure alignment with broader objectives such as the Sustainable Development Goals (SDGs).

    The next step focuses on identifying and prioritizing climate-related risks and opportunities. This involves collecting data, consulting stakeholders, defining objectives, and analyzing both physical and transition risks as well as emerging opportunities.

    A key strength of this framework lies in its integration of metrics, targets, and risk management processes. This ensures that assessments are not isolated but embedded in the organization’s broader strategy and governance structures.

    Once risks and opportunities are identified, the framework shifts to response design. This phase involves creating tailored mitigation actions and seizing opportunities through short-, medium-, and long-term solutions. To support these actions, the development of key risk indicators (KRIs) is essential. These indicators provide the means to track progress, adjust strategies, and maintain accountability across functions and business units.

    The final step emphasizes communication and transparency. Whether through standalone reports or integrated sustainability disclosures, clear communication of findings and progress is essential to meet stakeholder expectations and regulatory demands.

    Effective sustainability risk management is not just about protecting value—it is also about enabling new forms of growth, innovation, and resilience in a changing climate context. Frameworks like this offer a pathway to move from intention to implementation, turning risk into strategic opportunity through structure, foresight, and rigor.

    #sustainability #sustainable #business #esg #risks

  • Luiza Jarovsky, PhD

    Co-founder of the AI, Tech & Privacy Academy (1,300+ participants), Author of Luiza’s Newsletter (87,000+ subscribers), Mother of 3

    🚨 AI Privacy Risks & Mitigations – Large Language Models (LLMs), by Isabel Barberá, is the 107-page report about AI & Privacy you were waiting for! [Bookmark & share below].

    Topics covered:

    - Background
      "This section introduces Large Language Models, how they work, and their common applications. It also discusses performance evaluation measures, helping readers understand the foundational aspects of LLM systems."

    - Data Flow and Associated Privacy Risks in LLM Systems
      "Here, we explore how privacy risks emerge across different LLM service models, emphasizing the importance of understanding data flows throughout the AI lifecycle. This section also identifies risks and mitigations and examines roles and responsibilities under the AI Act and the GDPR."

    - Data Protection and Privacy Risk Assessment: Risk Identification
      "This section outlines criteria for identifying risks and provides examples of privacy risks specific to LLM systems. Developers and users can use this section as a starting point for identifying risks in their own systems."

    - Data Protection and Privacy Risk Assessment: Risk Estimation & Evaluation
      "Guidance on how to analyse, classify and assess privacy risks is provided here, with criteria for evaluating both the probability and severity of risks. This section explains how to derive a final risk evaluation to prioritize mitigation efforts effectively."

    - Data Protection and Privacy Risk Control
      "This section details risk treatment strategies, offering practical mitigation measures for common privacy risks in LLM systems. It also discusses residual risk acceptance and the iterative nature of risk management in AI systems."

    - Residual Risk Evaluation
      "Evaluating residual risks after mitigation is essential to ensure risks fall within acceptable thresholds and do not require further action. This section outlines how residual risks are evaluated to determine whether additional mitigation is needed or if the model or LLM system is ready for deployment."

    - Review & Monitor
      "This section covers the importance of reviewing risk management activities and maintaining a risk register. It also highlights the importance of continuous monitoring to detect emerging risks, assess real-world impact, and refine mitigation strategies."

    - Examples of LLM Systems’ Risk Assessments
      "Three detailed use cases are provided to demonstrate the application of the risk management framework in real-world scenarios. These examples illustrate how risks can be identified, assessed, and mitigated across various contexts."

    - Reference to Tools, Methodologies, Benchmarks, and Guidance
      "The final section compiles tools, evaluation metrics, benchmarks, methodologies, and standards to support developers and users in managing risks and evaluating the performance of LLM systems."

    👉 Download it below.
    👉 NEVER MISS my AI governance updates: join my newsletter's 58,500+ subscribers (below).

    #AI #AIGovernance #Privacy #DataProtection #AIRegulation #EDPB

  • Andrey Gubarev

    Delivering Cybersecurity & Compliance for Fintech companies

    All risk is enterprise risk.

    Cybersecurity Risk Management (CSRM) must be part of Enterprise Risk Management (ERM).

    Many companies think managing cyber risks is:
    ╳ Just an IT problem.
    ╳ Isolated from other risks.
    ╳ A low-priority task.

    But in reality, it is:
    ☑ A key part of the entire risk strategy.

    Here are the key steps to integrate cybersecurity risk into enterprise risk management:

    1. Unified Risk Management
    ↳ Integrating CSRM into ERM helps handle all enterprise risks effectively.

    2. Top-Level Involvement
    ↳ Top management must be involved in managing cyber risks along with other risks.

    3. Contextual Consideration
    ↳ Cyber risks should be considered in the context of the enterprise's mission, financial, reputational, and technical risks.

    4. Aligned Risk Appetite
    ↳ Align risk appetite and tolerance between enterprise management levels and cybersecurity systems.

    5. Holistic Approach
    ↳ Adopt a holistic approach to identify, prioritize, and treat risks across the organization.

    6. Common Risk Language
    ↳ Establish a common language around risk that permeates all levels of the organization.

    7. Continuous Improvement
    ↳ Monitor, evaluate, and adjust risk management strategies continuously.

    8. Clear Governance
    ↳ Ensure clear governance structures to support proactive risk management.

    9. Digital Dependency
    ↳ Understand how cybersecurity risks affect business continuity, customer trust, and regulatory compliance.

    10. Strategic Enabler
    ↳ Prioritize risk management as both a strategic business enabler and a protective measure.

    11. Risk Register
    ↳ Use a unified risk register to consolidate and communicate risks effectively.

    12. Organizational Culture
    ↳ Foster a culture that values risk management as important for achieving strategic goals.

    Integrating cybersecurity risk into enterprise risk management isn't just a technical task. It's a strategic necessity.

    💬 Leave a comment — how does your company handle cyber risk?
    ➕ Follow Andrey Gubarev for more posts like this

  • Mayurakshi Ray

    Independent Director | First Cybersecurity Board Member in India | Executive leadership - Big 4 & Multi-National Enterprises | Advisor | Chartered Accountant | Women Leadership Advocate | Mentor | Top Thought Leadership Voice

    The recent regulatory guidelines, viz. the RBI Master Directions of Nov 2023 and the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) of Aug 2024, lay added importance on cyber resilience, business continuity and disaster recovery, incident response and recovery from cyber incidents. Boards are increasingly attentive and seeking deeper insights on the organizations' preparedness to respond to and recover from cyber incidents.

    Being part of the Boards of regulated entities, I saw this quarter's IT Strategy and Technology Committee meetings, as well as the Board meetings, delve deep and enquire of the security and technology leadership, and sometimes directly of the MD/CEO, on:

    1. Cyber incidents reported, their impact and root-cause assessments. Note: for the organizations, these were mostly hits or false positives.
    2. Resilience scores, with Q-o-Q and Y-o-Y comparatives
    3. Business Continuity Drills and results
    4. Disaster Recovery exercises and results
    5. Health check report on the primary as well as the recovery sites, including cloud DR assessments
    6. Cyber / technology risk assessments
    7. Compliance and reporting (technology)
    8. Ongoing governance and improvement around the Cyber Crisis Management Plan (or similar plan, by whatever nomenclature it's defined)
    9. Adequacy of technology & security resourcing and training
    10. Data protection, with special emphasis on vendor / third party access to critical data & resources and controls around the same

    The above were some of the top discussion points, but not the only ones. As Boards are made more and more involved in and responsible for governance of the organizations' cyber security, resilience, technology governance and risk assurance, Board members will engage more regularly in discussions about cyber risks and inquire of the management their capacity, capability and readiness to respond to and recover effectively from cyber incidents. And above all, the Board would like to ensure compliance with all the relevant regulatory provisions, including on technology and #cybersecurity.

    To all Technology and Security leaders - the message is very clear: the regulators and the Boards would like to see much more than a mere tick-mark exercise, especially if you're a regulated entity.
    - read through each clause in the directions & circulars from regulators
    - assess thoroughly your current status, including process, operations, technology architecture, procedures, documentation et al.
    - perform risk assessment - technology and operations - over each part of your business
    - conduct data flow analysis, ascertain your data protection strategy
    - analyze your third party / vendor connections at all business touchpoints

    Once you analyze your current state, compare with the requirements given by regulatory directions. Then, step by step, put in the measures, updates, upgrades. These are critical steps and require expert acumen - take help from external experts, as required.

    #technologygovernance

  • Vitaly Friedman

    🧪 How To Drive Product Decisions When Data Disagrees? With practical techniques on how to triangulate and reconcile data. Discovered via Stéphanie Walter ↓

    🤔 Data always tells a story — but it’s never just a single story.
    ✅ Quantitative data ← What/When: behavior patterns at scale.
    ✅ Qualitative data ← Why/How: user needs and motivations.
    ↳ Quant usually comes from analytics, surveys, experiments.
    ↳ Qual comes from tests, observations, open-ended surveys.

    🚫 When data disagrees, it doesn’t mean that either is wrong.
    ✅ Different perspectives reveal different parts of a bigger story.
    ✅ Usually it means that there is a missing piece of the puzzle.
    ✅ Reconcile data: track what’s missing, omitted or overlooked.
    ✅ Triangulate: cross-validate data with mixed-method research.

    🚫 Teams often overestimate the weight of big numbers (qual).
    🚫 Designers often overestimate what people say and do (quant).
    ✅ Establish quality thresholds for UX research (size, sample).
    ✅ Find new sources: marketing, support, customer success.
    ✅ Find pairings of qual/quant streams, then map them together.

    People tend to believe what they want to believe. This goes for personal decisions, but also for any conducted research. If it shows the value of a decision already made, there will be people embracing it at full swing and carrying it forward fiercely, despite obvious blunders and weak spots. And sometimes, once a decision has been made, people find a way to frame insights from the past into their new narrative, inflating the value of their initiatives.

    The best thing you can do is to establish well-defined thresholds for research — from confidence intervals (95%) and margin of error (<5%) to selecting user profiles and types of research.

    Risk-averse teams tend to overestimate the weight of big numbers in quantitative research. Users tend to exaggerate the frequency and severity of issues that are critical for them. So as Archana Shah noted, designers get carried away by users’ confident responses and potentially exaggerate issues, sometimes even the wrong ones.

    Raise a red flag once you notice decisions made on poor research, or hasty conclusions drawn from good research. We need both qual and quant — but we need both to be reliable. And: it’s not that one is always more reliable than another — they just tell different parts of a whole story that isn’t completed yet.

    Useful resources:
    What To Do When Data Disagrees, by Archana Shah
    https://lnkd.in/ejt2E-Cc
    Mixed-Method UX Research, by Raschin Fatemi
    https://lnkd.in/eb3xsQ-B
    A Step-by-Step Framework For Mixed-Method Research, by Jeremy Williams
    https://lnkd.in/eUpbf5uZ

    [continues in the comments ↓]

    #ux #research

  • Eric Partaker

    The CEO Coach | CEO of the Year | McKinsey, Skype | Bestselling Author | CEO Accelerator | Follow for Inclusive Leadership & Sustainable Growth

    The best CEOs plan for 3 different scenarios at once (this transformed my approach to uncertainty):

    I used to create one "realistic" forecast each year. Then spend 12 months explaining why we missed it.

    Everything changed when I learned this framework from a mentor who'd scaled multiple companies:

    Plan 3 scenarios. Execute 1. Adapt quickly.

    📊 BASE CASE (95% likely)
    "What happens if we maintain current performance?"
    - Focus on core strengths
    - Maintain spending discipline
    - Protect 12+ months runway

    🎯 STRETCH CASE (50/50 shot)
    "What can we achieve with focused execution?"
    - Expand into 1-2 new areas
    - Invest in proven ROI initiatives
    - Keep 6-12 months buffer

    🚀 BOLD CASE (25% moonshot)
    "What's possible if everything goes right?"
    - Transform multiple areas
    - Accept lower margins for growth
    - Operate with 3-6 months runway

    The magic isn't having 3 spreadsheets. It's what happens when reality unfolds:

    Q1 tracking to BASE?
    → You've already planned for efficiency
    → Team knows exactly what to protect
    → No panic, just execution

    Q2 hitting STRETCH markers?
    → Green light those strategic hires
    → Unlock the growth investments
    → Everyone knows the playbook

    Q3 approaching BOLD territory?
    → Time to accelerate aggressively
    → The plan is already approved
    → Full speed ahead

    Instead of surprising your team with pivots, they know all 3 paths from day one. Instead of emergency board meetings, you just point to which scenario you're tracking. Instead of reactive decisions, you make proactive moves based on clear triggers.

    The result?
    - Your team trusts the plan
    - Your investors respect your risk management
    - You sleep better knowing you're prepared

    Most importantly: You stop being surprised by reality. And start being ready for it.

    Every successful scale-up I know uses some version of this. Because uncertainty isn't the enemy. Being unprepared for it is.

    P.S. Ready to build your 3-scenario plan? Download my framework free: https://lnkd.in/dhn9y3zq

    ♻️ Repost to help a leader in your network.
    Follow Eric Partaker for more planning insights.

    —
    📢 Want to lead like a world-class CEO? Join one of my FREE TRAININGS THIS WEEK:
    "How to Develop the Mindset Shared by the World's Best CEOs"
    Wed, July 16th, 12 noon Eastern / 5pm UK time
    https://lnkd.in/dJRpFXnb
    "How to Successfully Scale Your Company & Become a World-Class Leader"
    Fri, July 18th, 12 noon Eastern / 5pm UK time
    https://lnkd.in/djt83NUz

    📌 LAST CHANCE TO APPLY for the CEO Accelerator cohort, starting July 23rd. Learn more here and join 40+ Founders & CEOs: https://lnkd.in/dbE5rkYB

  • Linda Tuck Chapman (LTC)

    CEO Third Party Risk Institute™ - gold-standard Certification & Certificate programs; Resource Library; management consulting; bespoke training

    Audit, Risk & Compliance (ARC): The Three Pillars of Strong Governance

    "Let me explain why Audit, Risk, and Compliance aren’t just checkboxes—they’re your governance backbone."

    I’ve had this conversation many times with peers, clients, and boards. And here’s what I often say when someone asks, “How do you build strong governance?”

    You start with ARC:
    - Audit
    - Risk Management
    - Compliance

    Each has its role, but when aligned, they become a strategic force. Let me walk you through it from experience:

    🔍 Audit is your independent lens.
    Think of Audit as the team that tells you what’s happening. Their job is to verify that controls are working, not just existing on paper.
    ▶ Example: I once saw an internal audit uncover a $500K billing discrepancy no one had noticed. That wasn’t just cost savings; it was a control failure caught before it became reputational damage.
    The best audit teams today use data analytics and real-time assurance tools to stay ahead. Traditional static audits no longer suffice.

    ⚠️ Risk is your radar.
    Risk Management isn’t about stopping risk; it’s about knowing which risks matter, and how much risk you can take to grow.
    I’ve seen risk teams run scenario analyses ahead of market expansion that flagged FX volatility. With a solid hedging plan, they avoided a 7% EBITDA hit. That’s what proactive risk management looks like.
    And right now? The strongest risk programs I’ve seen are integrating AI, ESG risk, and third-party oversight into their frameworks.

    ✅ Compliance is your moral and legal compass.
    Compliance isn’t just about avoiding fines. It’s about building trust internally and externally.
    A solid compliance program is the reason one company I worked with navigated new data privacy regulations across multiple countries without missing a beat or getting penalized.
    What’s changing? Compliance is becoming more automated, more behavior-driven, and more global. And that means compliance officers need better tech and a seat at the strategy table.

    Now here’s the key: ARC only works when it's integrated.

    When Audit, Risk, and Compliance operate in silos, things fall through the cracks. But when they collaborate, sharing insights, aligning priorities, and using common platforms, governance becomes a value driver.

    A recent PwC survey backs this up:
    - 73% of execs say ARC alignment improves decision-making
    - 65% plan to invest in integrated GRC platforms
    - Over half say Internal Audit is now a transformation partner

    If you’re leading or supporting ARC functions, my advice is simple: Don’t build walls, build bridges. The future of governance isn’t in functions. It’s in how those functions work together.

    Let me know how ARC works in your organization today. Do the functions collaborate, or still operate in silos?

    #Governance #InternalAudit #RiskManagement #Compliance #GRC #BoardEffectiveness #OperationalResilience #Leadership #3prm #tprm #GovernanceExcellence #RiskStrategy #ComplianceCulture

  • Aaron Joseph

    Streamlined Compliance for Medical Device Development

    Many medical device development teams still rely on Design Failure Modes and Effects Analysis (DFMEA) as their primary risk assessment tool. Unfortunately, there are serious shortcomings to this method for medical device risk management:

    🔹 Hazardous situations and harms can occur without any hardware or software failures (for example, due to use errors). Therefore, even a very detailed design FMEA is not comprehensive.
    🔹 Typical DFMEA methods (per the IEC 60812 standard) focus on single-point failures and do not capture sequences leading to harm.
    🔹 DFMEA depends on details of hardware and software design that may not be available until later stages of development, so there is a strong incentive to wait until later before beginning risk analysis.
    🔹 DFMEA doesn’t align well with the requirements of the ISO 14971 risk management standard. DFMEA analyzes the reliability of a system, which may or may not cause Harm in a medical device. And RPN values used in a DFMEA can be misleading if they depend on detectability for reducing risk.
    🔹 In a complex, software-intensive medical device there are many, many potential hardware/software failures, but only a fraction of them may lead to serious Harm (it’s easy to lose focus in a large set of data).
    🔹 DFMEA is an inefficient way to support complaint handling because users tend to complain about hazardous situations but not failures of hardware and software.

    I’m not saying there’s no role for DFMEA in medical device risk management, just that it shouldn’t be the primary method of risk assessment. Instead, I recommend starting early in product development with a top-down, high-level, comprehensive approach such as a System Hazard Analysis (sometimes called Preliminary Hazard Analysis) or Fault Tree Analysis (FTA) or a similar method. This initial high-level analysis quickly produces a broad picture of the new product’s risk profile and can point to areas that deserve detailed bottom-up analysis with one or more focused DFMEAs. By starting early in development with a high-level risk analysis and following it with one or more DFMEAs, the product team makes the best use of complementary risk analysis tools.

    To better suit medical device safety risk management, it’s important to modify the standard DFMEA methodology and format. Columns for Hazardous Situation and Harm should be added to the FMEA table to align with the ISO 14971 risk model. And I recommend dropping RPN calculations altogether and just using a lookup table based on Severity and Probability of Harm to determine a Risk Level.

    What’s been your experience with DFMEA for medical devices? Any tips you would recommend to medical device teams?

    See comments for links to more detailed discussions of why DFMEA is often misused in medical device risk management.
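    As an added example (not code from the post above, and not from ISO 14971 or IEC 60812 themselves), here is a small top-down fault tree for one hypothetical hazardous situation, evaluated to a probability of harm and then mapped to a Risk Level through a Severity × Probability-of-Harm lookup rather than an RPN. The event names, the per-use probabilities, the probability bands and the risk matrix are all constructed for illustration; a real risk management file would define them from the device's own hazard analysis. The minimal cut sets make the post's distinction visible: the one-event cut set is the single-point failure a DFMEA would catch, while the two-event cut set is a sequence (a component fault combined with a use error) that single-point analysis tends to miss.

```python
# Added example, not from the original post. Everything below (event names,
# probabilities, bands, risk matrix) is a constructed illustration of a
# top-down fault tree feeding a Severity x Probability-of-Harm risk lookup.
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    p: float  # assumed per-use probability of the event (constructed)


@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    name: str
    inputs: tuple  # child BasicEvents / Gates


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Probability of the node's event, treating basic events as independent.
    AND = product of inputs; OR = 1 - product(1 - input)."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(n) for n in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none = 1.0
        for p in ps:
            none *= 1.0 - p
        return 1.0 - none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> list:
    """Smallest sets of basic events that are each sufficient for the top
    event. A one-element cut set is a single-point failure (what a DFMEA
    finds); longer ones are the sequences a single-point view misses."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child = [minimal_cut_sets(n) for n in node.inputs]
    if node.kind == "OR":
        sets = {s for cs in child for s in cs}
    else:  # AND: one cut set per combination of child cut sets
        sets = {frozenset().union(*combo) for combo in product(*child)}
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


# Constructed qualitative probability bands (per use), highest first.
PROB_BANDS = [(1e-2, "frequent"), (1e-3, "probable"), (1e-4, "occasional"),
              (1e-5, "remote"), (0.0, "improbable")]

# Constructed risk matrix: Severity x Probability band -> Risk Level.
# There is deliberately no "detectability" axis, unlike an RPN.
RISK_TABLE = {
    "catastrophic": {"frequent": "unacceptable", "probable": "unacceptable",
                     "occasional": "unacceptable", "remote": "ALARP",
                     "improbable": "acceptable"},
    "serious":      {"frequent": "unacceptable", "probable": "unacceptable",
                     "occasional": "ALARP", "remote": "ALARP",
                     "improbable": "acceptable"},
    "minor":        {"frequent": "ALARP", "probable": "ALARP",
                     "occasional": "acceptable", "remote": "acceptable",
                     "improbable": "acceptable"},
}


def probability_band(p: float) -> str:
    for threshold, label in PROB_BANDS:
        if p >= threshold:
            return label
    return "improbable"


def assess(top: Node, severity: str) -> dict:
    """Evaluate a hazardous-situation tree to a Risk Level."""
    p = probability(top)
    band = probability_band(p)
    return {"p_harm": p, "band": band,
            "risk_level": RISK_TABLE[severity][band],
            "cut_sets": minimal_cut_sets(top)}


# Hypothetical tree for one hazardous situation (HS-1) whose harm is rated
# "serious". Left branch is a sequence: a sensor fault AND the user having
# silenced the alarm (a use error, not a failure). Right branch is a
# single-point software failure.
HS1 = Gate("OR", "HS-1 reached", (
    Gate("AND", "fault not caught", (
        BasicEvent("sensor_drift", 1e-3),
        BasicEvent("alarm_silenced_by_user", 5e-2),
    )),
    BasicEvent("firmware_crash_unsafe_state", 2e-5),
))

if __name__ == "__main__":
    result = assess(HS1, "serious")
    print(f"P(harm) per use = {result['p_harm']:.3g} -> {result['band']}")
    print(f"Risk level (serious harm): {result['risk_level']}")
    for cs in result["cut_sets"]:
        kind = "single-point failure" if len(cs) == 1 else "sequence"
        print(f"  {kind}: {' AND '.join(sorted(cs))}")
```

    Dropping detectability from the lookup is the point of the matrix: a control that only makes a fault easier to notice does not change the probability of harm unless it actually interrupts a cut set, which in the tree shows up as an extra AND input on that branch rather than as a lower score.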

  • Clive Lloyd

    Helping organizations to evolve Psychological Safety | Psychologist | Principal Consultant with GYST | Author of Amazon #1 best-selling book “Next Generation Safety Leadership: From Compliance to Care”.

    Some useful examples of ‘weak signals’ and ‘mind traps’ (from Shell).

    Chronic Unease = Alertness to Weak Signals and to Mind Traps

    What are the Signals?
    Weak Signals are signs or indications from our surroundings that things may not be all right, and that some of the barriers intended to prevent an incident are starting to fail or are missing. Some examples are:
    • Corrosion where we didn't expect it…
    • An unusual smell when we visit a production unit…
    • A pump vibrating in an unusual way…
    • A new employee looking puzzled by a vital piece of equipment…
    • A meter giving an unexpected reading…
    • Paperwork supporting critical tasks not being completed…
    • Procedures being incorrect or out of date…
    • Decisions not to comply with standards or normal practices.
    • Supervisors repeatedly not taking concerns of junior staff seriously.

    What are Mind Traps? (also known as Cognitive Biases)
    The term refers to a natural tendency for human thinking to be unduly influenced by existing mental models (what someone wants, expects, or thinks is going to happen) despite evidence that suggests something else, by emotion, or by a reluctance to apply mental effort, so jumping to easy conclusions without giving a decision proper attention. These Mind Traps can affect our thinking from the perception and interpretation of information from our senses, through to judgement and decision making. Some examples of Mind Traps are:
    • The tendency to underestimate a risk that has become familiar, and is associated with tasks that we undertake regularly without incident (risk normalisation).
    • The tendency to search for or interpret information in a way that confirms our preconceptions. A willingness to ignore, or find alternative explanations that allow us to rationalise away, information that does not fit with our mental model of the situation (confirmation bias).
    • The tendency to be over-optimistic, overestimating the likelihood of success, also known as wishful thinking (optimism bias).
    • The tendency to want to continue on a course of action once committed to it, even when circumstances change and risks increase (plan continuation).
    • The tendency to want to agree with the consensus view of a group of peers.
    • The tendency to perceive risks based on the way the problem is stated ('framed'). E.g. the statement "there is a 90% chance of success" will be seen more positively, and with less risk associated, than the statement "There is a 10% chance of failure".
