The best security and risk podcast for professionals who care about effectively treating risk
Our listeners are improving their company’s processes and practices to increase business resilience, with risk-informed decision making embedded into their daily activities throughout the entire organisation. Improving security and risk management practices does not take more time – it actually improves productivity and reduces costs. By reducing errors and costs, and focussing on the most significant areas for your business, you will increase profitability and project effectiveness.
Whether you are a large or small company, a government department, or a not-for-profit organisation, governance, risk, and compliance (GRC) should be embedded into everyone’s work. Listen to our podcast to learn how industry leaders from around the world have successfully managed security and risk in some of the highest-risk locations you can imagine. Join us to learn from our international experts how you can remove security and risk barriers and thrive! Learn how to shift security and risk management from check-box activities to something that is integrated into all processes and really adds value to your team and organisation. Avoid being reactive and position yourself and your team for proactive, positive, transformational security and risk management.
Governance, Risk, and Compliance
GRC may not sound like the most exciting topic to listen to, but it really is. Come and listen to our funny, interesting, informative, world-class leaders talk about their experiences with GRC.
What is GRC? It is how your organisation manages issues of company governance, group risk, and compliance with regulatory, privacy, and funding requirements. GRC is the integrated collection of capabilities within your company to consistently and reliably achieve your strategic objectives, address uncertainty, and act with integrity and transparency. Properly designed, these systems and structures will improve decision making, direct investment (in recruitment, projects, and new innovation) to where it returns the most, remove unnecessary organisational silos, and improve efficiency.
Join our discussions on The International Risk Podcast to learn from our great guests about the risk controls and methods they have used to evaluate potential risk losses, and the actions they have taken to reduce and eliminate risk. From Afghanistan, Syria, Bangladesh, South Sudan, Lebanon, the UK, and the Americas, our guests share their stories about how they have identified risk factors in their operations and improved the systems and structures that strengthen their projects and organisations. By proactively making changes to reduce risks, they have limited company losses, retained the best personnel, and removed the obstacles that could have damaged their operations or their ability to out-compete their competitors.
Learn how The International Risk Podcast guests control risk and improve operations
Our fantastic guests share their stories about how they created the methods that facilitated comprehensive evaluation of potential risks and took action to reduce and eliminate risk from their operations. Join us to learn how they employed various risk control methods, including risk avoidance, loss prevention, risk reduction, risk separation, and diversification, to treat risk within their organisations.
Risk frequently asked questions
Listeners of The International Security and Risk Podcast ask a lot of questions about risk terminology. Here are some of the most important risk taxonomy terms that you should understand. Below we will explain and explore terms related to:
- risk management
- risk management process
- risk assessment
- risk identification
- probability and likelihood
- impact and consequence
- risk analysis
- risk evaluation
- risk treatment
- risk monitoring and measurement
- risk communication and consultation
These explanations are relevant for anyone involved in managing risk and compliance, including:
- people developing national or industry-specific standards, guides, procedures, and codes of practice relating to the management of risk
- people who evaluate or commission risk assessments
- people who need to understand risk and risk assessments
- people who need to choose an appropriate risk assessment technique to understand a threat, an operational objective, or an environment
- anyone who wants to compare risks, establish priorities, and decide on risk treatment options
Similarly, anyone trying to understand and meet risk-related regulatory requirements will benefit from these interviews. Through our interviews, we will unpack a variety of important risk considerations including:
- capabilities of the organization in terms of resources and knowledge
- information flows and decision-making processes
- internal stakeholders
- objectives and the strategies that are in place to achieve them
- perceptions, values and culture
- policies and processes
- standards and reference models adopted by the organization, and
- structures including roles, governance, and accountability
Our internationally experienced practitioners will help you by sharing interesting and sometimes humorous stories about how they have decided:
- whether an activity should be undertaken
- how to maximize opportunities
- whether all risks need to be treated
- choosing between options with different risks
- prioritizing risk treatment options
- the most appropriate selection of risk treatment strategies that will bring adverse risks to a tolerable level
What is risk
Risk is the effect of uncertainty on your business objectives. This effect is any deviation from the expected, and its outcome can be positive or negative. The objectives affected can be workplace health and safety objectives, financial objectives, or implementation timelines, and the effects can occur at any level: strategic, project, product, process, or individual employee. Risk is often characterized by the likelihood of an event occurring and its expected consequence. Both are further shaped by your organisation’s, project’s, or employee’s particular vulnerability to that risk. Risk is accompanied by a degree of uncertainty, which stems from a lack of information about the consequence and likelihood of a risk-related event. There are various methods for reducing this uncertainty, and many of our guests discuss them on The International Security and Risk Podcast.
What is risk management
Risk management is the set of coordinated activities that direct and control an organization, project, or personnel with regard to risk.
What is risk treatment
Risk treatment can involve risk avoidance: suspending, stopping, or not commencing an activity that may give rise to a risk beyond the risk appetite of the risk owner or organisation. Risk treatment can also include removing the risk source, or reducing the likelihood or consequence of a particular risk. Risks can also be treated by sharing or outsourcing the risk to another party, for example partly via insurance or by sub-contracting. The effectiveness of risk transfer depends on the terms of the contract and the legislation in the area of implementation. Terms associated with risk treatment include risk mitigation, risk prevention, risk reduction, and risk elimination. Risk treatment can itself create new risks and modify existing ones, so the treatment plan and the risk environment must be continually monitored.
What is a risk management framework
A risk management framework is the set of parts that provide the foundation and arrangements for designing, implementing, monitoring, learning, and improving risk management throughout the organisation or project. The risk management framework includes the organisation’s or project’s risk tolerance and culture, formal policies, project objectives, and risk appetite. It should be integrated within the organisation’s or project’s strategy, policies, and practices, and should define roles, responsibilities, and consistent accountability.
What is a risk management policy
A risk management policy is a corporate statement explaining the overall intentions and direction of an organisation related to risk management.
What is a risk management plan
A risk management plan specifies the approach, management components and resources to be applied to the management of risk within the organisation or project. This normally includes procedures, expected practices, and timing of key risk management events including monitoring, evaluation, and audits.
What is a risk management process
A risk management process is the methodical and systematic application of risk management policies, procedures, and practices. It includes the activities of communicating, consulting, and analysing the risk environment and context, as well as identifying, analysing, evaluating, treating, monitoring, and reviewing specific risks.
What is risk communication
Risk communication is the ongoing and iterative process that an organisation or project personnel conduct to provide, share, or obtain information, and to engage in dialogue about risk management. These conversations cover the identification, assessment, acceptance, learning, and treatment of risk. They should be based on information and influence rather than power; nevertheless, organisation and project decisions will be shaped by risk communication. Risk communication should be treated as input that informs decision making, not as decision making itself. Decision makers and senior leaders should take part in risk communication so that it reaches and influences them. Risk perception varies greatly within and across the organisation, because it is shaped by an individual’s needs, knowledge, beliefs, values, education, and experience.
What is the risk environment
Establishing the context of the environment you are working in is essential to understanding your risk exposure and risk profile. Defining the external and internal influences on your vulnerability, and on the likelihood and consequence of various risks, is an essential step in your risk treatment plan. The external environment that you and your company operate in includes social, political, legal, financial, economic, industrial, technological, cultural, and natural factors. The internal environment of your company and project that affects your vulnerability to different risks includes organisational structure, governance, roles and responsibilities, competence, business and project objectives, resources and knowledge (including capital, people, time, technology, and relationships), your information systems (including information flows and decision-making processes), and contracts and relationships with partners, sub-contractors, and clients.
What is a risk assessment
A risk assessment is the process of risk identification, analysis, and evaluation. Risk identification is the process of finding, recognizing, and describing risks together with their sources, causes, and potential consequences; it usually draws on historical trends, theoretical analysis (political, security, and environmental analysis), and the collection of expert and stakeholder needs and opinions. A risk source may be tangible or intangible, and has the potential to give rise to risk. Risk analysis is about developing an understanding of the identified risks. It provides inputs to the risk assessment and to decisions about whether risks need to be treated and about the most appropriate treatment strategies and methods. Risk analysis consists of determining the consequences and their probabilities for identified risk events, taking into account the presence and effectiveness of any existing controls and any internal vulnerabilities. The consequences and likelihood are then combined to determine a level of risk. Risk analysis also considers the causes and sources of risk in order to identify potential risk avoidance activities, and the factors that affect consequences and probability should be identified as well. The degree of detail required depends on the particular project or scope of activities, the availability of reliable data, your analysis capacity, and the decision-making needs of your organisation. Risk assessments can be quantitative, qualitative, or a combination. Purely quantitative analysis may not always be possible or desirable: information about the system or activity being analysed may be insufficient, data may be lacking, human factors may dominate, or the effort of quantitative analysis may simply not be warranted. It is usually advisable to have the information collection and analysis supported by risk specialists who know the relevant field and geographic location.
What is a risk owner
A risk owner is a person or position with the accountability and authority to manage a risk. This management includes ensuring that the risk and associated risk indicators are being monitored, as well as the creation and implementation of a specific and tested risk treatment plan.
What is risk exposure
Risk exposure is the extent to which an organisation, project, or person is subjected to a particular event.
What is risk likelihood
Likelihood refers to the chance of an event happening. It can be measured and described in general terms or expressed mathematically, including as a probability or as a frequency over a specific period. Likelihood is often placed on a range from impossible to absolutely certain.
An important step in determining likelihood is the use of relevant historical data to identify events or situations that have occurred in the past, and hence to extrapolate the likelihood of their occurrence in the future. The data used should be relevant to the type of system, project, organisation, or activity being considered, and also to the operational standards of the organisation and project. For example, a simple project completed by an experienced team in a familiar environment will have a different risk profile than the same experienced team conducting a more complex project in the same area. If historically there is a very low frequency of occurrence, then any estimate of likelihood will be very uncertain. Low frequency does not always mean low likelihood. This applies especially to zero occurrences: one cannot assume that the event, situation, or circumstance will not occur in the future. Forecasting likelihood with predictive techniques such as fault tree analysis and event tree analysis, when historical data are unavailable or inadequate, is more complicated and usually requires the support of expert risk specialists. Simulation techniques may be required to generate a more robust likelihood analysis. There are many formal methods for eliciting expert judgement that aid in determining risk likelihood, including paired comparisons, category rating, probability judgements, and the Delphi approach. When quantitative data is available, this input is combined to produce an estimate of the likelihood of the event being considered.
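As an added example (not from the podcast page or its guests), the following Python turns a short yearly incident history into a likelihood estimate and shows why a run of zero occurrences is not read as zero likelihood. The qualitative bands, the Poisson arrival model and the rule-of-three upper bound are assumptions chosen for this example; the sample histories are constructed, not real data.

```python
from math import exp, sqrt

# Qualitative likelihood bands: an assumption made for this example, not a
# scale taken from the podcast page. Each entry is the upper edge of the band
# as a probability of at least one event over the analysis horizon.
LIKELIHOOD_BANDS = [
    (0.05, "rare"),
    (0.20, "unlikely"),
    (0.50, "possible"),
    (0.80, "likely"),
    (1.00, "almost certain"),
]


def estimated_rate(counts):
    """Estimate the event rate per period from historical counts.

    counts: one non-negative event count per exposure period (e.g. per year).
    Returns (point_estimate, upper_bound). The upper bound is an approximate
    one-sided 95% confidence bound on the rate: the "rule of three" (3 / n)
    when no events were observed in n periods, and a normal approximation to
    the Poisson count otherwise. A run of zeros therefore yields a point
    estimate of 0 but a non-zero bound, so absence of history is not read as
    absence of risk.
    """
    if not counts:
        raise ValueError("need at least one period of history")
    n = len(counts)
    total = sum(counts)
    point = total / n
    if total == 0:
        upper = 3.0 / n
    else:
        upper = (total + 1.645 * sqrt(total)) / n
    return point, upper


def probability_of_event(rate, horizon=1.0):
    """Probability of at least one event over `horizon` periods, assuming
    events arrive independently at a constant rate (Poisson model)."""
    return 1.0 - exp(-rate * horizon)


def likelihood_band(probability):
    """Map a probability to the qualitative band used in a risk register."""
    for upper_edge, name in LIKELIHOOD_BANDS:
        if probability <= upper_edge:
            return name
    return LIKELIHOOD_BANDS[-1][1]


def assess_likelihood(counts, horizon=1.0):
    """Full likelihood assessment: point and upper-bound rates, the derived
    probabilities over the horizon, and their qualitative bands."""
    point, upper = estimated_rate(counts)
    p_point = probability_of_event(point, horizon)
    p_upper = probability_of_event(upper, horizon)
    return {
        "rate": point,
        "rate_upper": upper,
        "p_point": p_point,
        "p_upper": p_upper,
        "band_point": likelihood_band(p_point),
        "band_upper": likelihood_band(p_upper),
    }


# Constructed sample histories (yearly incident counts; not real data).
NO_INCIDENTS_TEN_YEARS = [0] * 10
OCCASIONAL_INCIDENTS = [1, 0, 2, 0, 1]

if __name__ == "__main__":
    for label, history in (("no incidents in 10 years", NO_INCIDENTS_TEN_YEARS),
                           ("occasional incidents", OCCASIONAL_INCIDENTS)):
        result = assess_likelihood(history)
        print(f"{label}: point estimate {result['band_point']} "
              f"(p={result['p_point']:.2f}), upper bound {result['band_upper']} "
              f"(p={result['p_upper']:.2f})")
```

Ten clean years give a point estimate of "rare", but the upper bound on the same data lands in "possible", which is the uncertainty the paragraph above warns about; a register that records only the point estimate hides it.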
What is risk consequence
Consequence is the outcome of an event. A consequence can be certain (definitive) or uncertain (undetermined), and can have positive or negative effects on your organisation, project, and people. Initial consequences can have second- and third-order effects that should be considered during the analysis process. Consequence analysis determines the nature and type of impact that could occur assuming that a particular event, situation, or circumstance has occurred. An event may have a range of impacts of different magnitudes and affect a range of different objectives and stakeholders. The types of consequence to be analysed and the stakeholders affected should be determined at the beginning of the risk analysis process. Consequence analysis can range from a simple description of outcomes to detailed quantitative modelling or vulnerability analysis. An event may have a low consequence but high likelihood, a high consequence but low likelihood, or some intermediate combination. Consequence analysis should take into account existing controls that treat the consequences, together with existing vulnerabilities, and consequence should always be considered in light of the organisation and project objectives.
What is risk appetite
Risk appetite, risk tolerance, and risk acceptance all describe the readiness of risk owners and organisations to bear the residual risk, that is, what is left of the risk after treatment. Risk appetite is influenced by potential project benefits, as well as by risks to financial outcomes and reputation. Legal requirements in certain industries also influence the appropriate level of risk tolerance for residual risk.
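As an added example (not the podcast page’s own material), the Python below ties together the risk analysis, consequence, treatment and appetite sections above: it combines likelihood and consequence into a level of risk, nets off existing controls to obtain residual risk, compares the residual with the risk owner’s appetite, and picks a treatment option from the ones the page lists (accept, avoid, share, reduce likelihood, reduce consequence). The five-point scales, the level bands, the control-effectiveness steps and the sample register are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Five-point scales and level bands: an assumption made for this example,
# not a matrix from the podcast page. A score is likelihood x consequence.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LEVELS = ["low", "medium", "high", "extreme"]


def risk_level(score):
    """Band a 1..25 score into a qualitative level."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "extreme"


@dataclass
class Risk:
    name: str
    owner: str            # the risk owner accountable for treatment
    likelihood: str       # key of LIKELIHOOD, before existing controls
    consequence: str      # key of CONSEQUENCE, before existing controls
    # How many steps existing controls move each factor down its scale
    # (hypothetical control-effectiveness measure for this example).
    likelihood_control: int = 0
    consequence_control: int = 0

    def inherent(self):
        """Score with no controls taken into account."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_factors(self):
        """Likelihood and consequence after existing controls, floored at 1."""
        l = max(1, LIKELIHOOD[self.likelihood] - self.likelihood_control)
        c = max(1, CONSEQUENCE[self.consequence] - self.consequence_control)
        return l, c

    def residual(self):
        """Score after existing controls (what appetite is compared against)."""
        l, c = self.residual_factors()
        return l * c


def treatment_option(risk, appetite):
    """Choose a treatment option by comparing residual risk with the appetite
    (a level name from LEVELS). The decision rules are this example's own."""
    level = risk_level(risk.residual())
    if LEVELS.index(level) <= LEVELS.index(appetite):
        return "accept"            # within appetite: monitor risk indicators
    l, c = risk.residual_factors()
    if level == "extreme":
        return "avoid"             # suspend or do not commence the activity
    if c >= 4 and l <= 2:
        # Low-likelihood, high-consequence risks are the usual candidates for
        # sharing through insurance or contract terms.
        return "share"
    if l >= c:
        return "reduce likelihood"  # add preventive controls
    return "reduce consequence"     # add contingency and recovery controls


def prioritised_register(risks, appetite):
    """Return register rows ordered by residual score, highest first."""
    rows = []
    for r in risks:
        rows.append({
            "name": r.name,
            "owner": r.owner,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "level": risk_level(r.residual()),
            "treatment": treatment_option(r, appetite),
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (not a real organisation's data).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", "Head of IT", "likely", "major", 1, 1),
    Risk("Flooding of main office", "Facilities lead", "unlikely", "severe"),
    Risk("Key supplier insolvency", "Procurement lead", "possible", "moderate", 1, 0),
    Risk("Minor travel delays", "Operations lead", "possible", "insignificant"),
    Risk("Field team in conflict zone", "Country director", "almost certain", "severe", 1, 1),
]

if __name__ == "__main__":
    for row in prioritised_register(SAMPLE_RISKS, appetite="low"):
        print(f"{row['residual']:>2} {row['level']:<7} {row['treatment']:<19} "
              f"{row['name']} ({row['owner']})")
```

Running it with an appetite of "low" ranks the conflict-zone deployment first and flags it for avoidance, routes the flood risk (low likelihood, severe consequence) to sharing, and accepts only the travel-delay risk. Raising the appetite to "medium" moves the ransomware and supplier risks into "accept", which is exactly the kind of decision the page says appetite should make explicit rather than implicit.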
If you are interested in being interviewed on The International Risk Podcast, submit an expression of interest and someone will respond to you very soon.