Lootok

Menu

What's new?

Risky business: the risk matrix

Risky business: the risk matrix

In my previous two posts, I explored better ways of capturing your key assets, threats, and vulnerabilities. Now, we will take these ingredients and plot them on a risk matrix.

First, download Lootok’s risk matrix.

The risk martrix
The risk matrix

The risk matrix provides a way to think about the probability and consequences of risks. Typically, risk is measured using two variables: impact and probability, which make up the axes of matrix.

Both of these variables should be specifically defined before using the risk matrix to plot your risks. The first variable, impact, is a measure of how harmed or disrupted your business would be if the risk occurred. Impacts can occur across different areas, such as finance, regulation, or reputation. Within each impact area, a risk can cause a low or high impact.

Read Post

Risky business: Attackers and Defenders™

Risky business: Attackers and Defenders

Welcome back. In my previous post, I presented the first of three activities that Lootok uses to complete risk assessments.

Our second activity, Attackers and Defenders™, identifies threats and vulnerabilities. Remember: threats, vulnerabilities, and assets are the ingredients for a risk. Without these three ingredients, there is no risk. In this post, I will show you how to use this activity to identify your specific threats and vulnerabilities.

At Lootok we love Attackers and Defenders™ because it engages everyone in the room. It is competitive. It involves role-playing. It forces you to think creatively about your business, and most importantly it is fun, which is not a word often used in the same sentence as risk assessments and business continuity!

The Attackers and Defenders™ activity creates an environment for structured dialogue around your organization’s threats and vulnerabilities. The key objective of this activity is to define the threats and vulnerabilities facing your key assets. The activity helps you determine realistic threats to your assets, and the vulnerabilities that allow those threats to cause a disruption. You will also be asked to reach an agreed upon prioritization of your risks, complete with evidence that can be used for reporting, planning, and investment.

Read Post

Risky business: Value Map™

Risky business: Value map

In my previous posts about risk, I discussed why we need to consider it, why we have difficulty assessing it, and how to be more objective.

Next, I will explore a number of the activities that Lootok developed to help measure risk at your organization. The first activity is Lootok’s Value Map™. The Value Map™ helps you identify and visualize your organization’s assets. If you recall from the first post, an asset is one of the ingredients of risk.

The Value Map™ is exactly what it sounds like: a giant map on the wall depicting the environment for which you wish to do a risk assessment. The map can be a campus, a country, the globe, an IT map, a factory, or blueprints—whatever environment you wish to measure risk.

Lootok Value Map
Lootok Value Map™

Read Post

Risky business: Who cares about risk?

Risky business: Who cares about risk?

Welcome back to my series on risk and risk assessments. In my first post I discussed why it is hard to objectively assess risk, and I suggested ways to look at risk more objectively. If you missed it, check out post 1.

This post explores why we need to think about risk in the first place.

Risk is inherent to doing business, and there are only two strategies that organizations can employ when facing risk:

  1. You can accept your risk
  2. You can reduce or eliminate your risk

Read Post

Risky business: What is risk?

Risky business: What is risk?

Risk lurks in all facets of daily life. Luckily, many risks are small: like crossing against the light when there are no cars or trying the new, Ethiopian restaurant down the block. Other risks are high: like quitting your job and doubling down on a new start up. Through our experience working with global organizations, we’ve seen it all. 

In spite of the ubiquity of risks, we rarely analyze them objectively. We are all imperfect, and we rely on past experiences and our emotions to understand the world around us and guide our decision-making. On the one hand, it makes sense that we are wired this way— if we didn’t rely on experience and emotion, we’d have to consciously evaluate every single situation anew, and we’d become paralyzed. On the other hand, there is a downside to the efficiency of this wiring: it makes us awful at objectively estimating risk. For example, bad experiences cloud our ability to accurately measure the impact of risks, as well as their relevance. Other factors, such as media attention, immediacy, control, and choice (Psychologist Paul Slovic) work to further compound that lack of objectivity.

Read Post

How do you create situation awareness—Fresh perspectives with Mica Endsley

I had the privilege of sitting down with Mica Endsley —author of Designing for Situation Awareness: An Approach to User-Centered Design. Mica is the president of SA Technologies. Previously she was the Chief Scientist for U.S. Air Force.

Mica shares with us lessons learned from her book—Designing for Situation Awareness. I asked her nine (9) questions to solicit her thoughts on situation awareness, technology, and mental models.

Mica Endsley
Mica Endsley

Read Post

What is the best way to tell stories as means to communicate - Cliff Atkinson on Fresh Perspective

 

Read Post

How would a physicist approach risk management - Mark Buchanan on Fresh Perspective

 

Read Post

How to use Scenario Planning in Risk Management - Thomas Chermack on Fresh Perspective

 

Read Post

Disaster Recovery for America interview on the Federal News Radio

I appeared on Federal News Radio and shared my thoughts on new approaches to risk management and how to develop an effective approach to business. You can stream the recording for free here: Interview with Sean Murphy

Look forward to hearing your thoughts and comments!

Sean Murphy on Federal News Radio
Sean on Federal News Radio

Read Post

Shaking Up the Status Quo: Innovations in Risk Management

Chris de Wolf (Mars) and I got back together in April at the RIMS’16 conference for an overwhelmingly well-received session where we talked about transforming the risk function from a program to a business.

“Shaking up the Status Quo - Innovations in Risk Management” gave us the opportunity to tell the story of how we reinvented risk management - business continuity. Long story short: We were looking for a better way.

 

Read Post

Fresh perspectives: biggest challenge in risk management – metrics

What’s the biggest challenge in risk management? If you ask risk analysis expert Yossi Sheffi, it’s the lack of an industry metric. For example, when you choose a supplier, how can you quantify how risky your choice is? When it comes to metrics, Sheffi says, risk still remains an area where gut feelings and opinions play a major role. And the biggest challenge for risk managers? Defuse the responsibility for managing risk throughout the whole company.

Read Post

Fresh perspectives: resiliency strategies

Risk analysis expert Yossi Sheffi discusses two fundamental resiliency strategies that organizations can use to recover from an incident: redundancy and flexibility. Using the examples of Intel and Southwest Airlines, Sheffi talks about the role of redundancies, flexibility and interchangeability, and communication and culture to provide risk managers with realistic and practical approaches to consider.

Read Post

Fresh perspectives: risk matrix

Risk analysis expert Yossi Sheffi explores the capabilities and limits of the traditional risk matrix, and adds another axis called “detectability.” Detectability has to do with time dimensions, or how much time we have to prepare and react to a threat. There are some events, such as a cyberattack or theft of intellectual property, that have no warning; you realize their occurrence only after they hit you. While the standard use of the risk matrix is influenced largely by the past, adding detectability means greater opportunity to tackle impending threats.

Read Post

Fresh perspectives: insights

What happens when we’re in a crisis we haven’t seen before, and our experience is insufficient? Such a situation requires us to gain “insight,” or develop new patterns that change the way we understand things and consequently, change the actions we consider. Research psychologist Gary Klein investigated the different ways that people form insights, and the factors that prevent us from having them.

Read Post

Fresh perspectives: crisis management team

There are certain challenges that face a crisis management team in the “Golden Hour,” the moment when team members convene to make critical decisions. Research psychologist Gary Klein discusses the need for team members to size up not only the situation, but also each other’s capabilities, roles, and responsibilities at time of event. That’s why it’s key for a crisis management team to regularly practice and train together.

Read Post

Fresh perspectives: uncertainty metaphors

How do most organizations handle uncertainty? They gather more information. Research psychologist Gary Klein explains why this isn’t always the best course of action. After all, it’s easy to gather information and sit on it; it’s harder to know how to make sense of events, and make a coherent story based on the data we have.

Read Post

Fresh perspectives: recognition-primed decision model

How can leaders make good decisions under the extreme time constraints of a crisis? To find out, research psychologist Gary Klein studied fire fighters to understand their approach to making crucial, complex decisions so quickly. The recognition-primed decision (RPD) process, as he explains, reveals how these professionals assess the situation: they compare familiar patterns and cues to past experiences to know which actions to take.

Read Post

Debunking myth #3: The risk matrix measures risk

The risk matrix is a standard tool commonly used in risk assessments. It’s straightforward to use, and easy to explain. The only trouble is, the risk matrix doesn’t actually forecast or measure risk.

When used as a quantitative tool, the risk matrix is misunderstood. Our challenge as practitioners is to recognize the limitations of the risk matrix, so we can use it in a way that increases understanding of the threats around us. In this eBook, we explore how.

Download The risk matrix measures risk, the third myth in Lootok’s series on the five myths of business continuity management (BCM)!

The risk matrix measures risk
Myth #3: The risk matrix measures risk

See Myth #1: The plan is the promised land.
See Myth #2: You need a business impact analysis (BIA).
See Myth #4: It gets cheaper and easier.
See Myth #5: Best-in-class BCM software exists.

Read Post

Understanding the risk environment: Sean Murphy discusses nonlinear environment with Gary Klein

I had the pleasure to interview Gary Klein the author of “Seeing What Others Don’t,” “Streetlights and Shadows,” “Working Minds,” and “Sources of Power.” His research and experience is invaluable to anyone in the field of risk management. In this interview, Gary talks about the difference between a well-ordered domain (i.e., normal business environment) and complex domain (i.e., crisis environment). Understanding the characteristics and attributes of each environment is critical to understanding what tools, processes, and capabilities needed to be successful in each environment.

Read Post

Dr. Yossi Sheffi on crisis management

Dr. Yossi Sheffi, author of “Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage,” discusses two of his favorite crisis management case studies with Sean Murphy.

Read Post

Why don’t plans work?

Sean Murphy discusses the limitations of plans with renowned author and research psychologist Gary Klein.

Read Post

The missing factor in your risk assessment: detectability

Dr. Yossi Sheffi explains the “detectability axis,” which considers threats you can only detect only after the fact. This concept challenges our conventional methods of measuring risk using probability and impact.

Read Post

Everyone needs a backup plan - just like every company needs a business continuity plan

This video for the Homeland Security Business Continuity Planning Suite communicates core business continuity concepts and highlights the benefits of planning. In just a few minutes, the video manages to cover a variety of disasters including a loss of power, hurricane, fire, and a human threat. It’s perfect to use for kicking off a planning workshop or meeting, or circulating to department leads or plan writers to increase their awareness.

Read Post

A funny take on risk perception

When it comes to risk perception, we are notoriously prone to misconceptions. Whether fearing planes over bikes or elevators over stairs, we have a tendency to misjudge just how dangerous certain situations are.

Read Post