Risk Management Approaches

Featured LinkedIn content created by experts.

  • Imran Hassan

    Risk Management || Fraud Risk Management || Operational Risk Management || Internal Audit & Compliance || FinTech || Banker || Startup || Photographer

    3,677 followers

    Operational Risk Management: “Why did no one see this coming?”

    That was the question echoing across the room during a post-incident review. A critical system had failed—not due to negligence, but because the warning signs were either missed or never measured. That day taught me something valuable: Operational Risk Management isn’t about putting out fires. It’s about building a system that senses the smoke before there’s even a spark.

    That’s where tools like Risk & Control Self-Assessment (RCSA), Key Risk Indicators (KRIs), Control Assurance (CA), and Incident Management (IM) come into play. These aren’t just checkboxes—they’re the pillars of a proactive risk culture.
    • RCSA helps us spot weaknesses before they become issues.
    • KRIs give us the data to predict and prevent risk events.
    • Control Assurance keeps us honest about what’s working—and what’s not.
    • Incident Management ensures that when things do go wrong, we learn fast and recover smarter.

    Operational risk isn’t just about compliance—it’s about business resilience, reputation, and trust. Let’s prioritize it!
    #OperationalRisk #RCSA #KRIs #ControlAssurance #IncidentManagement #RiskManagement #Governance #Banking #BusinessContinuity #Leadership #ORM

  • Aakash Gupta (Influencer)

    Helping you succeed in your career + land your next job

    310,219 followers

    If I could go back and teach myself just one thing to become a better PM, it would be this: Manage risk using feedback. After 15 years, I’ve cracked the code and here's your guide to the Risk-Feedback Matrix:

    Before we dive into everything, let’s first understand the 4 types of risk that come with every product decision:
    Value → Are we solving the right problem?
    Usability → Can users actually use it?
    Feasibility → Can we build it?
    Business Viability → Will this make sense for the business?
    Let’s talk about the matrix now.

    1. Customer Interviews
    They’re your best tool for tackling:
    → Value Risk: Understand what users truly need.
    → Usability Risk: Spot real pain points and frustrations.
    At Affirm, one hour with a merchant revealed more about needs than weeks of analytics.
    But let’s be real: interviews can’t solve everything. They’re limited for Feasibility Risk → users can’t tell you what’s technically possible. And for Business Viability → pricing or scalability needs further validation.

    2. Usage Data
    It’s the silent witness that tells you how users behave; not just what they say.
    → Usability Risk: At Apollo, drop-off data pinpointed exactly where users struggled in our workflow.
    → Value Risk: Validates whether your feature is solving the right problem.
    But data has its blind spots: It struggles with Business Viability Risk → usage patterns don’t tell you if your pricing works. And Feasibility Risk → it might highlight scale issues, but rarely uncovers the root cause. Pair data with qualitative insights for a full picture.

    3. Support Tickets
    Support tickets are where the rubber meets the road. They’re gold for:
    → Value Risk: Surface unmet needs.
    → Usability Risk: Reveal friction points beta tests often miss.
    Fortnite’s tickets uncovered issues we never spotted in testing.
    But don’t expect too much from support tickets: They’re limited for Business Viability Risk → volume alone doesn’t explain profitability. For Feasibility Risk → they can highlight bugs but rarely explain technical constraints. So don’t just stop there…

    4. Sales Feedback
    Sales teams are your direct line to the market pulse.
    → They crush Value Risk: What’s driving demand and what's not?
    → They shine for Business Viability: Pricing dynamics, enterprise needs, etc.
    At Apollo, this led us to reposition our enterprise offering.
    Sales feedback has its limits. It’s weak for Usability Risk → sales focuses on the big picture, not workflows. And it won’t solve Feasibility Risk → details about implementation rarely come up.

    Summarising everything... No single feedback channel solves everything. The Risk-Feedback Matrix balances them all:
    Customer Interviews → Strategic depth.
    Usage Data → Behavioral truth.
    Support Tickets → Unfiltered reality.
    Sales Feedback → Market pulse.

  • Andrey Gubarev

    CISO for EU FinTechs | ICT Risk, Outsourcing Oversight, Evidence and Board Reporting

    29,043 followers

    All risk is enterprise risk. Cybersecurity Risk Management (CSRM) must be part of Enterprise Risk Management (ERM).

    Many companies think managing cyber risks is:
    ╳ Just an IT problem.
    ╳ Isolated from other risks.
    ╳ A low-priority task.
    But in reality, it is:
    ☑ A key part of the entire risk strategy.

    Here are the key steps to integrate cybersecurity risk into enterprise risk management:
    1. Unified Risk Management ↳ Integrating CSRM into ERM helps handle all enterprise risks effectively.
    2. Top-Level Involvement ↳ Top management must be involved in managing cyber risks along with other risks.
    3. Contextual Consideration ↳ Cyber risks should be considered in the context of the enterprise's mission, financial, reputational, and technical risks.
    4. Aligned Risk Appetite ↳ Align risk appetite and tolerance between enterprise management levels and cybersecurity systems.
    5. Holistic Approach ↳ Adopt a holistic approach to identify, prioritize, and treat risks across the organization.
    6. Common Risk Language ↳ Establish a common language around risk that permeates all levels of the organization.
    7. Continuous Improvement ↳ Monitor, evaluate, and adjust risk management strategies continuously.
    8. Clear Governance ↳ Ensure clear governance structures to support proactive risk management.
    9. Digital Dependency ↳ Understand how cybersecurity risks affect business continuity, customer trust, and regulatory compliance.
    10. Strategic Enabler ↳ Prioritize risk management as both a strategic business enabler and a protective measure.
    11. Risk Register ↳ Use a unified risk register to consolidate and communicate risks effectively.
    12. Organizational Culture ↳ Foster a culture that values risk management as important for achieving strategic goals.

    Integrating cybersecurity risk into enterprise risk management isn't just a technical task. It's a strategic necessity.
    💬 Leave a comment — how does your company handle cyber risk?
    ➕ Follow Andrey Gubarev for more posts like this

  • Chuks Eze, MBA

    Senior Compliance Analyst | Founder @ Nova Swarm AI | Engineering Agentic AI for Enterprise Revenue Cycles | Preventing ‘Revenue Breach’ | ISO/IEC 27001 • 42001 | HIPAA • SOC 2 • NIST • AI RMF | EU AI Act | GDPR | EPIC |

    1,203 followers

    Compliance isn’t choosing one framework, it’s understanding how they work together.

    Many organizations view SOC 2, ISO 27001, and GDPR as competing obligations, but the reality is far more integrated. SOC 2 validates data security controls for US-based service providers; it is voluntary but expected by enterprise clients. ISO 27001 provides a globally recognized ISMS foundation with comprehensive risk management and continuous improvement. GDPR legally enforces personal data protection for EU citizens, with significant financial penalties for non-compliance.

    The strategic advantage lies in their overlap: access controls, incident response, vendor risk management, encryption, and breach notification requirements align across all three. Organizations that map controls once and satisfy multiple frameworks simultaneously reduce audit fatigue while strengthening their overall security posture. Rather than treating compliance as separate silos, mature GRC programs build unified control environments that address shared requirements, turning regulatory burden into operational excellence.

    What’s your approach to managing overlapping compliance frameworks?
    #GRC #SOC2 #ISO27001 #GDPR #Compliance #InformationSecurity #DataProtection

  • CISA has released its new Operational Technology (OT) Cybersecurity Guide, and it deserves board-level attention.

    For years, OT systems, the technology behind our power grids, water systems, manufacturing plants, and pipelines, were designed for reliability and safety, not cybersecurity. But as IT and OT environments have converged, the attack surface has expanded dramatically. We’ve already seen what this means in practice:
    ⚠️ Colonial Pipeline (fuel supply disruption)
    ⚠️ Oldsmar Water Plant (attempted poisoning)
    ⚠️ Ransomware groups are increasingly threatening physical operations to force payment.

    The CISA guide is a practical step forward, outlining what every OT-dependent organization should do:
    ✔️ Know your assets. Visibility is the foundation of OT security.
    ✔️ Segment IT and OT networks. Strong separation is essential.
    ✔️ Secure remote access. Enforce MFA, monitor, and log everything.
    ✔️ Patch with care. Use compensating controls when downtime isn’t possible.
    ✔️ Prepare for incidents. OT-specific monitoring, response plans, and recovery options must be in place.
    ✔️ Build resilience. Backups, redundancy, and even manual controls as a fallback.
    ✔️ Train people. Both IT and OT teams need a shared understanding of cyber risk.

    This isn’t just a technology problem. It’s a resilience problem. For executives, OT risk belongs on the same agenda as financial, legal, and regulatory risk. The impact of failure isn’t just data loss; it’s downtime, safety hazards, and national security implications. CISA’s guide is a reminder that OT security is no longer optional. It is a core part of modern business continuity.

    Please feel free to contact me if you need help or want more information on this.
    🔔 Follow me for more real-world takes on cybersecurity, leadership, and tech strategy
    ♻️ Useful? Share to help others!
    #CyberSecurity #OperationalTechnology #RiskManagement #CriticalInfrastructure #CISA #BusinessContinuity

  • Anita Lettink (Influencer)

    Keynote Speaker on the Future of Work & Pay | Author of 3 books | HR tech advisor | LinkedIn Top Voice

    27,689 followers

    The Pay Transparency Influencers are here – and we need to talk!

    I wrote my Pay Transparency book as a DIY guide because I expected that:
    - companies would wait until the very last minute
    - experienced advisors and vendors would be fully booked
    - influencers would jump on the trend to make a quick buck
    And it’s playing out exactly as I thought.

    But here's the problem: Getting pay transparency wrong is expensive. It can also be a legal nightmare. I’ve seen influencers get fuzzy on the details too many times. I’m not naming names, but if someone has been in this space for less than a year, do yourself a favor and skip their advice. Just because their posts have hundreds of likes doesn’t mean they know what they’re talking about. They are just being paid to amplify words. But popularity doesn’t equal expertise.

    Pay transparency isn’t a trend or a buzzword. It’s complex. It requires knowledge of:
    - HR strategy and compensation design
    - Labor law and EU directives
    - Organizational change management
    - Data privacy regulations and more
    This isn't content you create between coffee and lunch. It's not something you learn from summarizing a directive.

    Before you implement advice from that viral post, ask:
    → Does this person have compensation experience?
    → Can they explain what happens when the national transposition differs from the EU directive?
    → Do they know which decisions you can reverse and which you can't?

    The deadline is six months away. There's no room for trial and error. So, my advice to you: I get that it’s late and you’re in a bind. But do yourself a favor and ask your questions to experts with a proven track record. The people who can not only summarize the Directive but also point out the practical issues you will run into. The snap decisions you’ll have to make because not everything is clear. Real experts will give you compliant advice, and they’ll also tell you what they don’t know yet, because national transpositions are still pending. They’ll be honest about the uncertainties. (If you need a recommendation, let me know.)

    Apologies for the rant. But pay transparency is just too important to get wrong.
    #futureofwork #paytransparency #equalpay

  • Mary Tresa Gabriel (Influencer)

    Operations Coordinator at Weir | Documenting my career transition | Project Management Professional (PMP) | Work Abroad, Culture, Corporate life & Career Coach

    26,330 followers

    If I were starting a new PROJECT today and wanted to plan it with ZERO prior knowledge, I'd do this:

    Step 1: Define Your Objective
    • Clearly articulate what success looks like for the project.
    • Break down the high-level goal into smaller, manageable milestones.
    • Ensure the objective aligns with stakeholders' expectations to avoid misalignment later.

    Step 2: Build Your Plan Backwards and Leverage Historical Data
    Most people skip this step entirely. But this is a huge mistake—because you risk creating a plan that doesn’t align with deadlines, resources, or realistic expectations. Here’s how:
    • Start from the final deliverable and work backward to define the timeline.
    • Gather and review historical data or similar project examples to understand typical timelines and challenges.
    • Identify key dependencies and create a logical sequence for tasks.
    • Use project planning tools (like Gantt charts or Kanban boards) to visualize your plan.
    • Clearly define roles and responsibilities for each stage.
    Pro tip: Don’t forget to account for buffer time—projects rarely go 100% as planned.

    Step 3: Identify Risks and Create a Mitigation Plan
    This isn't easy. But if you can do this, you will get:
    • Clarity on potential roadblocks before they derail progress.
    • Stakeholder confidence in your ability to deliver.
    • A proactive, problem-solving mindset that boosts your credibility.
    Here's a quick way to do this: List out possible risks, evaluate their impact and likelihood, and create a plan to minimize or respond to them. Collaborate with your team to spot any blind spots. Don't skip this step.

    It took me months of trial and error (and some chaos) to crystallize these steps—hope this helps! 🚀

  • Mayurakshi Ray

    Independent Director on Multiple Boards| Bridging the Gap between Strategic Financial Governance and Tech Innovation| Advisor to CXOs and Startups| Drove Digital Trust & Resilience for Complex Enterprises| Ex Big 4

    6,787 followers

    The recent regulatory guidelines, viz. the RBI Master Directions of Nov 2023 and the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) of Aug 2024, place added importance on cyber resilience, business continuity and disaster recovery, incident response and recovery from cyber incidents. Boards are increasingly attentive and seeking deeper insights on the organizations' preparedness to respond to and recover from cyber incidents.

    Being part of the Boards of regulated entities, I saw this quarter's IT Strategy and Technology Committee meetings, as well as the Board meetings, delve deep and enquire with the security and technology leadership and sometimes directly with the MD/CEO on:
    1. Cyber incidents reported, their impact and root-cause assessments. Note: for the organizations, these were mostly hits or false positives.
    2. Resilience scores, with Q-o-Q and Y-o-Y comparatives
    3. Business Continuity Drills and results
    4. Disaster Recovery exercises and results
    5. Health check report on the primary as well as the recovery sites, including cloud DR assessments
    6. Cyber / technology risk assessments
    7. Compliance and reporting (technology)
    8. Ongoing governance and improvement around the Cyber Crisis Management Plan (or similar plan, by whatever nomenclature it's defined)
    9. Adequacy of technology & security resourcing and training
    10. Data protection, with special emphasis on vendor / third party access to critical data & resources and controls around the same

    The above were some of the top discussion points, but not the only ones. As Boards are made more and more involved and responsible for governance of the organizations' cyber security, resilience, technology governance and risk assurance, Board members will engage more regularly in discussions about cyber risks, and inquire of the management their capacity, capability and readiness to respond to and recover effectively from cyber incidents. And above all, the Board would like to ensure compliance with all the relevant regulatory provisions, including on technology and #cybersecurity.

    To all Technology and Security leaders - the message is very clear: the regulators and the Boards would like to see much more than a mere tick-mark exercise, especially if you're a regulated entity.
    - read through each clause in the directions & circulars from regulators
    - assess thoroughly your current status, including process, operations, technology architecture, procedures, documentation et al.
    - perform risk assessment - technology and operations, over each part of your business
    - conduct data flow analysis, ascertain your data protection strategy
    - analyze your third party / vendor connections at all business touchpoints
    Once you analyze your current state, compare with the requirements given by regulatory directions. Then, step-by-step, put in the measures, updates, upgrades. These are critical steps and require expert acumen - take help from external experts, as required.
    #technologygovernance

  • Amit Bansal

    CEO @Rdash | Simplifying Construction

    21,549 followers

    Visualising Construction Project Lifecycle

    One of the most persistent issues in construction is teams working in isolated silos, despite everyone being part of a larger collective effort. I've seen it firsthand:

    During pre-sales, the sales team actively coordinates with Quantity Surveyors (QS), Design, and Procurement to craft a winning pitch. Once the deal is secured, the baton moves to pre-construction. Here, Design teams finalize the BOQ, collaborating again with QS and Procurement to produce a detailed Design Docket and Scope with Budget. Then comes the Planning phase—Finance sets cash flow guardrails, Procurement quantifies materials alongside QS, and Project Managers engage suppliers. Ideally, this should flow smoothly into the construction phase, where Project teams take control, maintaining active coordination with Design, Procurement, and Finance.

    But reality often falls short. Without clearly defined processes, teams begin operating in their own microcosms. Information becomes siloed, multiple conflicting versions of critical documents emerge, and priorities shift inward. Instead of optimizing towards the overarching goal—on-time project delivery with healthy cash flows and strong margins—individual teams start optimizing isolated KPIs. The result? Margins begin to erode. Cash flows turn negative. Worst of all, relationships with clients and vendors deteriorate due to delays, disputes, and unmet expectations.

    We can't afford to operate this way. It's crucial to break down these silos, ensure consistent communication, and align everyone toward unified outcomes. Transparency and clearly defined processes are not just operational preferences—they’re strategic imperatives for profitability and sustained business relationships.

    Have you experienced these silos in your projects? I'd love to hear how you're tackling them.
    #ConstructionManagement #ProjectDelivery #YouAreNotAlone

  • Jaime Gómez García

    Global Head of Santander Quantum Threat Program | Chair of Europol Quantum Safe Financial Forum | Quantum Security 25 | Quantum Leap Award 2025 | Representative at EU QuIC, AMETIC | LinkedIn QuantumTopVoices 2022-2024

    17,188 followers

    The imperative to prepare for the transition to quantum-safe cryptography doesn't necessarily mean an immediate switch. Consider these two critical aspects:

    ☝ Complexity of Cryptographic Algorithm Transition: Transitioning cryptographic algorithms is a complex undertaking. A quick examination within your organization or with your service providers may reveal the use of obsolete algorithms like SHA-1 or TDEA. For example, the payment card industry still employs TDEA, even though its obsolescence was announced in 2019. It's essential to enhance your organization's cryptography management capabilities before embarking on the transition to quantum-safe cryptography.

    ✌ Scrutiny Required for New PQC Algorithms: The new Post-Quantum Cryptography (PQC) algorithms are relatively recent and warrant careful examination. Historically, we have deployed cryptographic algorithms on a production scale only after several years of existence, allowing comprehensive scrutiny. While PQC standardization offers some security assurances, it doesn't cover the software implementations deployed in your environment. Consider employing phased deployments and hybrid implementations to avoid compromising the existing security provided by classical cryptography.

    Recent news, as mentioned in this article, highlights the immaturity of implementations of new PQC algorithms. While the title might be somewhat misleading, it's crucial to recognize that occasional flaws in implementations, like those found (and solved) in various instances of Kyber, serve as reminders. As we transition to these new implementations, we must first gain control over our cryptography.

    Here's a suggested action plan:
    🚩 Cryptography Management: Prioritize gaining control over your cryptography.
    🚩 Understanding Quantum-Safe Cryptography: Familiarize yourself with the development of quantum-safe cryptography.
    🚩 Transition Plan Preparation: Follow recommendations to prepare a comprehensive transition plan. Some of my favourite resources are:
    - Federal Office for Information Security (BSI)'s "Quantum-safe cryptography" (https://lnkd.in/dqkSAQSP)
    - Government of Canada CFDIR's "BEST PRACTICES AND GUIDELINES" (https://lnkd.in/d-w_Nbfj)
    - National Institute of Standards and Technology (NIST)'s "Migration to Post-Quantum Cryptography" (https://lnkd.in/dYMKnqBb)
    🚩 Decision-Making: Make informed decisions based on the acquired knowledge.

    In summary, a thoughtful and phased approach is key to ensuring a smooth transition to quantum-safe cryptography.
    https://lnkd.in/dxAgF2ac
    #cryptography #quantumcomputing #security #pqc #cybersecurity
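The post above argues for getting control of your cryptography (finding SHA-1, TDEA and similar leftovers) before planning the quantum-safe transition. The following is an added example of the first step of that plan, a triage pass over a cryptographic inventory; it is not code from the post or from any named organisation. The inventory records, asset names and the `Asset`/`Finding`/`assess`/`triage` names are constructed for illustration; a real inventory would be fed from certificate stores, TLS scans, HSM key metadata and code scanning. It separates two lists the post treats differently: algorithms that are a finding today regardless of quantum computers (fix now), and quantum-vulnerable public-key use that defines the scope of the later PQC migration (plan, do not rush).

```python
"""Cryptographic inventory triage (added example; sample inventory is constructed)."""
import re
from dataclasses import dataclass
from typing import Optional

# Findings that are actionable today, independent of any quantum threat.
# Token -> explanation. "sha" alone is how TLS 1.2 suite names spell HMAC-SHA1.
OBSOLETE_TOKENS = {
    "sha1": "SHA-1 signature/MAC (collision attacks practical; move to SHA-256 or better)",
    "sha":  "SHA-1 HMAC (TLS suites ending in _SHA use HMAC-SHA1)",
    "md5":  "MD5 (broken)",
    "3des": "TDEA/3DES (deprecated by NIST, disallowed after 2023; move to AES)",
    "tdea": "TDEA/3DES (deprecated by NIST, disallowed after 2023; move to AES)",
    "rc4":  "RC4 (broken)",
    "des":  "single DES (broken)",
}
# Public-key families broken by Shor's algorithm: the scope of the PQC migration.
# Ordered longest-prefix first so "ecdhe" is reported as ecdhe, not dh.
PQ_FAMILIES = ("ecdsa", "ecdhe", "ecdh", "rsa", "dhe", "dh", "ed25519", "x25519")
MIN_RSA_BITS = 2048


@dataclass(frozen=True)
class Asset:
    name: str                  # constructed identifier, e.g. "host: leaf cert"
    algorithm: str             # cipher suite / signature algorithm name as the system reports it
    key_bits: Optional[int] = None


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str              # "obsolete" = fix now; "pq-migrate" = in scope for the PQC transition
    detail: str


def tokenize(algorithm: str) -> list:
    """Split names such as 'sha1WithRSAEncryption' or 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA'
    into lowercase tokens. 3DES shows up as '3des' or as 'des-ede3'; fold the latter so it
    is not mistaken for single DES."""
    lowered = algorithm.lower().replace("with", "_")
    toks = [t for t in re.split(r"[^a-z0-9]+", lowered) if t]
    if any(t.startswith("ede") for t in toks):
        toks = ["3des" if t == "des" else t for t in toks]
    return toks


def assess(asset: Asset) -> list:
    """Return the findings for one inventory entry."""
    toks = tokenize(asset.algorithm)
    findings = []
    for t in toks:
        if t in OBSOLETE_TOKENS:
            findings.append(Finding(asset.name, "obsolete", OBSOLETE_TOKENS[t]))
    # Short RSA keys are a today-problem even though RSA itself is only a PQC-scope item.
    if asset.key_bits is not None and asset.key_bits < MIN_RSA_BITS \
            and any(t.startswith("rsa") for t in toks):
        findings.append(Finding(asset.name, "obsolete",
                                f"RSA-{asset.key_bits} below the {MIN_RSA_BITS}-bit minimum"))
    families = set()
    for t in toks:
        fam = next((f for f in PQ_FAMILIES if t.startswith(f)), None)
        if fam:
            families.add(fam)
    if families:
        findings.append(Finding(asset.name, "pq-migrate",
                                "quantum-vulnerable public-key use: " + ", ".join(sorted(families))))
    return findings


def triage(inventory: list) -> dict:
    """Group findings by severity so the 'fix now' list is kept apart from the migration scope."""
    grouped = {"obsolete": [], "pq-migrate": []}
    for asset in inventory:
        for f in assess(asset):
            grouped[f.severity].append(f)
    return grouped


# Constructed sample inventory (hypothetical hosts and keys, not real systems).
SAMPLE_INVENTORY = [
    Asset("payments-hsm: PIN block key",       "TDEA", key_bits=112),
    Asset("legacy-api.example.com: leaf cert", "sha1WithRSAEncryption", key_bits=1024),
    Asset("legacy-api.example.com: TLS suite", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"),
    Asset("portal.example.com: TLS suite",     "TLS_AES_256_GCM_SHA384"),   # TLS 1.3, symmetric only
    Asset("portal.example.com: key exchange",  "X25519"),
    Asset("code-signing: cert",                "ecdsa-with-SHA256", key_bits=256),
]

if __name__ == "__main__":
    for severity, findings in triage(SAMPLE_INVENTORY).items():
        print(f"== {severity} ({len(findings)}) ==")
        for f in findings:
            print(f"  {f.asset}: {f.detail}")
```

On the sample inventory the "obsolete" list (TDEA, SHA-1, RSA-1024, 3DES, HMAC-SHA1) is what the post calls gaining control over your cryptography; the "pq-migrate" list (RSA, ECDHE, X25519, ECDSA) is the transition scope to be planned, which is why the TLS 1.3 suite with only AES-GCM produces no finding at all.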
