Three Steps Starting Effective and Efficient Risk Management according to ISO 31000

Author: Dr. Frank Herdmann

In a thin book of 70 pages, the author explains ISO 31000 in both English and German. Yet another handbook, you will say. Yes, but this time it is about the 2018 version, and this booklet puts some emphasis on small and medium-sized organizations. It should not be forgotten that implementing an ISO standard such as ISO 31000 is a relatively much greater effort for a small or medium-sized organization than for a large organization that can set up a FTU (Full Time Unit) or a whole team. That is why some simplifications are necessary, without, however, touching the core message of the standard. As a result, this approach also serves as a quick start for the bigger organizations. The quick start consists of three steps that the organization must take:

  1. “Establishing the Framework”
  2. “Establishing the Process”
  3. “Implementing and Executing the Risk Management Loop”

But why do we have to do this? The aim of risk management according to this new standard is value creation and value protection. You read that correctly: risk management can be regarded as an added value and not as a cost. It also pays off as a protective factor, among other things by avoiding or minimizing costs. That added value can be enormous, also in view of the obligations and liabilities of management for negligence of the organization, for example by supporting good, correct governance.

The booklet starts with a fairly extensive introduction, starting with the ISO 31000 version 2009 and the success that came with it.

The aim of the book is not to give a detailed description of the implementation of ISO 31000 as it has to be elaborated by large organizations (with its three pillars: framework, principles and process).

The principles, in fact, are the success factors or success criteria of risk management and serve the ultimate goal: creating and protecting value.

According to the author, the two most important principles are “Integrated” and “customized”.

The intention is to make the first acquaintance with ISO 31000 more accessible for small and medium-sized organizations. There is therefore no extensive or detailed advice. A number of issues still need to be elaborated before one can speak of full risk management, but often the knowledge, skills and resources for this are already present in the organization. This makes the project bearable for a small organization. For them, this manual is therefore already a first step towards a tailor-made approach.

Let us look at these three steps.

Setting up the Framework: This is perhaps the part of the standard that is most open to customization.

After all, the framework must be tailored to the organization; that goes without saying. The author emphasizes two pillars of this, namely leadership (effectiveness requires a strong and persistent commitment of all levels of management, by means of a policy document or similar that makes clear what the objectives of the organization are, as well as its commitment) and organizational culture. The so-called ETTO principle is important here. ETTO stands for “Effectivity – Thoroughness Trade Off”. There must be a balance between effective business and how well-considered risk management is. If there is too much “thinking through” according to the risk management map, this is detrimental to the effectiveness of the business. If, however, the business leans too far towards effective and efficient action, for example by exaggerating with “lean”, this can harm risk handling and prevention, e.g. by eliminating any form of redundancy. Trade Off means that a golden mean must be found. Risk management must therefore be brought within the boundaries of the ETTO principle in the organization, in all its processes and at all levels, in a supported manner. So it must be tailored to the organizational needs and culture.

Furthermore, the author argues that risk management can also be mapped onto all organizational activities like a plug-in dongle.

Setting up the Risk Process: The risk management process must be an integral part of all structures and activities, i.e. of the organization chart, the operations, the business model and the processes. The framework must therefore, in principle, be reviewed with each change to a business process. The core of the risk management process, however, is risk assessment and implementation of the measures: risk identification, risk analysis, risk evaluation and risk treatment. This happens in an iterative process. In fact, it consists of two processes: the PDCA cycle for adapting the risk management process on the one hand, and the operational risk management that must take place in all organizational processes and projects on the other.

The possible risk assessment techniques are discussed in detail in ISO 31010:2009. The treatment decisions that can then be made can be summarized as:

  • Avoid the risk
  • Take or increase the risk
  • Remove the risk source
  • Change the likelihood
  • Change the consequences
  • Share the risk with one or more other parties
  • Retain the risk by informed decision

Parallel to these cycles, reporting takes place, where too many details can cause confusion or a false sense of security. Here, therefore, “less is more” applies.

Implementing and Executing the Risk Management Loop: For several reasons it is best to use the risk management loop during the design and implementation of the (core) processes of an organization: lower costs, less effort, and synergy between the processes and the risk loop. Ideally these processes have already been brought together in a manual of the organization. The risk loop is best integrated into the processes at the start of the process, using the information or estimates available at that point. It is best repeated when new information is added, when new estimates are made, or when the process changes. The risk owner for the process, or the relevant part of it, is best designated before the first steps of the business process are executed, or when an uncertainty influences or can influence the process and its outcomes and objectives.

Reaching a first level of maturity by introducing the risk management loop using checklists is already a gigantic first step towards effective and efficient risk management. An equally large step is possible by moving from risk management as a silo activity that simply registers risks on a regular basis to proactive and integrated risk management according to ISO 31000:2018.

Internal Audit must also be integrated with, or in other words aligned with, risk management, and that in all areas: all activities and all processes. This also affects the planning of projects, processes and operations. Internal Audit monitors the execution of the risk management loop within the business processes and activities. Conversely, the results of risk management can influence the planning of Internal Audit.

A risk register is a commonly used method for monitoring, revising, registering and reporting risks.

Continuous Improvement

Applying the PDCA cycle, also known as the Deming cycle, will improve and refine the risk management loop over time. As a result, it will eventually reach a higher level of maturity. Risk management, like all skills, requires training, experience, knowledge and expertise, and is open to continuous improvement precisely because of the PDCA cycle. Skills will improve systematically by using more complex but better-suited assessment techniques from ISO 31010:2009 (cf. the 10,000 hours of Malcolm Gladwell, Outliers: The Story of Success, New York 2008).



Author: Hans Rosling with Ola Rosling and Anna Rosling

In this book the author presents indicators about the state of the world. He starts by asking the following thirteen multiple-choice questions:

  1. How many girls in low-income countries finish primary school? 20%, 40% or 60%?
  2. Where does the largest part of the world population live? In low-income countries, in middle-income countries or in high-income countries?
  3. During the past 20 years, has the proportion of the world’s population living in extreme poverty almost doubled, remained about the same, or almost halved?
  4. What is the average life expectancy in the world? 50 years, 60 years or 70 years?
  5. There are now 2 billion children aged 0 to 15 in the world. How many children will there be in the year 2100 according to the United Nations? 4 billion, 3 billion or 2 billion?
  6. According to the UN’s forecast, the world’s population will have increased by another 4 billion by 2100. What is the main cause of this? More children under 15, more adults between 15 and 74, or more old people aged 75 and older?
  7. How has the number of people killed by natural disasters changed over the past 100 years? More than doubled, about the same, or decreased to less than half?
  8. There are now around 7 billion people in the world. Where do these people live? Americas-Europe-Africa-Asia: 1-1-1-4, 1-1-2-3 or 2-1-1-3 billion people?
  9. How many children of one year or younger in the world are now vaccinated against some disease? 20%, 50% or 80%?
  10. Thirty-year-old men around the world have spent an average of 10 years at school. How many years have women of that age spent at school on average? 9 years, 6 years or 3 years?
  11. In 1996, tigers, giant pandas and black rhinos were on the list of endangered species. How many of these three species are now even more seriously threatened? 2 out of 3, 1 out of 3 or none of the 3?
  12. How many people in the world have some access to electricity? 20%, 50% or 80%?
  13. Do climate experts around the world think that the average temperature in the next 100 years will increase, stay the same or decrease?

According to a thought experiment, these thirteen questions are better answered by chimpanzees picking marked bananas. Even people who call themselves experts in a specialist field answer questions about neighboring disciplines wrongly in large numbers. Even the great leaders of the world systematically give wrong answers. The question is why, because that is the question that can lead to a change. It turns out that we are people with at least 10 instincts that get in our way. 10 is a large number. Which are they? This is explained in as many chapters, richly laced with examples and events from the author’s own life and events in the world.

  1. The gap instinct: the instinct that paints an image of two separate groups with a gap between them. To keep it under control, it is best to look for the majority. Be careful when comparing averages, extremes, … and beware of the view from above, because that distorts the picture.
  2. The negativity instinct: negative news reaches us much more easily because positive things have too little news value. To keep it under control, expect bad news. Remember, too, that “something is going better” is not the same as “something is going well”. The past is often represented in a rose-tinted, distorted image.
  3. The straight-line instinct: we often think in terms of linear extrapolations, continuing straight along the line. Remember, however, that most lines are not straight. Do not simply assume a straight line.
  4. The fear instinct: terrifying things are often not the most dangerous things. Calculate the risks. The world seems scary because scary messages are passed on better. Do not make decisions when you are anxious.
  5. The size instinct: when a single number is given, it is best to compare it with other numbers within the context. Look at the proportions; they carry more meaning. Use the 80/20 rule when you get a long list: address the largest items first.
  6. The generalization instinct: working with conclusions based on categories, which can be misleading. Therefore look for differences within groups, for similarities between groups, and for differences between groups. Beware of “the majority”; that can also be only 51%. Beware of examples if you do not know whether they are the rule or the exception. Start from the idea that other people are smart too.
  7. The fate instinct: know that something that changes slowly is not constant, because that is also change. Follow the small changes closely; in the long term, these become big changes. Do not let your knowledge get outdated. Talk to your grandfather to know what has changed. Let culture renew itself.
  8. The one-shot instinct: having a single perspective can limit your imagination. Seek a 360° view of your business. Let people who disagree with you test your ideas. Be honest with yourself about what you do not know. Be open to ideas from other fields. Provide facts in addition to the figures. Do not fall for (too) simple ideas and (too) simple solutions.
  9. The scapegoat instinct: if someone is to blame, attention is drawn away from other aspects. Therefore do not point the finger, but look for solutions. Find the cause without looking for the guilty. Search for the systemic background. If you do not seek villains, you do not need any heroes either.
  10. The urgency instinct: the need for an urgent decision is often unjustified. Make a step-by-step plan with small steps to make improvements. Before you start, take a deep breath. Ask for the data behind the facts. Beware of fortune tellers: their statements are about the future and therefore carry great uncertainty. Do not proceed too fast. Ask yourself what the immediate and long-term consequences and the side effects will be.


Future Crimes

Author: Marc Goodman

In this book the author gives a tour of a world that is online 24/7/365. It is a new story of what can go wrong, and it is not old wine in new bottles: these are all new crime possibilities. Who is a potential customer? You! What is a potential product that is traded in the crime world? You too! Why? Because you have a laptop or a smartphone, or a credit card, for example. Or an e-mail address. Everything about us is interesting. Everything can be sold. Everything can yield money in some criminal context. Who can defend us? We must do that ourselves!
That, very briefly, is what it is about.

Now in more detail.

Chapter 1 begins with an unpleasant experience of Mat Honan. He was hacked by a teenager, for fun, but the damage was enormous. The impact of the first viruses on the world is also outlined, as is the fact that citizens think they are safe while the world relies on security software that is lagging behind. The influence on the stock market is regular and huge. And yet the world continues as if nothing is going on.

Chapter 2 makes it clear that not only computers are targets. The security of public infrastructure is so bad that a fourteen-year-old could hack the complete tram network of the Polish city of Łódź with a self-built infrared remote control.

Strictly speaking, most information networks are not of better quality in terms of security. The citizen is therefore not safe. What can be done with tram lines can be done with the SCADA systems of water treatment plants, power stations, etc. And it is worth knowing that all the necessary knowledge for this and many other crimes can be found on the internet, where you will also find books such as The Mujahideen Poisons Handbook and the thick Encyclopedia of Jihad. But not only children and adolescents are criminals on the internet; organized criminals as well as nation states play an important role.

Chapter 3 makes it clear that the lawless have Moore’s law on their side. Because they choose where and when they attack, they can exploit the exponential growth of technology to the full, while the defense has to secure everything, which in the best case allows linear growth.

This brings the author in chapter 4 to another point: the “good people” are often not a customer but a product for the benefit of the criminals, because they have a disease, or an e-mail address, or a credit card, or a car, or a job, or a smartphone, or a child, etc.

And the crime is not far to find: even social media organizations such as Facebook and Google or Hotmail sometimes abuse the trust that their customers place in them. They do so by offering their services such as webmail, chat, storage space etc. free of charge, but in reality they become owners of the data that people put there, and they can trade it. Why can they do that? Nobody reads the terms of use before signing them. Moreover, these conditions are written and formatted in such a way that they are almost illegible.

To tell all the chapters here would lead us too far. But what more can you expect in the book?

Crime happens on the deep web. You can install Tor on your PC for that. That way you can buy the craziest things through the right marketplaces there: weapons, drugs, child pornography, custom-made malware, contract killers, extortion, …

But the question is: “What are the future crimes? Because we already know all this today.”

Well, how about crime tailored to your DNA? Biosynthetic crimes such as viruses that are tailored to your DNA and that kill only you, or almost only you.

And what about internet-controlled terrorist attacks, which eventually make use of artificial intelligence? Or the threat posed by the combination of robotics and general artificial intelligence?

And how about hacking your home automation (domotics)? Because so-called petty thieves must also move with the times. And refrigerators that notice the milk carton is empty and place an order. Cars without a driver.

Or plants that give light at night? Or single-celled organisms that are reprogrammed to make drugs? Or DNA technology used for data storage?

The problem with technology is that it is a double-edged sword. On the one hand it can be a blessing to mankind, but on the other hand it is a curse once in the hands of criminals. And crime is always in the front row to find applications for new technology, while governments are often at the back.

In one of the last chapters, the author places an important responsibility with the citizens. They cannot expect the government to offer protection against everything; that is not realistic. That is why citizens and government have to work together. Crowdsourcing and gamification can play a role in this.


PRAGMATIC Security Metrics

Authors: W.Krag Brotby and Gary Hinson

The book is about how to design security metrics, how to assess them, whom they are for, and above all that it is useful to use them.

PRAGMATIC stands for:

  • Predictive
  • Relevant
  • Actionable
  • Genuine
  • Meaningful
  • Accurate
  • Timely
  • Independent
  • Cheap

These are the criteria against which each indicator must be assessed.

My personal favorite is the first: Predictive. An indicator must be able to say something about what can be expected in the near future. The second, for me, is Actionable, because an indicator must point to a measure that can in turn move the indicator. Meaningful is important, because too often the owners of indicators are disappointed: indicators are chosen that are too easy, quickly and easily measurable, but tell us only a little about the security of the organization. Meaningful, in my view, is diametrically opposed to Cheap (which might as well have been called “Complex”), because more complex indicators carry more information but are more difficult to obtain, more difficult to interpret and therefore more expensive to use.

Accurate then reminds me that indicators should yield figures that are correct. Otherwise a lot of discussion arises, which is hard to avoid when the indicators are not accurately defined and/or measured.

The seventh characteristic, Timely, points to the natural fact that management has no use for indicators that are already out of date. This is also important for the predictive nature of the indicator.

The book opens with an office memorandum: the CEO of the company briefly asks the CSO to argue why information security is important. An answer that is due “tomorrow”.

The book then begins with an indispensable chapter: a lot of inspiration for making clear to the various target groups in the organization why working with security indicators is important, besides the fact that they are already in the habit of using many other indicators, mainly financial ones.

This is followed by chapters on, amongst other things, why we want to measure security. This too can be motivating and help convince people in the organization.

The next important chapter is Chapter 6, which introduces the mnemonic PRAGMATIC. Ultimately, however, the reader is free to choose other criteria.

The main chapter, however, is Chapter 7, which applies the PRAGMATIC criteria to 150+ indicators, with a discussion of each one of them. This immerses the reader in thinking according to these criteria.

The book then goes on to set up an Information Security Measurement System and the things that can be used for this. An introduction is given to key indicators and the disadvantages of metrics, and the practice is highlighted in, among other things, a chapter dealing with the case of the office memorandum from the beginning. This is followed by a not too complex conclusion. The book ends with the CSO’s reply to the CEO’s question from the beginning of the book.

Crisis management, strictly speaking: mini exercises

Author: Manu Steens

In the context of training, both large exercises and regular small ones are very important. The main objective of these 30-minute exercises is to learn to work together in a crisis situation. The emphasis is therefore also on getting to know each other in these kinds of circumstances, but also on learning to brainstorm together.

Here are some small exercises: