The Art of Risk Management

TL;DR

Risk management has become overly focused on controls and metrics. Companies are losing sight of its true purpose: facilitating conversations that drive business objectives. Instead of getting stuck in complicated frameworks and regulations, companies should create systems that make managing risks easy and practical. This will help them avoid slow decision-making and improve resilience. Simplifying risk assessment and prioritisation, along with focusing on an enterprise approach to risk, can help businesses effectively manage their most critical risks.

Context

Risk management has been a part of organisational strategy for decades, evolving in complexity as new risks have emerged in the global market.

Traditionally, risk management has been heavily driven by compliance, regulatory frameworks, and an ever-growing emphasis on controls. With increased regulations like GDPR or PCI-DSS, companies feel pressure to prove that they are "managing" risk, often leading to bureaucratic processes that focus on checking boxes rather than meaningful decision-making.

The increasing number of high-profile data breaches has put cyber security risk in the spotlight, further driven by the SEC's stricter regulations and enforcement actions. According to IBM's Cost of a Data Breach report, the global average cost of a data breach in 2024 was $4.88 million, a 10% increase over the previous year and the highest total ever recorded. In a 2023 Ponemon study, 71% of companies reported experiencing between 21 and more than 40 incidents per year, up from 67% in 2022.

Such statistics underscore the financial and operational threats of poor risk management practices.

Yet, many companies are bogged down in processes that focus more on mitigating controls than addressing the core risks. Organisations often find themselves buried in data, struggling to prioritise threats and make timely decisions.

Traditional risk management frameworks, while comprehensive, can be cumbersome and difficult to implement effectively. This has led to a growing need for more agile, practical approaches like the one described in this collaborative conversational article, written by Benjamin Stephan , CISO, and Dan Haagman , CEO of Chaleit .?

Together, the authors tackle current challenges by proposing a more pragmatic and actionable perspective on risk management.

The problem with traditional risk management

Traditional risk management often falls into the trap of over complication. Many companies focus on measuring risk, often through complex and quantitative methodologies, which can make the process impractical for decision-makers.

Moreover, organisations frequently get lost in the minutiae, focusing on an overwhelming number of controls and metrics rather than the core issues that truly matter to the business.?

Another common pitfall is the misuse of the inherent risk concept. Many people make the mistake of assuming that when evaluating inherent risk, they should ignore existing controls. This mistake can lead to a distorted view of the actual risks and decision paralysis, Benjamin explains.?

However, a more practical approach is to assume that current controls are in place when thinking about inherent risks. Most organisations would never completely remove their existing controls, so it's easier to assess the current state based on the functioning controls already in place. From there, you can evaluate the inherent risk more accurately without overcomplicating the process.

A prevalent problem is also the lack of perspective and context. In the authors' experience, companies look at risk management as a time-based exercise. The "point-in-time" approach is static and fails to capture the dynamic nature of risk.

The control obsession

The authors point to the industry's obsession with controls and regulatory compliance as a key reason for the lack of meaningful risk conversations. As businesses became more regulated, the focus shifted to proving compliance rather than managing risk.

This checkbox mentality means companies focus more on adhering to frameworks — whether ISO 27001, NIST, or others — than on delivering tangible value and effective outcomes through tailored risk management practices. Many executive committees are overwhelmed with lists of hundreds of controls, metrics, and key indicators, but few meaningful decisions emerge from this data deluge.

Benjamin emphasises that while compliance is essential, it should not overshadow the broader risk discussion. Controls are an important component, but they should not be a distraction from the value of the crucial risk conversations. One of the major reasons cyber programs fail is data overload. When decision-makers are inundated with too much information, it becomes difficult to prioritise threats and take appropriate action.?

The cost of indecision

A critical aspect is recognising the cost of indecision. According to Benjamin, when companies fail to decide on a particular risk, they effectively accept that risk by default.?

Many executives postpone risk decisions, especially when overwhelmed by the sheer volume of data and metrics. However, inaction is itself a decision — one that could lead to catastrophic outcomes.?

The solution is to streamline the risk management process, so executives have the information they need to make timely decisions rather than getting bogged down by irrelevant data. This requires focusing on the top 10 or 15 critical risks, not on hundreds of low-level risks.

A better approach to risk management

Unlike traditional point-in-time assessments, the authors view risk management as an ongoing cycle. As Benjamin explains, "Risk management is a conversation about the life of the risk."

A more cyclical approach allows organisations to continually reassess their risk landscape, adjust their strategies, and make informed decisions based on current information.

To adopt a more holistic approach to the process, companies must first define risk correctly.

A revised definition of risk

Risk is the potential for an adverse event to occur and the resulting negative impact on an organisation's ability to achieve its objectives.

For example, in cyber security, a ransomware attack that disrupts a company's operations is a risk. The adverse consequence is disruption and the impact on the organisation is potential revenue loss, damage to customer relationships, and increased recovery costs.

Organisations often think of risk in static terms and fail to consider the context and impact. Benjamin emphasises the importance of considering both the likelihood of an adverse event and its potential consequences.?

Imagine driving and focusing on potholes, Dan says. You notice their size and location. But that's not helpful. To drive safely, you need to anticipate potholes, understand that they can break your car or lead to an accident, and decide how to avoid or fix them. It's the same with risks. It's useless talking about them endlessly without getting in the driver's seat and making decisions.

Let's see how organisations can shift gears towards more efficient risk management.

Enterprise Risk Management (ERM) and the role of stakeholders

Risk should be managed at the enterprise level, with different stakeholders, each contributing to their area of expertise, feeding into a central conversation about overall business risk. Stakeholders often lead the conversations for their area of expertise, but it's the aggregate discussion from varying perspectives that provides the greatest value in making decisions to manage the risk.?

For example, a Chief Information Security Officer (CISO) may lead on cyber security risks, a Chief Financial Officer (CFO) on financial risks, and a Chief Risk Officer (CRO) on external and strategic risks.

The key is for each stakeholder to drive a conversation about risk, leveraging metrics but focusing on decisions and outcomes. This requires a process that is integrated into the broader business context and informed by input from various stakeholders, including cyber security. The resulting crucial conversation about the risk enables executives to decide whether to accept, mitigate, transfer, or avoid the risk, simplifying risk management and making it more focused and action-oriented.

A 2022 PwC Pulse Survey confirms that cyber security is increasingly becoming an enterprise-wide issue. 78% of all respondents listed it as a serious or moderate risk, and all roles, from tax leaders to CFOs and CMOs, ranked cyber attacks high on their list of risks.

An enterprise risk management approach helps avoid silos and ensures that business decisions are informed by a broad understanding of risks across all areas. It also reduces the decision paralysis that often occurs when businesses try to address too many risks at once.

Dan introduces a useful metaphor to illustrate effective risk management. In aviation, pilots follow strict procedures with clear decision points and tolerances. The pilot and copilot receive data from various sources, including instruments, flight attendants, and external factors. They must assess this information and decide what is most relevant to their situation. But ultimately, the pilot has the final call.?

Similarly, in enterprise risk management, information from various departments and sources flows upwards to the enterprise risk management committee. This committee, typically composed of the CEO, CFO, and other executive leaders, must make informed decisions based on the most relevant facts.

The key is ensuring the right information reaches the decision-makers at the appropriate time. Here's where simplification and prioritisation come in.

Simplifying risk management

Risk management should be a conversation, not a complex mathematical exercise.

The industry must return to more practical conversations about risk. For example, rather than treating "cyber risk" as a vague term, organisations should break it down:

• What is the specific adverse event?
• What is its likelihood?
• What would the impact be on our ability to deliver our products or services?

This structured yet simplified conversation should drive risk management processes rather than getting lost in frameworks and checklists.

The shift to focusing on conversations that facilitate decision-making is crucial for businesses because it ensures that executives and stakeholders understand not just the technicality of risks but their direct implications for the organisation.

In short, companies should talk more about why something is a risk and what to do about it rather than merely how it's measured.

Prioritisation and risk tolerance

Prioritisation is crucial for effective risk management. "If everything's a priority, nothing's a priority," Benjamin notes.

Organisations need to identify their top risks and focus their efforts on addressing these. This requires understanding the company's risk tolerance and making deliberate decisions about which risks to address and which to accept.

?A strategy is to group risks into categories (e.g., strategic, operational, security, financial, external) and assign champions to each category. These champions then identify the top risks in their area, creating a manageable list of 30-35 critical risks for executive discussion.

Rethinking inherent and residual risk

Benjamin proposes a new framework for thinking about risk that moves away from the traditional concepts of inherent risk (risk in the absence of controls) and residual risk (risk after controls are applied).

He suggests focusing on three key elements:?

• Current state risk (inherent risk) — Assess the risk based on the current state of the organisation, including all existing controls and safeguards.
• Key mitigation activities (KMAs) — Identify specific projects, initiatives, or activities to mitigate identified risks.
• Forecasted risk (residual risk) — Estimate the future risk level after implementing planned KMAs.

This approach offers several advantages, including a more realistic baseline for risk assessment, an action-oriented focus on concrete mitigation steps, and a forward-looking perspective that encourages proactive risk management.

Practical implementation

Here are the steps organisations can follow to put this holistic approach into practice:

1. Identify and contextualise risks. Clearly articulate risk scenarios in terms of potential adverse consequences and their impact on business objectives.
2. Assess current state risk. Based on the organisation's current state, including all existing controls, evaluate the likelihood and significance of each risk scenario.
3. Identify KMAs. Enumerate all projects, initiatives, and activities designed to mitigate identified risks.
4. Estimate forecasted risk. Based on the planned KMAs, estimate the future risk level for each scenario.
5. Prioritise and act. Focus on high-risk scenarios where the gap between current state risk and forecasted risk is significant, especially those with no established KMAs. This indicates a need for increased efforts to mitigate these risks.
6. Engage in risk conversations. Bring together key stakeholders to discuss risk scenarios and mitigation strategies. Make informed decisions about risk acceptance or further mitigation efforts.

Benjamin emphasises that there will always be subjectivity in evaluating risk. The key is to normalise the evaluation process and make it simple, consistent, and repeatable.

Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)? help organisations have informed conversations on the most critical items.

The indicators below presents a perspective on KPIs and KRIs that differs from traditional metrics. Rather than focusing solely on internal performance and risk indicators, this approach integrates both internal and external data. By highlighting internal metrics that assess risk likelihood and significance alongside external metrics that track industry trends and external threats, this approach offers a more comprehensive view of risk management.

Indicator Type: Key Performance Indicator (KPI)

Focus: Internal metrics and data

Role in risk management: Provides quantitative information about the likelihood and significance of risks within the organisation.

Indicator Type: Key Risk Indicator (KRI)

Focus: External metrics and data

Role in risk management: Offers external perspective on industry trends and potential threats, helping to assess the likelihood and significance of risks.

Using a standardised approach to collecting, analysing, and reporting on KPIs and KRIs can improve consistency in risk evaluations. Both KPIs and KRIs should be used to inform the evaluation of likelihood and significance, ultimately influencing decision-making.

?Finally, KPIs and KRIs should be aligned with the organisation's overall objectives and risk strategy.

Challenges and considerations

A recent Deloitte study found that only 61% of companies felt confident about managing cyber security risk.

What stops organisations from adopting a better approach to risk management??

One significant hurdle is overcoming the habits and processes of traditional risk management. As Benjamin explains, many organisations have become accustomed to "heavy, burdensome activities and control statements."

Another challenge is ensuring consistency in risk evaluation across different departments and individuals. While the approach embraces a degree of subjectivity, it's crucial to have a common framework and language for discussing risk throughout the organisation.

Lastly, there's the challenge of cultural change. Moving from a compliance-focused, checkbox approach to a more dynamic, conversation-based model requires a shift in mindset at all levels of the organisation.

Conclusion

Ultimately, Benjamin and Dan agree that risk management should be seen as both an art and a science.?

While data and metrics play an essential role, the value of risk management comes from the conversations that data enables. The art of risk management lies in balancing simplicity with effectiveness.

Despite current obstacles, 87% of organisations plan to improve their cyber security efforts in the next years, according to the Deloitte study cited above.

With a focus on clear communication, actionable insights, and ongoing evaluation, companies can create agile and responsive risk management cultures and more resilient systems.

Managing risk effectively is critical to remaining competitive — or even surviving? — as a company. Prepare your organisation for challenges by turning risk management from a burdensome exercise into a strategic advantage.

If you need help, Chaleit's team is here to build a conversation-led partnership that produces outcomes, not just lists of problems.

#CISO #cybersecurity

About the authors

Benjamin Stephan

Benjamin Stephan is a seasoned cyber security executive with a proven track record of protecting complex global organisations from cyber threats. With a deep technical understanding and a passion for innovation, he has successfully led information security teams at renowned companies such as The Coca-Cola Company, Fiserv, and Western Digital.

Benjamin's expertise spans various cyber security disciplines, including security operations, incident management, IT regulatory compliance, and risk management. Throughout his career, Benjamin has been recognised as a visionary leader and featured as a speaker at industry conferences.

His leadership competencies include strategic planning, IT governance, stakeholder engagement, and policy development. Benjamin has a deep understanding of industry frameworks like PCI-DSS and NIST CSF and has extensive experience in incident response, threat analysis, and data security.

?

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit and a seasoned leader in global cyber security consulting.

With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.

Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.

Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Benjamin Stephan. Dan Haagman's views also reflect the official stance of Chaleit, while Benjamin Stephan's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.