Risk, Security, Safety and Resilience Newsletter - Week of 21 Jul 22
Tony Ridley, MSc CSyP MSyI M.ISRM

The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 21 Jul 22.

Key themes for this week include:

  1. Risk: Operational, Critical Infrastructure & Assessments
  2. Resilience: Enterprise, Tenders & Quotes
  3. Security: Food, Cyber & Protection
  4. Business Continuity: Natural Hazards, Systems & Litigation

----------------------------------------------------------

Critical Infrastructure: Thinking About Safety, Security, Risk & Resilience Management in Modern Societies

Critical infrastructure is not only increasingly complex and networked; its elements also remain ultra reliant on each other.

That is, even a rudimentary unpacking of critical infrastructure and systems of state/national significance demonstrates the highly dependent and interdependent relationships not only between infrastructure but also with society.

In other words, one or more don't work without the other.

Operational Risk Management (Military)

"#Riskmanagement is the process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk costs with mission benefits. Leaders and Marines at all levels use risk management. It applies to all missions and environments across the wide range of Marine Corps operations. Risk management is fundamental in developing confident and competent leaders and units. Proficiency in applying risk management is critical to conserving combat power and resources. Commanders must firmly ground current and future leaders in the critical skills of the five-step risk management process."

Enterprise Security Risk Management (ESRM): Just how clear is the objective, intent and likely outcome?

Whereas Enterprise Risk Management (ERM) asserts the management of risk across an entire business, organisation or enterprise; Enterprise Security Risk Management (ESRM) posits the necessity to include security as a posterior inclusion on the premise that ERM omits adequate consideration for dynamic, agile, adaptive human threats seeking to circumvent or intentionally breach controls, preventions, policies and protective measures applied to assets across tangible and intangible realms.

"Enterprise security risk management (ESRM) is a strategic approach to security management that aligns an organisation's security practices to its overall strategy using globally established and accepted risk management principles" - ASIS International

Risk Assessment Principles and Practices

"The primary purpose of a #riskassessment is to inform the risk manager's decision-making process. The primary purpose of a risk assessment is not to make or recommend any particular decision; rather, it gives the risk manager information to consider along with other pertinent information"

Convergence: Security Risk Management...Cyber and everything else

Cybersecurity Skills, Risk Management & Resilience chat between Ema Rimeike, MSc Cyber Security and Tony Ridley, MSc CSyP MSyI M.ISRM

Security Risk Management....Cybersecurity penalties, fines and court cases growing

"ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk, and that controls are implemented to protect key assets and enhance cyber resilience. Failing to do so could cause you to fall foul of your regulatory obligations."

In her judgment in ASIC vs RI Advice Group, Justice Helen Rofe acknowledged that while “it is not possible to reduce cybersecurity risk to zero... it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls”.

company directors about cybersecurity risk oversight and disclosure obligations,

Natural Disasters: Crisis, Security & Risk Management Lessons in Assessment, Hubris & Humility

Natural disasters and emergencies present an exercise in hubris and humility for crisis, safety, security and risk management professionals on a routine basis.

That is, our collective human ability to accurately forecast natural events that cause major damage, disaster or delay is rarely entirely accurate and most visible with the next occurring natural disaster.

Moreover, our collective ability to accurately forecast and prepare the full footprint of impact, including the cost of loss, is rarely entirely accurate either, even after the most recent event.

Part of this reality lies with adequate imagination and projection of what may happen once one or more systems are disrupted in an ever-growing network of complexity.

The Consultancy Playbook

"Considering the #risks: Consider how you can best minimise overall risk: 1) Consider whether the requirement has implications for overall policy direction, and therefore would be better suited to internal delivery. 2) What is the operational impact if consultants are not engaged? 3) What are the risks to value or benefit realisation associated with the potential delivery models?"

Protection of Asset: Security and Risk Management Layers of Complexity, Relationship, Relevance and Efficacy

The protection of assets from damage, harm, exploitation or loss remains the prevailing specified and implied task for security risk management.

However, scales of protection, negotiated outcomes and trade-offs, along with economic choices, obfuscate what is defined as an asset and protection that is specific to each organisation or department.

In other words, assets vary in value and significance. Subsequently, so too do protection measures. Therefore, there is no one universal protection of assets formula or solution for practitioners and businesses.

Here lies the true value of security and risk management professionals.

Implementing an Information Security Management Systems

"Critical in today’s information centric environment is the subject of ‘information security’, whether for reasons of #safety, #security, legal, ethics or compliance. The management of such information is of paramount importance and an essential element of good organisational practice in today’s rapidly evolving world. This is equally important in both the private and public sectors."

Risk-Informed Decision Making: Real world effectiveness as opposed to risk-based decision making, which remains extremely limiting, if not dangerous

Risk-based decision making remains fundamentally flawed and in many instances misleading and dangerous.

This is because it is predicated on the static, complete, perfect and unassailable notion that the prevailing risk assessment has no flaws or limitations, or is even close to accurate.

In other words, risk-based decision making assumes perfection and completeness of 'risk' views, analysis and ratings... which is universally unlikely or true.

Conversely, risk-informed decision making acknowledges that information, perspectives and views on risk are provisional, transient and subject to change based on new information, knowledge or findings.

The key differentiator is that of status in terms of risk findings and views.

Risk Management: A Snapshot

"Think of #riskmanagement as a stepped process of identifying hazards, assessing #risks, controlling those #risks and then reviewing the efficacy of control measures over time or in response to an event"

Celebrating 30,000 followers

Consulting, research, analysis and study means you come across a lot of material, resources, ideas, concepts and theories. I thought I'd share a very small portion of these along the way. Over time, I set up a page to analyse the results, engagement, reach and interest. Well, a couple of years later and that page now has 30,000 followers!

Tony Ridley, MSc CSyP MSyI M.ISRM

Risk, Security, Safety, Resilience & Management Sciences