CERM® Risk Insights

Personal Risk and Big Data

Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

I usually write about risk as related to projects, but several of the comments I received on my article on “Can Your Pacemaker be Hacked” made me realize that we are all faced with risk management in our personal lives.

Continuing on the medical topic, think about how many options you’re faced with when your doctor recommends a procedure, whether adding a pacemaker, replacing a joint or a prescription drug.

Hopefully you have a doctor that you trust and knows you, but how would you respond to the doctor recommending a procedure? If we use a risk process then we’d have to consider the possibility of the identified risk occurring, the impact on our life(style), the benefits of mitigating the risk.

To support our decision we could get a second opinion, do on-line research or check with family/friends that have had the same procedure. Then just like a manager assigning a risk we’d have to review the data we collected and make a decision. The advent of Electronic Medical Records should make life easier, but also lead to more challenges for managing/securing data. [Read more…]

by Greg Hutchins Leave a Comment

Could Your Pacemaker be Hacked?

Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Hack a pacemaker? Is this a real problem?

Some recent experiments have been able to hack a pacemaker and other medical devices including an insulin pump. The weakness of these systems was the analog sensors attached to the body to gather information. These analog inputs bypass the internal security and are converted directly to digital signals.

From a risk perspective is this something medical device manufacturers , insurance companies and the medical professionals need to worry about? It was part of a conversation at the Black Hat @Design West Conference where considerable discussion was held on building defensive walls. [Read more…]

by Greg Hutchins Leave a Comment

Space Tourism

Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

After writing several articles about topics related to medical devices and big data, thought I’d explore a new area, risk and space tourism.

Though I will include one interesting note about medical devices, on the October 20^th episode of 60 Minutes former VP Dick Cheney admitted that he had the external programming capability for his defibrillator turned off to prevent it from being hacked. So, even as people question the possibility of this occurring we have a real world example of the steps taken to prevent this from happening. Think risk mitigation. [Read more…]

by Greg Hutchins Leave a Comment

Using Risk and Safety Analysis as Part of the Requirements Process

Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Frequently in my work as a systems engineer I’m faced with producing several artifacts for a project, typically a system architecture, model(s), requirements, safety analysis and risk analysis (management plan).

The challenge is many of these are treated as serial activities, items to be completed but not necessarily tied together. To produce an architecture and requirements that reflect all of the known/identified issues we should be working on all of these activities concurrently or at the least have a first cut at the safety and risk analysis before starting the requirements. From a project planning stand-point how these are shown on a schedule are driven by the size of the team and the project schedule. “What do we need to complete a phase/gate review” is how the schedule ends up being built versus what do we need to proceed with the systems design and architecture. [Read more…]

by Greg Hutchins 2 Comments

Requirements Development and Risk Management

Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

One of the keys to a successful project is having a set of requirements that are well defined and stable. We’ve all worked on projects where a lack of defined and controlled requirements has led to scope creep which result in schedule delays.

The requirements development process must also include mitigations for the risks identified in the Risk Management Plan. To accomplish this the initial risk assessment must be completed before the requirements development process begins. [Read more…]

by Greg Hutchins Leave a Comment

UAV’s Coming to Your Neighborhood

Guest Post by Paul Kostek (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Here in Seattle we’ve had several interesting incidents/accidents with personal UAVs (unmanned aerial vehicles) or drones.

In one case a person flew their UAV into the Space Needle, no damage and no one was hurt; at a parade an operator lost control and hit and knocked out a parade attendee and the operator was cited by police; UAV stuck on power lines over a lake, result – power turned off and UAV recovered at a cost of $35K and the operator was not found; and just recently a UAV was flown into the Ferris wheel on the waterfront, no damage to the wheel though a table on a nearby deck was destroyed.

In the first two of these cases the operators were identified and contacted by Seattle Police. No one has stepped forward in the third and fourth, and since the FAA database is not in place yet, the only means to track them may be through the manufacturer. [Read more…]

by Greg Hutchins Leave a Comment

Cascade Effect Thinking — Disruptive Paradigm Shifting

Guest Post by David Parishkoff (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

If Knowledge is Power, then understanding the cascading factors that shape our destiny can potentially offer Disruptive Knowledge and Decisive Power. Cascade Effect Thinking (CET) is a new paradigm that dynamically discovers the truth about interacting threats and opportunities in unique, analytical and gamified ways. [Read more…]

by Greg Hutchins Leave a Comment

Risk Management and Fear

Guest Post by Ed Perkins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Risk Management is like vitamins; we know it is good for us, but we don’t always want to take it.

Why? Human nature is to avoid discomfort and unpleasantness. What does this have to do with risk? What is the real impact of consequence of a Risk? Why do we not want to face it? If you think about it, it is the underlying of risk – it is Fear. [Read more…]

by Greg Hutchins Leave a Comment

Risk Decisions and Human Nature

Guest Post by Ed Perkins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

One area that does not receive much emphasis in risk management is the human factor. In risk assessments, risk events, likelihoods and consequences, vulnerabilities are the usual focus. People are viewed as ‘weak links’ in risk prevention, but what about risk mitigation? Your risk planning depends on people to respond when an event occurs. How good is their risk decision-making under stress? There is the weak link.

In 1996, IEEE published a book on “Probabilistic Risk Assessment and Management for Engineers and Scientists” by Kumamoto and Henley[1]. This book is about using probability to assess reliability and safety risks in an industrial environment. The book introduces some interesting concepts, such as risk perception and ‘Human Reliability’. [Read more…]

by Greg Hutchins Leave a Comment

How Not to Make Bad Risk Decisions

Guest Post by Ed Perkins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Why are there “bad” decisions? No one starts out to deliberately make a bad decision. If you look into available thought papers and reports, you can find some evidence that can provide some understanding of how bad decisions are made.

COSO in 2012, commissioned a report on “Enhancing Board Oversight”[1] focusing on challenges and biases in making professional judgments.

More recently, several HBS faculty authored a study an “attribution error”[2], where decisions are biased by unjustified attributions of goodness to applicants based on “luck” rather than ability. [Read more…]

by Greg Hutchins Leave a Comment

How to Make Smarter Decisions

Guest Post by Greg Hutchins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Did we get it all wrong? Wow! This could break our business model. Let me explain:

We developed Certified Enterprise Risk Manager® and all of our risk IP based on a simple fact. We live in VUCA time (volatility, uncertainty, complexity, ambiguity). We based our business business model on providing:

Risk-based, problem-solving.
Risk-based, decision-making.™

So, what’s the problem? [Read more…]

by Greg Hutchins Leave a Comment

Making Decisions That Work For You!

Guest Post by Ed Perkins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

There is a lot of literature written on decision making, ‘how to’, best practices, process, factors and so to follow to make ‘good’ decisions. We have been exploring ‘risk based’ decision making in these blogs. We have looked at factors, process, frameworks, psychology and bias.

But we have not discussed perhaps the most important aspect of any decision – implementation or that double edged word ‘execution.’ (Of course this assumes that the decision maker wants something to actually happen as a result of the decision, but that is a topic for another day).

Let’s use the nicer word – Implementation – which implies there is a course of ACTION, with a timeframe for results to be produced or to occur. [Read more…]

by Greg Hutchins Leave a Comment

How Well Do Risk Assessments Inform Decision Makers?

Guest Post by Chris Peace (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Sometimes, it seems that every newspaper edition, news broadcast or news website carries yet another story about a disaster – an event that might have been avoided by better decision making.

But do we ask whether such decisions were informed by risk assessments? And if so, how effective were those risk assessments for informing the decision makers about the risks? Which techniques were used in the risk assessments? Were the results presented in a way that made sense to the decision makers? Do risk assessors follow a good process and so achieve some consistency in results, or do they just get lucky? [Read more…]

by Greg Hutchins 2 Comments

Basics: Project Risk Management

Guest Post by Rod Farrar (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

The project management body of knowledge generally focuses on scope management, time management, and cost management. Risk management generally comes in at about 8th place out of the ten.

However, risk management is potentially the biggest part of the project management planning process.

Often organizations assign resources, dollars and time to project objectives to know exactly when the project is going to finish, how much it is going to cost and what resources are needed.

The problem with doing this is they have not identified risks. [Read more…]

by Greg Hutchins Leave a Comment

Solution Aversion

Guest Post by Ed Perkins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

There is no end to helpful advice about making decisions.

Most of this advice assumes that decision-making is fact-based, procedural, and decision-makers can follow a process. You need to have proper “framing”, know desired outcomes, be objective, evaluate alternatives, etc.

In theory, this is very good advice. [Read more…]