Climate Change Risk Assessments 🌎 Climate-related financial disclosure requirements are expanding across jurisdictions, increasing expectations for companies to assess and report on climate-related risks and opportunities. A structured climate change risk assessment (CCRA) is central to meeting these evolving regulatory demands. CCRAs evaluate both physical risks—such as extreme weather events, water stress, and sea level rise—and transition risks, including policy changes, carbon pricing, and shifts in market or technology landscapes. They also help identify potential opportunities linked to decarbonization, energy efficiency, and new revenue models. Scenario analysis is a core component. It enables companies to test strategic resilience under divergent climate pathways, including high-emissions futures and low-emissions transitions aligned with the Paris Agreement. Most regulatory frameworks now require both perspectives. Benefits of a robust CCRA include improved risk management, reduced exposure to disruptions, and strengthened alignment with investor expectations. Insights from these assessments can be embedded into enterprise risk systems, capital planning, and strategic roadmaps. Key challenges include short-term thinking in risk registers, limited access to forward-looking climate data, and misalignment between climate risk analysis and existing sustainability goals. These gaps can reduce the effectiveness of disclosures and slow organizational response. Recommended approaches include leveraging established scenarios (e.g. IPCC, IEA), integrating outputs into ERM systems, using frameworks like ISSB and TCFD for structure, and applying competitive benchmarking to validate assumptions. Cross-functional engagement improves practical relevance. As regulatory standards converge, CCRAs are becoming a baseline expectation. 
Those who develop structured, forward-looking assessments will be better positioned to adapt business models, manage uncertainty, and align with capital markets under increasing climate scrutiny. Source: Ramboll #sustainability #sustainable #business #esg #climatechange #risk
Risk Management Solutions
-
It’s easy as a PM to only focus on the upside. But you'll notice: more experienced PMs actually spend more time on the downside.

The reason is simple: the more time you’ve spent in Product Management, the more times you’ve been burned. The team releases “the” feature that was supposed to change everything for the product - and everything remains the same.

When you reach this stage, product management becomes less about figuring out what new feature could deliver great value, and more about de-risking the choices you have made to deliver the needed impact.

--

To do this systematically, I recommend considering Marty Cagan's classical 4 Risks.

𝟭. 𝗩𝗮𝗹𝘂𝗲 𝗥𝗶𝘀𝗸: 𝗧𝗵𝗲 𝗦𝗼𝘂𝗹 𝗼𝗳 𝘁𝗵𝗲 𝗣𝗿𝗼𝗱𝘂𝗰𝘁

Remember Juicero? They built a $400 Wi-Fi-enabled juicer, only to discover that their value proposition wasn’t compelling. Customers could just as easily squeeze the juice packs with their hands. A hard lesson in value risk.

Value Risk asks whether customers care enough to open their wallets or devote their time. It’s the soul of your product. If you can’t match how much they value their money or time, you’re toast.

𝟮. 𝗨𝘀𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗥𝗶𝘀𝗸: 𝗧𝗵𝗲 𝗨𝘀𝗲𝗿’𝘀 𝗟𝗲𝗻𝘀

Usability Risk isn't about if customers find value; it's about whether they can even get to that value. Can they navigate your product without wanting to throw their device out the window?

Google Glass failed not because of value but usability. People didn’t want to wear something perceived as geeky, or that invaded privacy. Google Glass was a usability nightmare that never got its day in the sun.

𝟯. 𝗙𝗲𝗮𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆 𝗥𝗶𝘀𝗸: 𝗧𝗵𝗲 𝗔𝗿𝘁 𝗼𝗳 𝘁𝗵𝗲 𝗣𝗼𝘀𝘀𝗶𝗯𝗹𝗲

Feasibility Risk takes a different angle. It's not about the market or the user; it's about you. Can you and your team actually build what you’ve dreamed up?

Theranos promised the moon but couldn't deliver. It claimed its technology could run extensive tests with a single drop of blood. The reality? It was scientifically impossible with their tech. They ignored feasibility risk and paid the price.

𝟰. 𝗩𝗶𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗥𝗶𝘀𝗸: 𝗧𝗵𝗲 𝗠𝘂𝗹𝘁𝗶-𝗗𝗶𝗺𝗲𝗻𝘀𝗶𝗼𝗻𝗮𝗹 𝗖𝗵𝗲𝘀𝘀 𝗚𝗮𝗺𝗲

(Business) Viability Risk is the "grandmaster" of risks. It asks: Does this product make sense within the broader context of your business?

Take Kodak for example. They actually invented the digital camera but failed to adapt their business model to this disruptive technology. They held back due to fear it would cannibalize their film business.

--

This systematic approach is the best way I have found to help de-risk big launches. How do you like to de-risk?
-
I’m so happy to see this! Yesterday, the ISO published a new standard, ISO/IEC 42001:2023 for AI Management Systems. My suspicion is that it will become as important to the AI world as ISO/IEC 27001 arguably became the most important standard for information security management systems. The standard provides a comprehensive framework for establishing, implementing, maintaining, and improving an artificial intelligence management system within organisations. It aims to ensure responsible AI development, deployment, and use, addressing ethical implications, data quality, and risk management. This set of guidelines is designed to integrate AI management with organisational processes, focusing on risk management and offering detailed implementation controls. Key aspects of the standard include performance measurement, emphasising both quantitative and qualitative outcomes, and the importance of AI systems’ effectiveness in achieving intended results. It mandates conformity to requirements and systematic audits to assess AI systems. The standard also highlights the need for thorough assessment of AI's impact on society and individuals, stressing data quality to meet organisational needs. Organisations are required to document controls for AI systems and rationalise their decisions, underscoring the role of governance in ensuring performance and conformance. The standard calls for adapting management systems to include AI-specific considerations like ethical use, transparency, and accountability. It also requires continuous performance evaluation and improvement, ensuring AI systems' benefits and safety. ISO/IEC 42001:2023 aligns closely with the EU AI Act. The AI Act classifies AI systems into prohibited and high-risk categories, each with distinct compliance obligations. ISO/IEC 42001:2023's focus on ethical AI management, risk management, data quality, and transparency aligns with these categories, providing a pathway for meeting the AI Act’s requirements. 
The AI Act's prohibitions include specific AI systems like biometric categorisation and untargeted scraping for facial recognition. The standard may help guide organisations in identifying and discontinuing such applications. For high-risk AI systems, the AI Act mandates comprehensive risk management, registration, data governance, and transparency, which the ISO/IEC 42001:2023 framework could support. It could assist providers of high-risk AI systems in establishing risk management frameworks and maintaining operational logs, ensuring non-discriminatory, rights-respecting systems. ISO/IEC 42001:2023 may also aid users of high-risk AI systems in fulfilling obligations like human oversight and cybersecurity. It could potentially assist in managing foundation models and General Purpose AI (GPAI), necessary under the AI Act. This new standard offers a comprehensive approach to managing AI systems, aiding organisations in developing AI that respects fundamental rights and ethical standards.
-
Important reminder for fire safety professionals: Many assume drone technology is just a fancy add-on to firefighting operations. It's not. It's rapidly becoming the backbone of modern fire response. Don't think of drones as merely "cool tech." Think of them as essential lifesaving tools that fundamentally transform how we approach wildfires. I get it — some of you might work in departments with limited budgets. But for most of us, this technology is becoming essential. Don't be hesitant. Don't be resistant to change. Remember, your primary responsibility is protecting lives and property in the most effective way possible. The fire response landscape is shifting rapidly. While drones are making headlines today for: ↪ Reaching hotspots faster than human crews ↪ Deploying fire retardants with precision ↪ Mapping fires with AI-powered sensors Tomorrow will bring even more revolutionary tools. Think night-vision drones that can operate 24/7. Think drone swarms that can create water vapor barriers. Think predictive AI that can forecast a fire's path hours in advance. The integration of robotics, AI, and advanced materials is creating firefighting systems we could only dream of a decade ago. Stay tuned over the next week for precise details on how these emerging technologies are being tested and implemented across the country! What firefighting technology beyond drones are you most interested in learning about? ✍️ Your insights can make a difference! ♻️ Share this post if it speaks to you, and follow me for more.
-
See how a small drone can cause big problems! ✈️⚠️ This slow motion clip shows the danger of flying drones near airplanes. A collision can cause severe damage to the aircraft and put lives at risk. These types of incidents not only compromise the structural integrity of aircraft, but can also lead to critical emergency situations.

Advice:

1. Keep your drone away from airports and flight paths:
   - Regulations: Make sure you know and follow local regulations regarding the use of drones. Most countries prohibit flying drones near airports and over densely populated areas.
   - No-fly zones: Use available applications and maps that show areas where flying drones is not allowed.
2. Responsible flying:
   - Line of sight: Always keep your drone within your line of sight. This will allow you to react quickly to any obstacles or imminent danger.
   - Altitude: Don't fly your drone too high. Most regulations establish a maximum altitude limit to avoid interference with air traffic.
3. Education and training:
   - Piloting courses: Consider taking a drone piloting course. These courses teach you essential skills and familiarize you with regulations and good practices.
   - Constant updating: Stay informed about new regulations and technologies related to the use of drones. The industry is constantly evolving, and staying up to date will help you fly safer.
4. Technology and equipment:
   - Drones with geofencing: Use drones that have geofencing technology, which automatically prevents the drone from entering restricted areas.
   - Maintenance: Perform regular maintenance on your drone to ensure all systems are working properly. A drone in poor condition is more prone to failures that can cause accidents.

Remember, flying irresponsibly is not only illegal, but it also endangers many lives. Safety is the responsibility of all drone operators. Always fly responsibly!

#DroneSafety #AviationSafety #FlyResponsibly
-
"Now is an especially important time for Western nations to address AI data center security...Because AI data centers are of such high strategic importance, the threats they face will be substantial. Chinese cyber operations are particularly capable. State-sponsored Chinese hacking groups have demonstrated the ability to penetrate critical US networks and infrastructure and remain undetected for months or even years. Because private firms do not bear the full societal costs of a cyber breach—including harm to national security and competitors—they are likely to underinvest in security. However, even high-security government systems are frequently breached by foreign actors.

Drawing on interviews with and input from 21 experts in cyber and hardware security, this report assesses the state of AI data center security and offers four recommendations for policymakers. To accelerate AI data center security, Western nations should:

- Develop an AI data center security standard. No security standard exists specifically for AI data centers despite their unique vulnerabilities. A standard should be developed in phases, beginning with a baseline of current best practices before advancing to levels sufficient to protect against sophisticated nation-state attackers. An AI data center security standard would enable governments to set procurement and export requirements while allowing companies to credibly signal security posture to investors, insurers, and customers.
- Fund and incentivize key R&D projects. Important defensive technologies against advanced nation-state threats remain underfunded. Governments can accelerate this technological development through a mixture of funding mechanisms, including Defense Advanced Research Projects Agency (DARPA)-style programs. The research should prioritize neglected but critical areas, including hardening AI chips against side-channel attacks, securing hardware supply chains, and preventing model weight exfiltration.
- Establish cyber incident and near-miss intelligence sharing between AI companies and governments. Most AI companies are not currently required to report incidents. OpenAI, for example, chose not to notify authorities after a significant 2023 breach, having judged the attacker to be acting alone, without any connection to a foreign government. Visibility into security incidents would enable governments to better understand the threat landscape and share declassified threat intelligence with companies.
- Identify key AI data center components that are now sourced from China, and shift those supply chains to more trusted locations. AI data centers are currently dependent on some components manufactured in China, which creates persistent supply chain attack vulnerabilities and constitutes a chokepoint that adversaries can exploit. Governments should comprehensively map these dependencies and then take steps to decouple."

Erich Grunewald Asher Brass Gershovich Institute for AI Policy and Strategy (IAPS)
-
Operational Risk Management: “Why did no one see this coming?” That was the question echoing across the room during a post-incident review. A critical system had failed—not due to negligence, but because the warning signs were either missed or never measured. That day taught me something valuable: Operational Risk Management isn’t about putting out fires. It’s about building a system that senses the smoke before there’s even a spark. That’s where tools like Risk & Control Self-Assessment (RCSA), Key Risk Indicators (KRIs), Control Assurance (CA), and Incident Management (IM) come into play. These aren’t just checkboxes—they’re the pillars of a proactive risk culture. • RCSA helps us spot weaknesses before they become issues. • KRIs give us the data to predict and prevent risk events. • Control Assurance keeps us honest about what’s working—and what’s not. • Incident Management ensures that when things do go wrong, we learn fast and recover smarter. Operational risk isn’t just about compliance—it’s about business resilience, reputation, and trust. Let’s prioritize it! #OperationalRisk #RCSA #KRIs #ControlAssurance #IncidentManagement #RiskManagement #Governance #Banking #BusinessContinuity #Leadership #ORM
-
Risk Based Inspection in the age of Industry 4.0 Traditional Risk Based Inspection has served industry well, but the actual risk is not static. We assess risk at a point in time, then wait months or years before reassessing → hoping nothing significant changes in between. In the age of Industry 4.0 and Predictive Analytics, that approach is rapidly becoming obsolete. The evolution from traditional to monitoring-enhanced RBI represents more than just technological advancement → it's a fundamental shift in how we understand and manage asset integrity. Traditional RBI Foundations: Built on API 580 and 581 standards, traditional RBI provides structured frameworks for calculating Probability of Failure (PoF) and Consequence of Failure (CoF). These periodic, static assessments create inspection schedules based on risk rankings at specific moments in time. The monitoring enhanced Evolution: Modern RBI integrates real-time sensor data, predictive analytics, and machine learning to create dynamic risk profiles that evolve continuously. Instead of waiting for scheduled reassessments, risk calculations update automatically as conditions change. Here are the key technological enablers: → Smart sensors and IoT networks providing continuous condition monitoring → Data-driven FMEA models that identify failure patterns humans might miss → Predictive Analytics simulate degradation scenarios under various operating conditions → Risk visualization platforms that make complex data accessible to decision-makers API Standards Integration: This evolution aligns with existing API frameworks → 580/581 for quantitative risk modeling. The transformation delivers tangible benefits: earlier anomaly detection, optimized inspection planning, reduced costs, and enhanced regulatory compliance. Most importantly, it transforms risk management from a periodic exercise into a continuous capability. The technology exists today to make this transition. 
The question is not when but how fast the organizations will adopt this evolution or wait for others to prove its value. How is your facility preparing to integrate real-time data into your risk-based inspection strategy?
-
𝐑𝐞𝐟𝐥𝐞𝐜𝐭𝐢𝐧𝐠 𝐨𝐧 𝐚𝐥𝐥 𝐭𝐡𝐞 𝐬𝐮𝐩𝐩𝐥𝐢𝐞𝐫𝐬 𝐈’𝐯𝐞 𝐬𝐨𝐮𝐫𝐜𝐞𝐝, 𝐨𝐧𝐞 𝐭𝐡𝐢𝐧𝐠 𝐢𝐬 𝐜𝐥𝐞𝐚𝐫: 𝐩𝐫𝐨𝐜𝐞𝐬𝐬 𝐦𝐚𝐭𝐭𝐞𝐫𝐬. Taking shortcuts can lead to wasted money and a world of headaches downstream. (𝘙𝘢𝘪𝘴𝘦 𝘺𝘰𝘶𝘳 𝘩𝘢𝘯𝘥 𝘪𝘧 𝘺𝘰𝘶'𝘷𝘦 𝘦𝘷𝘦𝘳 𝘣𝘦𝘦𝘯 𝘢𝘴𝘬𝘦𝘥 𝘵𝘰 𝘧𝘢𝘴𝘵-𝘵𝘳𝘢𝘤𝘬 𝘙𝘍𝘗 𝘳𝘦𝘲𝘶𝘪𝘳𝘦𝘮𝘦𝘯𝘵𝘴, 𝘰𝘳 𝘩𝘢𝘥 𝘭𝘦𝘢𝘥𝘦𝘳𝘴 𝘱𝘶𝘴𝘩 𝘧𝘰𝘳 𝘤𝘦𝘳𝘵𝘢𝘪𝘯 𝘴𝘶𝘱𝘱𝘭𝘪𝘦𝘳𝘴, 𝘪𝘨𝘯𝘰𝘳𝘪𝘯𝘨 𝘮𝘢𝘵𝘦𝘳𝘪𝘢𝘭 𝘳𝘪𝘴𝘬𝘴?!) 𝐖𝐡𝐚𝐭 𝐈'𝐯𝐞 𝐥𝐞𝐚𝐫𝐧𝐞𝐝: 💡 𝙁𝙤𝙘𝙪𝙨 𝙛𝙞𝙧𝙨𝙩: Be specific about your needs in RFx docs. If you’re unclear, suppliers will be, too. Before going to RFP, always have quantifiable evaluation criteria finalized and approved by the Spend Owner. 💡 𝙄𝙩’𝙨 𝙣𝙤𝙩 𝙟𝙪𝙨𝙩 𝙥𝙧𝙞𝙘𝙚: The cheapest option often costs the most in the long run. Prioritize value over price. Suppliers who price things materially lower than benchmark norms usually cut corners somewhere to meet margins. 💡 𝘾𝙝𝙚𝙘𝙠 𝙧𝙚𝙛𝙚𝙧𝙚𝙣𝙘𝙚𝙨 𝙩𝙝𝙤𝙧𝙤𝙪𝙜𝙝𝙡𝙮: Source independent references via your network. Past performance tells the real story. Ask the right questions and listen closely to the answers. 💡 𝙏𝙝𝙞𝙣𝙠 𝙖𝙝𝙚𝙖𝙙: Can the supplier grow and evolve with your business? Are they innovative and flexible? Does their company culture and ways of working align with yours? 💡 𝙆𝙣𝙤𝙬 𝙩𝙝𝙚 𝙧𝙞𝙨𝙠𝙨: Most suppliers come with some level of risk, the key is understanding and managing it. Conduct due diligence on short-listed suppliers. Outputs should inform the down-selection process, with material deficiency action items included in the contract. 💡 𝘾𝙝𝙤𝙤𝙨𝙚 𝙥𝙖𝙧𝙩𝙣𝙚𝙧𝙨, 𝙣𝙤𝙩 𝙫𝙚𝙣𝙙𝙤𝙧𝙨: The best suppliers care about your long-term success and aligning with your goals. Look at proposals holistically, thinking beyond the transaction and into value creation. 𝐇𝐞𝐫𝐞’𝐬 𝐭𝐡𝐞 𝐭𝐡𝐢𝐧𝐠: Looking back, I’ve been at firms in seasons where costs were prioritized over total value, often leading to short-term gains but long-term challenges. There were times I should’ve taken a firmer stance about material supplier risks identified and bias in the selection process. As procurement peeps, we provide recommendations based on long-term value, risk management, and partnership potential. 
This includes having the courage to speak up with informed and actionable guidance when things don't pass muster. The goal is to ensure sourcing outcomes build a foundation for success, not just a quick win. 📢 𝙋.𝙎. 𝙒𝙝𝙖𝙩 “𝙨𝙘𝙝𝙤𝙤𝙡 𝙤𝙛 𝙝𝙖𝙧𝙙 𝙠𝙣𝙤𝙘𝙠𝙨” 𝙨𝙤𝙪𝙧𝙘𝙞𝙣𝙜 𝙡𝙚𝙨𝙨𝙤𝙣𝙨 𝙬𝙤𝙪𝙡𝙙 𝙮𝙤𝙪 𝙨𝙝𝙖𝙧𝙚 𝙬𝙞𝙩𝙝 𝙮𝙤𝙪𝙧 𝙮𝙤𝙪𝙣𝙜𝙚𝙧 𝙥𝙧𝙤𝙘𝙪𝙧𝙚𝙢𝙚𝙣𝙩 𝙨𝙚𝙡𝙛?
-
I have recently been asked to share my learnings about Business Continuity (BC) with the IIRSM emerging risk leaders group. I decided to start with some of the common misunderstandings about BC that I have come across in the past year.

1. BC is just a disaster recovery plan
Reality: Disaster recovery is a specific term used for IT systems and data recovery after an event but it is often used in error for the recovery of facilities too. While disaster recovery focuses on restoring technology, BC ensures that essential processes, people, suppliers, facilities, and communications can continue during disruption.
Why it matters: Focusing on IT means other operations may be missed. BC focuses on the recovery of critical processes and disaster recovery focuses on 'reconstruction' to resume normal operations.

2. BC can sit with our risk management function
Reality: Risk management aims to reduce the likelihood of threats. BC assumes that threats will still materialise and focuses on how to operate despite them. When BC sits in the risk management function, less resource may be allocated to the discipline.
Why it matters: Risk management without BC is like having fire prevention measures without a fire evacuation plan.

3. A Crisis management team and BC management team are the same
Reality: Crisis management is about leading the organisation and making board decisions during an unexpected event. If you have a good BC management team, then an event is less likely to become a reputational crisis! In smaller organisations they may be the same team.
Why it matters: Crisis management is the captain steering the ship; BC is the crew keeping the engines running. I see crisis management as the Gold (strategic) level and BC teams as the Silver (tactical) level.

4. BC is just making sure you have contingency plans in place
Reality: A contingency plan focuses on specific scenarios, where BC is broader and more strategic, focusing on continuing operations, regardless of the cause of disruption.
Why it matters: A contingency plan is an immediate and short term response to a specific problem or risk identified, where a BC plan covers the full timeline - before, during and after a disruption - to minimise operational downtime and maintain essential processes over a longer duration.

5. Resilience and BC are interchangeable terms
Reality: BC is the capability to keep essential functions running during disruption whilst Resilience is the capacity to adapt and emerge stronger over time. BC is a tool within resilience-building, but resilience also involves culture, adaptability, and long-term strategy.
Why it matters: A resilient organisation can adapt to unknown threats. BC alone may be too narrow.

How They Fit Together
Risk Management, Crisis Management, Disaster Recovery and Business Continuity are all very different, but interconnected, parts of Organisational Resilience. No one is more or less important than the other to keep a business, in business.