Introduction to risk management exercises
Risk management is the practice of deciding what to protect, understanding what threatens it, and making deliberate choices about where to invest limited capacity. Done as a series of workshops rather than as a documentation exercise, it produces decisions that the people responsible for them actually understand and own.
The ChangeShop framing applies from the outset. Risk management processes produce shelfware when the documentation is treated as the output. The documentation is not the output. The output is a shared understanding of what the organisation is exposed to, a set of prioritised decisions about what to do about it, and the conditions under which those decisions will actually be implemented. A risk register that accurately describes the organisation’s exposure and is then not acted upon has not produced risk management. It has produced a description of risk that the organisation chose not to address.
Understanding why this happens is the prerequisite for designing a process that avoids it. The usual reasons are familiar from ChangeShop: unclear ownership (nobody is responsible for implementing a treatment), incentive misalignment (the people who would implement treatments are not rewarded for doing so and bear the cost of disruption if something goes wrong), and the absence of conditions that make safe action possible (implementing a control requires changing a system that nobody has the authority to change, or the budget to test properly, or the time to implement without breaking something else).
A risk management programme designed with these dynamics in mind looks different from one designed as if the organisation were a rational actor that responds predictably to documentation.
Who needs to be in the room
The exercises in this section require the people who know what the organisation depends on (operational knowledge), the people who understand what threatens it (technical and threat intelligence knowledge), and the people who have the authority to make decisions about treatment (decision-making authority).
If the last group is absent, the exercises will produce accurate risk documentation that nobody has the authority to act on. That is the most common failure mode.
How to use this set
Work through the exercises in order, because each one produces the inputs the next depends on: what matters, what could break it, how likely and how bad, what you can do, building the register, building the model, and finally from exercises to operations.
The exercises are designed to be concrete and practical. Abstract risk discussions that do not produce specific, owned findings with timelines are not producing risk management. They are producing risk conversation.
Examples
ISO 27001 risk assessment shows how the exercise outputs map to the structured requirements of information security management.
NIS2 compliance shows how critical asset analysis connects to the proportionate measures required for essential and important entities.