What gets protected firstΒΆ

Risk management decides what is worth protecting, what realistically threatens it, and where limited capacity goes. Run as a series of workshops rather than a document, it produces decisions the people accountable for them actually understand and own. The full process lives in risk assessment; the question here is where it sits among the analytical processes.

Its familiar failure is not analytical. A risk assessment can describe the landscape accurately and then be set quietly aside, not because the description was wrong but because nothing was in place to act on it: no one owned the decisions, nothing rewarded reducing risk, and the whole thing was pitched at an audience of auditors rather than at the people doing the work. An assessment that takes those conditions seriously tends to produce something more durable than one that only gets the numbers right.

It draws on the others and hands off to them. Threat modelling supplies the adversaries and the paths; risk management asks which of them an organisation will actually address, in what order, and how. A forward-looking session feeds it the risks that are still forming, the ones an assessment updated only after incidents will always trail. And working back from a desired posture is how a treatment plan finds its order and its likely obstacles.

The habit is the whole of it. A register reviewed once a year is out of date for most of the year; the aim is to shorten the gap between when reality moves and when the assessment notices, which asks for a shorter cycle and a room that holds the people who actually operate the assets, not a model of them.

Last updated: 8 July 2026