Risk management as a workshop process

Risk management is a structured process for deciding what to protect, understanding what threatens it, and making deliberate choices about where to invest limited capacity. Done as a series of workshops rather than as a documentation exercise, it produces decisions that the people responsible for them actually understand and own.

The full risk management process lives in its own section of this documentation. What follows describes where it sits among the family of analytical processes.

What kind of process it is

Risk management works with the organisation’s assets and asks which threats are realistic, how likely they are to materialise, and what the impact would be. This makes it the process for translating the outputs of threat modelling and scenario planning into prioritised action.

The ChangeShop framing applies directly here. Risk management processes often produce documentation that accurately describes the organisation’s risk landscape and is then quietly set aside. The documentation was not the problem. The conditions for acting on it were not in place: no one owned the decisions, the incentive structures did not reward risk reduction, and the process was designed for a compliance audience rather than for the people doing the work. A risk management process that accounts for these dynamics produces different and more durable outputs.

Where it fits with the other processes

Threat modelling identifies the attack paths and the adversaries. Risk management uses those findings to ask: given what we know about how this organisation works, which of these threats are we actually going to address, in what order, and with what approach?

The forward-looking process feeds into risk management by surfacing emerging risks that the current assessment does not yet cover. A risk register that is only updated in response to incidents is always behind the threat landscape. A risk management programme that includes a regular forward-looking session can identify and account for risks that are developing but have not yet materialised.

Backward planning is useful within risk management for the treatment planning step: starting from the desired risk posture and working backwards to identify what needs to change, in what order, and what obstacles are likely to appear along the way.

Running it as a workshop

The risk management section of this documentation covers the full process: asset identification, vulnerability identification, risk assessment, treatment options, the risk register, risk modelling, and the path to operations. These are designed to be worked through with the people who know the organisation’s assets and the people who are responsible for protecting them.

The workshop format is not optional here. Risk assessments that happen in isolation from the people who operate the assets they describe are assessments of a model of the organisation, not the organisation itself. The workshops surface the gap between the documented architecture and the lived reality, and that gap is usually where the most important risks are.

The SEM connection is central: risk management is an ongoing process of testing and updating models. A risk register that is reviewed annually is a risk register that is wrong eleven months of the year. The goal of a well-designed risk management process is to make model drift visible and to shorten the cycle between when reality changes and when the assessment reflects that change.
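The two mechanics this page relies on, a register that ranks threats by likelihood and impact, and a review cycle short enough that model drift becomes visible, can be made concrete in a few lines. The following is an added example, not code from this documentation or its risk management section; the 1 to 5 scales, the multiplicative score, the 90-day review cadence and the sample entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Risk:
    """One line of the risk register (field names are assumptions)."""
    risk_id: str
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    owner: Optional[str]     # None means nobody has accepted the decision
    last_reviewed: date      # when the workshop last tested this entry
    treatment: str = "untreated"

    @property
    def score(self) -> int:
        # Simple likelihood x impact; real programmes often use a matrix instead.
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject scores outside the assumed scale before they enter the register."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.risk_id}: {name}={value} is outside 1..5")


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties go to the entry reviewed longest ago,
    so the least-tested assumption surfaces first in the workshop."""
    for risk in register:
        validate(risk)
    return sorted(register, key=lambda r: (-r.score, r.last_reviewed))


def stale_entries(register: List[Risk], today: date, max_age_days: int = 90) -> List[Risk]:
    """Entries whose last review is older than the cadence: the visible model drift."""
    return [r for r in register if (today - r.last_reviewed).days > max_age_days]


def unowned_entries(register: List[Risk]) -> List[Risk]:
    """Decisions nobody has taken responsibility for; these are the ones that get set aside."""
    return [r for r in register if not r.owner]


# Constructed sample register; assets, threats and dates are illustrative only.
SAMPLE_REGISTER = [
    Risk("R-1", "customer database", "credential stuffing against the admin portal",
         likelihood=4, impact=5, owner="platform team", last_reviewed=date(2024, 5, 15)),
    Risk("R-2", "build pipeline", "compromised third-party dependency",
         likelihood=3, impact=5, owner=None, last_reviewed=date(2023, 7, 1)),
    Risk("R-3", "office wifi", "rogue access point",
         likelihood=2, impact=2, owner="IT operations", last_reviewed=date(2024, 4, 20)),
    Risk("R-4", "backup storage", "ransomware encrypts backups",
         likelihood=3, impact=5, owner="infrastructure", last_reviewed=date(2024, 1, 10)),
]


def workshop_agenda(register: List[Risk], today: date) -> dict:
    """What a review session should open with: ranking, drift, and ownership gaps."""
    return {
        "ranked": [r.risk_id for r in prioritise(register)],
        "stale": [r.risk_id for r in stale_entries(register, today)],
        "unowned": [r.risk_id for r in unowned_entries(register)],
    }


if __name__ == "__main__":
    # Constructed "today" so the run is reproducible offline.
    agenda = workshop_agenda(SAMPLE_REGISTER, date(2024, 6, 1))
    for section, ids in agenda.items():
        print(f"{section}: {ids}")
```

The tie-break in `prioritise` is a deliberate design choice: when two entries carry the same score, the one the organisation has looked at least recently is the one whose likelihood and impact are most likely to be wrong, so it is the better use of workshop time. Running `workshop_agenda` at a fixed cadence, rather than annually, is what keeps the gap between reality and the register short.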