How to improve in risk management?

Román Ramírez
13 min read · Apr 12, 2021

This post is mainly focused on cybersecurity, but its premises apply equally to any market where risk management is a key element of strategy.

Initial ideas

I am not sure whether to say I had the luck (or the misfortune) of being part of several projects where risk management was an important area: from project lifecycles in several contexts, to huge transformation projects, master plans and threat evaluations.

How the governance of these projects is handled is always the most relevant element: a project with poor management tends to become a disaster. Governance is extremely important; please note here the difference between management and governance. We’ll get back to this.

In all of them I saw repeated problems, which I enumerate in the following list:

  • Inventory of what is relevant: confusing many times, and many times impossible to complete (in my opinion, a money pit).
  • Threat inventories that make no sense: they pay attention to irrelevant things, while other things with critical impact are missing.
  • Biased or outright fake likelihood: it is questionable that anyone can have real likelihood information about anything, and even more questionable are biased likelihood values aimed at reducing the official risk level of a threat.
  • Sloppy impact evaluations: in many cases the impact of a threat is evaluated in a localized, particular and asset-isolated way. Not…


Román Ramírez

Cybersecurity and technology expert. Looking for challenges on changing society and hacking minds and attitudes.