Tinkering with the ideas for IRM/ORM to tackle the post-heat-map world. The one that emerges once all the ones out there take the truth seriously, which would lead to:
And for the nay-(not…)sayers, this post, to illuminate the destructive cling-to-failure-mode thinking of many still in RM.
After which there is still tons of stuff to manage in the IRM/ORM arena [the difference set between those, shrinks fast ..!]. Risk registers cut it as little, slim-to-none, as the heat map fallacies.
Triggered among others by this illuminating post by Graeme Keith that almost matter-of-factly outlines a portfolio approach to operational risks that can be used in so many places, much better than the common list of risks.
Since, e.g., the portfolio approach better suits the complexity of interactions, i.e., correlations, between threats, controls and control weaknesses (including interactions between them, and every control creates its own extra (sic) set of vulnerabilities, etc.), and vulnerabilities in all sorts of non-linear (sic) ways.
And also, this picks up on the (other) strand of ‘quantitative as far as that goes’ of this, this and this post. The latter being an illustrative example of the vicious circles of ever complexicating methodological troubles that characterise end-of-times thinking in wrong (dead-end alley) directions.
For now, I’ll let you have fun digesting the above. Just remember: Portfolios are the Future ..!
[But it is Art; Tate Modern many years ago]