<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>NoFuss Consulting</title><link>https://www.nofuss.consulting/blog/index.xml</link><description>We believe knowledge should be accessible to anyone willing to learn. This blog is where we share what we know about risk and security management, openly and without gatekeeping. The content is organised in three streams. Managing Risk and Managing Security are structured curricula — sequential posts that build on each other, covering governance, methodology, and practice from the ground up. Random Thoughts is everything else we have to share that doesn&amp;rsquo;t fit neatly into either curriculum.</description><atom:link href="https://www.nofuss.consulting/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>Two approaches to managing risk</title><link>https://www.nofuss.consulting/blog/risk/r2-two-approaches/</link><pubDate>Sun, 29 Mar 2026 00:00:00 +0100</pubDate><description>Among the first decisions a risk practitioner faces is whether to express risk
quantitatively or qualitatively. We consider this framing to be a red herring.
The meaningful distinction is not between methods,
but between results.</description><content:encoded>&lt;p&gt;In the &lt;a href="https://www.nofuss.consulting/blog/risk/r1-what-is-risk/" class="a--internal"
&gt;&lt;span class="a__text"&gt;previous post&lt;/span&gt;&lt;/a&gt;
we adopted a view on risk grounded in decision theory:
risk represents the basis on which rational decisions are made.
We also aligned with &lt;a href="https://www.iso.org/standard/65694.html"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;ISO 31000&lt;/span&gt;&lt;/a&gt;
by accepting their definition of risk as the effect of uncertainty on objectives.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;The ultimate common mode failure would be a failure of the risk management process itself.
A weak risk management approach is effectively the biggest risk in the organization.
— Douglas W. Hubbard, &amp;ldquo;The Failure of Risk Management&amp;rdquo; second edition&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Below we will discuss a common problem in risk management practice
and make an argument for what we believe is the right approach forward.
But since this series is intended for readers who may not be fluent in risk management,
we first need to provide an overview of how risk management activities relate to each other.&lt;/p&gt;
&lt;h2 id="risk-management-overview"&gt;Risk management overview&lt;/h2&gt;
&lt;p&gt;While risk management frameworks differ in specific aspects,
almost all share a common view on the high-level concepts involved.
The following diagram (inspired by &lt;a href="https://www.opengroup.org/open-fair"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;Open FAIR™&lt;/span&gt;&lt;/a&gt;
)
illustrates how risk management activities relate:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.nofuss.consulting/img/risk-hierarchy-diagram.svg" alt="Risk management landscape"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Risk governance&lt;/strong&gt; provides the overall steering for the rest of the management process.
In it, leadership sets the organisation&amp;rsquo;s thresholds for what is acceptable
and oversees whether the risk management process is functioning as intended.
Governance does not manage risks directly; it sets the rules and ensures they are followed.
To the outside world, those involved in governing risk are typically those held accountable.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Risk management&lt;/strong&gt; operates within the framework set by governance.
It is the ongoing process of understanding, deciding on, and responding to risks,
as well as reporting to those responsible for governance,
monitoring whether the responses are working,
and occasionally re-evaluating identified risks.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Risk assessment&lt;/strong&gt; is part of the management process and groups the analytical steps:
identifying what risks exist, analysing how likely they are and what impact they could have,
and evaluating whether the resulting level of risk is acceptable given the thresholds
set by governance.
It is common for people to use &amp;ldquo;risk assessment&amp;rdquo; and &amp;ldquo;risk analysis&amp;rdquo; interchangeably,
but the diagram above should make the distinction clear.&lt;/p&gt;
&lt;p&gt;We will work through each of these areas in detail throughout this series.
But before we do that, we need to look at an issue that underpins
all the activities mentioned — the way risk is expressed and communicated.
Most risk management frameworks are agnostic to it,
but as we will see, it is critical for the overall success of a risk management system.&lt;/p&gt;
&lt;h2 id="a-red-herring-qualitative-vs-quantitative-methods"&gt;A red herring: qualitative vs. quantitative methods&lt;/h2&gt;
&lt;p&gt;Among the first decisions a risk practitioner needs to make when adopting a risk management
framework is whether to express risk quantitatively or qualitatively.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Quantitative&lt;/strong&gt; methods are rooted in statistics.
When adopted, risk properties are expressed and analysed using well-established quantities
such as probability of an event occurring and loss expressed in financial terms.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Qualitative&lt;/strong&gt; methods, on the other hand, use descriptive (nominal) or ranking (ordinal) scales
to convey the properties of a risk. Most commonly, matrices with 3–7 steps in each dimension
are used to rank or classify a risk&amp;rsquo;s likelihood and impact.&lt;/p&gt;
&lt;p&gt;We consider this framing a red herring because it forces the discussion to be about methods,
distracting from the real issue: what do we try to achieve by adopting a risk management framework?
Arguing whether to express risk quantitatively or qualitatively is like arguing
whether to wear brown or black boots on our next hiking tour;
if neither provides proper support for the route, the colour is irrelevant.&lt;/p&gt;
&lt;h3 id="risk-matrices-are-worse-than-useless"&gt;Risk matrices are worse than useless&lt;/h3&gt;
&lt;p&gt;Before we lose half our readers with that statement, let us qualify it:
risk matrices are worse than useless &lt;em&gt;if our goal is rational decision-making and due diligence&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;Researchers and practitioners, such as Douglas W. Hubbard
from whose work we draw extensively in our practice,
have dedicated &lt;a href="https://hubbardresearch.com/"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;several books&lt;/span&gt;&lt;/a&gt;
to this topic.
The core of the argument is that labels such as &amp;ldquo;Rare&amp;rdquo;, &amp;ldquo;High&amp;rdquo;, or &amp;ldquo;Low-Medium&amp;rdquo;
are too vague to convey what an assessor actually believes about the properties of a risk.&lt;/p&gt;
&lt;p&gt;Further, studies in psychology and behavioural economics,
including those by Nobel laureate Daniel Kahneman,
have shown that human judgement is subject to biases
that systematically distort how we perceive and evaluate uncertainties.
These biases affect quantitative estimates as well,
but when an assessor&amp;rsquo;s judgement is masked behind a layer of vague labels,
there is no way to objectively monitor — and therefore improve —
the quality of the risk management system over time.&lt;/p&gt;
&lt;p&gt;Even ISO, which otherwise accepts qualitative methods as a viable option, acknowledges:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Qualitative and semi-quantitative techniques can be used only to compare risks with other risks
measured in the same way or with criteria expressed in the same terms. They cannot be used
for directly combining or aggregating risks and they are very difficult to use in situations where
there are both positive and negative consequences or when trade-offs are to be made between risks.
— ISO/IEC 31010:2019&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;What ISO doesn&amp;rsquo;t state, however, is that measuring risks &amp;ldquo;in the same way&amp;rdquo; or
with &amp;ldquo;criteria expressed in the same terms&amp;rdquo; is practically impossible
the moment more than one person is involved in the process.
Our &amp;ldquo;Medium&amp;rdquo; is almost certainly different from your &amp;ldquo;Medium&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;Risk matrices are not just useless, but they actively harm
both the organisations that use them and the risk management field in general.
If you engage with any community of people involved in enterprise or security risk management,
outside of formal settings, you will encounter a significant amount of cynicism about the practice.
Many consider the whole exercise to be a corporate and regulatory charade.
Even when adopted honestly, risk matrices inevitably end with people
providing arbitrary input to arrive at a desired, already-decided output.&lt;/p&gt;
&lt;h3 id="its-not-all-doom-and-gloom-for-qualitative-methods"&gt;It&amp;rsquo;s not all doom and gloom for qualitative methods&lt;/h3&gt;
&lt;p&gt;You might have noticed that we began by discussing &amp;ldquo;qualitative methods&amp;rdquo;
but then proceeded to criticise risk matrices specifically.
This is neither because we are sloppy with terminology,
nor because we have maliciously set up a straw man to attack.
Where qualitative methods fail is in how risks are &lt;em&gt;scored&lt;/em&gt; and communicated.
Risk matrices dominate this area by a large margin, which is why we singled them out.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Information can be gathered from sources such as literature reviews, observations,
and expert opinion … It is common to encounter problems where there is both data and
subjective information. Bayesian analysis enables both types of information to be used
in making decisions.
— ISO/IEC 31010:2019&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;For the rest of this series, as in our practice, we adopt a &lt;em&gt;subjective&lt;/em&gt;
&lt;a href="https://en.wikipedia.org/wiki/Probability_interpretations"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;interpretation of probability&lt;/span&gt;&lt;/a&gt;
in which instead of frequency or propensity of some phenomenon,
probability is interpreted as reasonable expectation representing
a state of knowledge or as quantification of a personal belief.&lt;/p&gt;
&lt;p&gt;Under this interpretation, both quantitative methods (such as formulas and algorithms)
and qualitative methods (brainstorming, bow-tie analysis, causal mapping, and others)
are useful, as long as they reduce the uncertainty regarding a risk at hand.&lt;/p&gt;
&lt;h2 id="common-arguments-against-quantitative-methods"&gt;Common arguments against quantitative methods&lt;/h2&gt;
&lt;p&gt;Much of what follows overlaps with arguments that Hubbard addresses in his books.
If you are interested in the details we strongly recommend
&lt;a href="https://hubbardresearch.com/"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;his work&lt;/span&gt;&lt;/a&gt;
— it is a valuable asset to any risk practitioner,
even if you don&amp;rsquo;t fully agree with the arguments.&lt;/p&gt;
&lt;h3 id="quantitative-methods-are-too-difficult"&gt;Quantitative methods are too difficult&lt;/h3&gt;
&lt;p&gt;Ⅰ: Maybe to some extent, but probably not as difficult as people think.&lt;/p&gt;
&lt;p&gt;Ⅱ: Why do we expect rational decision-making to be easy?&lt;/p&gt;
&lt;p&gt;To define and implement a methodology for quantitative risk analysis,
one does need familiarity with probability theory, decision theory, and related fields.
This is especially true for domains like insurance or pharmaceutical research
where precise predictive modelling is required.
But for the vast majority of domains where risk matrices are used today,
an undergraduate-level familiarity with statistics is sufficient to get started.
The users of the system need even less, as long as their roles are facilitated
by a competent person.&lt;/p&gt;
&lt;p&gt;The more important question is whether it is truly easier
to make a &lt;em&gt;rational decision&lt;/em&gt; when risks are expressed qualitatively.
Imagine you are about to undergo a serious surgery
and you have narrowed your choice to two clinics, each offering a different method.
Would you rather each told you the risk is &amp;ldquo;low&amp;rdquo; and recovery time &amp;ldquo;decent&amp;rdquo;,
or gave you recovery time in days and complication rates by type?&lt;/p&gt;
&lt;p&gt;If a decision is obvious and easy to make, you don&amp;rsquo;t need risk management to support it.&lt;/p&gt;
&lt;h3 id="quantitative-techniques-require-high-quality-data"&gt;Quantitative techniques require high-quality data&lt;/h3&gt;
&lt;p&gt;Ⅰ: Do they really?&lt;/p&gt;
&lt;p&gt;Ⅱ: How do qualitative methods compensate for the lack of high-quality data?&lt;/p&gt;
&lt;p&gt;This one comes straight from ISO/IEC 31010:2019 &amp;ldquo;Risk management — Risk assessment techniques&amp;rdquo;.
The fact is, however, that decision science applies quantitative methods precisely &lt;em&gt;because&lt;/em&gt;
we don&amp;rsquo;t always have high-quality data.
If we had such data we wouldn&amp;rsquo;t need probabilistic models.
The decision criteria for such environments are straightforward
and well within introductory-level material.&lt;/p&gt;
&lt;p&gt;Some will argue that we have more data than most people think, which is true.
But the more important question is: how do risk matrices avoid the need for high-quality data
if they truly support decisions?
Whatever methods one used to form a qualitative score
can also be applied to construct a quantitative estimate.
The latter would at least enable us to measure our accuracy over time.&lt;/p&gt;
&lt;h3 id="some-aspects-of-risk-are-intangible-and-cannot-be-measured"&gt;Some aspects of risk are intangible and cannot be measured&lt;/h3&gt;
&lt;p&gt;A couple of &lt;a href="https://hubbardresearch.com/product-category/publications/how-to-measure-anything/"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;Hubbard&amp;rsquo;s books&lt;/span&gt;&lt;/a&gt;
address exactly this topic.
Our reinterpretation of the argument is as follows:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;There is no such thing as &lt;em&gt;perfect measurement&lt;/em&gt;.
Measurement is always an approximation and the objective is to reduce
the uncertainty to acceptable levels.&lt;/li&gt;
&lt;li&gt;We measure things by making observations.&lt;/li&gt;
&lt;li&gt;We are concerned about things because they have observable manifestations we care about.&lt;/li&gt;
&lt;li&gt;Therefore things that we are concerned about can, in principle, be measured.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The real challenge is to do so with a satisfactory level of accuracy.
But even if we can&amp;rsquo;t reach such a level, reduced uncertainty is better than making decisions blindly.&lt;/p&gt;
&lt;p&gt;Take a common example of an intangible: business reputation.
There are different reasons why someone might care about his or her reputation,
but in business this almost always connects to gaining or losing market share.
So instead of arguing about reputation in the abstract, one can observe more tangible indicators:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Have sales volumes changed?&lt;/li&gt;
&lt;li&gt;Has the conversion rate from leads to customers shifted?&lt;/li&gt;
&lt;li&gt;Is revenue growing in proportion to marketing investment?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;None of these is a perfect proxy for reputation, but each is observable and measurable.&lt;/p&gt;
&lt;h2 id="how-can-we-tell-what-works"&gt;How can we tell what works?&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;If you base medicine on science, you cure people.
If you base the design of planes on science, they fly.
If you base the design of rockets on science, they reach the moon.
— Richard Dawkins&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;We are not researchers and cannot claim to have a mountain of evidence on what works.
Also, simply adopting quantitative methods does not automatically yield better results.
The &lt;a href="https://en.wikipedia.org/wiki/McNamara_fallacy"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;McNamara fallacy&lt;/span&gt;&lt;/a&gt;
,
for example, shows how otherwise sound methods can lead to bad results
if misunderstood or poorly implemented.&lt;/p&gt;
&lt;p&gt;What we do know, however, is that science&amp;rsquo;s principle of testing our hypotheses works
and has consistently bettered our lives and society.
Expressing risk quantitatively is a precondition
for monitoring the accuracy of our predictions and improving our system over time.&lt;/p&gt;
&lt;h2 id="further-reading"&gt;Further reading&lt;/h2&gt;
&lt;p&gt;If you are convinced, or simply curious, here are resources to explore:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.howtomeasureanything.com/wp-content/uploads/2023/04/Rapid-Risk-Audit-and-Monte-Carlo-Substitution-2023-1.xlsx"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;Hubbard&amp;rsquo;s Rapid Risk Audit&lt;/span&gt;&lt;/a&gt;
is a simple Excel-based risk register that provides a quantitative view across a set of risks.
It is intended as an example rather than a production tool, but it demonstrates
that quantitative risk analysis does not require expensive tools.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.opengroup.org/open-fair"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;Open FAIR™&lt;/span&gt;&lt;/a&gt;
is a free, open standard for risk analysis
offering a detailed taxonomy and decomposition of risk.
If you have a specific risk to analyse, it is the simplest way to get started,
though it is scoped to individual risk analysis rather than end-to-end risk management.
The &lt;a href="https://www.fairinstitute.org/"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;FAIR Institute&lt;/span&gt;&lt;/a&gt;
offers a broader set of resources
around the standard, including training and community support.&lt;/p&gt;
&lt;p&gt;If, by any chance, you have access to &lt;a href="https://www.securityforum.org/"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;Information Security Forum&lt;/span&gt;&lt;/a&gt;
,
their Quantitative Information Risk Analysis (QIRA) methodology and tooling
is the most complete of the three from an end-to-end risk assessment perspective.
A couple of years ago when we last reviewed it, it was still under active development,
but ISF is a serious organisation and we expect it has matured since.&lt;/p&gt;
&lt;p&gt;Throughout this series we will also present our own approach to quantitative methods
and provide free resources to support the different phases of the risk management process.&lt;/p&gt;
&lt;h2 id="whats-next"&gt;What&amp;rsquo;s next&lt;/h2&gt;
&lt;p&gt;Though this post has been a bit extensive and confrontational, we have provided an overview
of the landscape of risk management activities and argued that the meaningful distinction
is not between qualitative and quantitative methods, but rather between vague and clear
expression of risk.
We made the case that risk matrices, despite their prevalence,
actively undermine the objectives of risk management.&lt;/p&gt;
&lt;p&gt;Next we will look at the role of risk governance,
and into one of the frequently mentioned but rarely explained concepts
in risk management: risk appetite.&lt;/p&gt;</content:encoded></item><item><title>What is information security, and why does it matter?</title><link>https://www.nofuss.consulting/blog/security/s1-what-is-security/</link><pubDate>Sun, 22 Mar 2026 00:00:00 +0100</pubDate><description>Every organisation has its own reasons for protecting information,
shaped by what it does, who it serves, and what it is trying to achieve.
In this post we look at why information security matters now more than ever.</description><content:encoded>&lt;p&gt;Information security is the practice of protecting information,
typically to preserve its confidentiality, integrity, and availability.
These three properties, also known as the CIA triad, serve as a foundational set
guiding our thinking about the security of information.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Confidentiality&lt;/strong&gt; means information is only accessed by those it is meant for&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Integrity&lt;/strong&gt; means information stays accurate and complete, and is only changed deliberately, by the right people&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Availability&lt;/strong&gt; means information is there when you need it&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Every organisation has its own reasons for protecting information,
shaped by what the business does, who it serves, and what it is trying to achieve.
A payment processor&amp;rsquo;s security objectives look different from a hospital&amp;rsquo;s,
which look different from a defence contractor&amp;rsquo;s, for example.
What matters is that security objectives must align with what the organisation
is trying to accomplish.&lt;/p&gt;
&lt;p&gt;This sounds like a cliché, and it&amp;rsquo;s easy to overlook.
But there is a reason every information security framework repeats it.&lt;/p&gt;
&lt;h2 id="information-security-is-a-business-function"&gt;Information security is a business function&lt;/h2&gt;
&lt;p&gt;It&amp;rsquo;s common for people to use the terms &amp;ldquo;information security&amp;rdquo; and &amp;ldquo;cybersecurity&amp;rdquo; interchangeably,
and this is not completely wrong. The practical difference is nuanced for the everyday person.
But where the two terms differ significantly is in how they relate to the business.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.nofuss.consulting/img/infosec-vs-cybersecurity.svg" alt="Diagram showing the difference between information and cyber- security"&gt;&lt;/p&gt;
&lt;p&gt;When people talk about cybersecurity, they typically consider it a technical function.
Cybersecurity focuses on securing digital infrastructure (like networks, endpoints, etc.) and data.
Traditionally it has been positioned as a sub-function of the IT department.&lt;/p&gt;
&lt;p&gt;Information security is broader, taking care of the security of information
in all its forms — not only digital data and infrastructure, but also paper copies, verbal and other
types of analogue communication, memorised information, etc.
Instead of focusing solely on technology, information security also looks at people and processes.
As such, it is typically positioned as a core business function that reaches across departments.&lt;/p&gt;
&lt;p&gt;That is why security objectives must align with and support the organisation&amp;rsquo;s strategic goals.
Otherwise, security becomes a burden, another cost centre that management tries to avoid.&lt;/p&gt;
&lt;h2 id="why-it-matters-now-more-than-ever"&gt;Why it matters now more than ever&lt;/h2&gt;
&lt;p&gt;If you are ever near Berlin, you should visit the Berlin Spy Museum.
Besides having very intriguing exhibits, it is a good reminder of the lengths to which people are
willing to go to gather and protect information.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://www.nofuss.consulting/img/enigma.webp" alt="Enigma (Chiffriermaschine)"&gt;&lt;/p&gt;
&lt;p&gt;Information has always been a valuable asset.
People, businesses and states have always sought information to gain a societal, economic,
political or military advantage.
Since the rise of computer technology, the scale at which we exchange information
has increased dramatically, accelerating further with every technological breakthrough:
personal computers, the internet, smartphones, and now generative AI.&lt;/p&gt;
&lt;p&gt;In the past few decades, a large portion of our economy has moved into the digital space,
becoming ever more reliant on the rapid exchange of information.
And, unfortunately, so has warfare.&lt;/p&gt;
&lt;h3 id="things-are-getting-personal"&gt;Things are getting personal&lt;/h3&gt;
&lt;p&gt;The more our economy depends on information, the more there is at stake when it is compromised.
Disruptions to supply chains, ransomware shutting down hospitals and pipelines,
state-sponsored attacks on critical infrastructure — these are no longer hypothetical scenarios.
They are regular occurrences, and they have caught the attention of regulators.&lt;/p&gt;
&lt;p&gt;The response across Europe has been a &lt;a href="https://www.nofuss.consulting/services/compliance/#section-what-we-cover" class="a--internal"
&gt;&lt;span class="a__text"&gt;wave of legislation&lt;/span&gt;&lt;/a&gt;
demanding better resilience from organisations that the economy depends on.
The EU&amp;rsquo;s NIS2 Directive dramatically expands the scope of who is covered.
DORA targets the financial sector and its ICT suppliers.
The Cyber Resilience Act sets security requirements for products.&lt;/p&gt;
&lt;p&gt;What makes these regulations different from earlier efforts is that they do not stop at the organisation.
They hold management personally accountable for ensuring that security is governed properly.
Directors and executives who fail to meet their obligations face direct consequences.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Information security is no longer something leadership can delegate and forget about.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="a-structured-approach-to-security-isms"&gt;A structured approach to security: ISMS&lt;/h2&gt;
&lt;p&gt;Faced with these challenges, how do we manage information security in a way that is systematic,
proportionate, and sustainable?&lt;/p&gt;
&lt;p&gt;The answer is an &lt;strong&gt;Information Security Management System&lt;/strong&gt;, commonly referred to as an ISMS.
It is a structured approach to managing information security through policies, processes,
roles, and controls, all driven by &lt;a href="https://www.nofuss.consulting/blog/risk/r1-what-is-risk/" class="a--internal"
&gt;&lt;span class="a__text"&gt;risk-based decisions&lt;/span&gt;&lt;/a&gt;
.&lt;/p&gt;
&lt;p&gt;It is not a product you buy, a checklist you complete, or a one-time project that ends
with a certificate on the wall.
It is an operating system for making security decisions and demonstrating that those
decisions are sound.&lt;/p&gt;
&lt;p&gt;The international standard for ISMS is ISO/IEC 27001.
It provides a framework for establishing, implementing, maintaining, and &lt;em&gt;continually improving&lt;/em&gt;
information security management.
The standard is deliberately technology-neutral and sector-agnostic.
It does not prescribe specific controls or tools.
Instead, it requires the organisation to assess its own risks, determine what controls
are appropriate, implement them, monitor their effectiveness, and improve over time.&lt;/p&gt;
&lt;p&gt;There is a catch, though.
Having an ISMS does not mean you are secure.
It means you have a system in place that enables you to identify and address issues.
&lt;strong&gt;But you need to be diligent, responsible, and actually do it.&lt;/strong&gt;
Otherwise it&amp;rsquo;s only a compliance theatre, with no real security benefits.&lt;/p&gt;
&lt;p&gt;ISO/IEC 27001 includes Annex A, a catalogue of 93 controls across organisational,
people, physical, and technological domains.
Its purpose is not to serve as a compliance checklist, but rather to offer a broad and
relatively complete set of controls that organisations can use to identify weaknesses
and mitigate risks.
Some controls will be essential; others will be irrelevant to your context;
and for some risks you might still need to look elsewhere for a solution.&lt;/p&gt;
&lt;h2 id="what-comes-next"&gt;What comes next&lt;/h2&gt;
&lt;p&gt;In this series we will go through some of the steps of building and running an ISO/IEC 27001
compliant ISMS. The first of them is understanding the environment — the organisational context —
in which the ISMS will exist. In the next post in the series we will look at some techniques
on how this can be done.&lt;/p&gt;</content:encoded></item><item><title>What is risk, and why bother managing it?</title><link>https://www.nofuss.consulting/blog/risk/r1-what-is-risk/</link><pubDate>Sun, 15 Mar 2026 00:00:00 +0100</pubDate><description>Most of us understand risk as something ominous:
a danger, a threat, something that could go wrong.
Yet we celebrate risk-taking as bravery.
If we are rational beings, however,
how can we hold both of these conflicting beliefs simultaneously?</description><content:encoded>&lt;p&gt;Most of us, when using the term &lt;em&gt;risk&lt;/em&gt; colloquially, understand it to be something ominous:
a danger, a threat, something that could go wrong.
Paradoxically, it seems that while considering risk-taking reckless,
we also tend to celebrate it as bravery.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;It is better by noble boldness to run the risk of being subject to half the evils we anticipate
than to remain in cowardly listlessness for fear of what might happen. — attributed to Herodotus&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Throughout history, famous political leaders, philosophers, scientists and artists
have all provided words of wisdom regarding risk-taking, not as a warning against it,
but rather as encouragement.
If we are rational beings, however,
how can we hold both of these conflicting beliefs simultaneously?
How can we both view risk as a danger to be avoided, and risk-taking as a virtue to be celebrated?&lt;/p&gt;
&lt;h2 id="decision-making--risk"&gt;Decision making &amp;amp; risk&lt;/h2&gt;
&lt;p&gt;Beyond intuition, risk is a formally studied concept across several disciplines.
Game theory examines strategic choices between competing actors,
behavioural economics studies how people actually make decisions,
but the one that we think can best help us understand the nature of risk is decision theory.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://en.wikipedia.org/wiki/Decision_theory"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;Wikipedia describes decision theory&lt;/span&gt;&lt;/a&gt;
as a branch of probability, economics, and analytic philosophy that uses expected utility
and probability to model how individuals would behave &lt;strong&gt;rationally under uncertainty&lt;/strong&gt;.
This is a mouthful for an introductory chapter on risk, so let&amp;rsquo;s take a simplified,
admittedly naive, view.&lt;/p&gt;
&lt;p&gt;Decision theory is a theory of &lt;strong&gt;rational choice&lt;/strong&gt;.
At its core it looks at possible &lt;strong&gt;actions&lt;/strong&gt; we can take,
and &lt;strong&gt;events&lt;/strong&gt; (also known as states of the world, or states of nature) which are descriptions
of how the world can materialise around us and what outcomes we will see across the possible actions.
The theory offers criteria and methods for choosing the best course of action based on
what we know about the world.&lt;/p&gt;
&lt;p&gt;As such it recognises three environments in which decisions are made:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Decision making under certainty&lt;/strong&gt; — we know for certain how events will play out and what outcomes we will get.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Decision making under uncertainty&lt;/strong&gt; — we have no reliable knowledge about how events will play out.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Decision making under risk&lt;/strong&gt; — we have some knowledge about the world and can assign different probabilities to different outcomes.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;While decision theory distinguishes between the three,
offering criteria and methods that best fit different environments,
the boundaries are less rigid than they appear.&lt;/p&gt;
&lt;p&gt;Absolute certainty is simply the case where one event has a probability of 100%.
Leaving aside how realistic it is to claim certainty for events, decisions made in this environment
are trivial (you choose the action leading to the best outcome) and not debated.&lt;/p&gt;
&lt;p&gt;Uncertainty is more contested.
It boils down to the difference in view on probability between
&lt;a href="https://en.wikipedia.org/wiki/Probability_interpretations"
target="_blank"
rel="external nofollow noopener noreferrer"
class="a--external"
&gt;&lt;span class="a__text"&gt;different schools of thought&lt;/span&gt;&lt;/a&gt;.
One view, going back to economist Frank Knight in 1921,
holds that uncertainty is fundamentally different from risk.
Under this view, probability simply does not apply to uncertain events, as
there is no basis for assigning any probability.
Attempting to do so is meaningless, so the criterion for choosing an action is mostly based
on looking at the worst or best possible outcomes.
A different view, on the other hand, is that probability represents a &lt;em&gt;degree of belief&lt;/em&gt;,
making it possible to assign probability values to events even in the absence of reliable information.&lt;/p&gt;
&lt;p&gt;In management practice (where our focus is) this difference is almost negligible.
Pure unknowability is rare, as we almost always have some information that lets us form at least
a rough estimate of how likely different outcomes are (more on this in a future post).
This is why we adopt the latter view.
Under it, the first two environments (where we have either absolute or no reliable knowledge)
become special cases of the third environment.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Essentially, under this interpretation of decision theory,
&lt;strong&gt;risk&lt;/strong&gt; represents the &lt;strong&gt;basis&lt;/strong&gt; on which &lt;strong&gt;rational decisions&lt;/strong&gt; are made.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="threats--opportunities--two-sides-of-the-same-coin"&gt;Threats &amp;amp; Opportunities &amp;mdash; two sides of the same coin&lt;/h2&gt;
&lt;p&gt;If you are reading this blog, chances are you&amp;rsquo;re not a decision theorist.
You have probably encountered risk terminology different from what is discussed
in the previous section.
In many fields we are used to talking about &lt;strong&gt;threats&lt;/strong&gt;, &lt;strong&gt;impact&lt;/strong&gt; and a predefined
set of risk &lt;strong&gt;response strategies&lt;/strong&gt;.
What most risk management courses don&amp;rsquo;t teach us, however,
is that these terms map directly to the concepts of decision theory:
threats are the events, impact is the outcome,
and response strategies are the actions we can choose from.&lt;/p&gt;
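&lt;p&gt;The mapping above, together with the three decision environments from the previous section, as an added worked example that is not code from the post: one threat, three response strategies, and the outcome of each under each state of the world. The states, strategies and money figures are constructed for illustration, and the decision criteria are standard decision theory rather than the authors&amp;rsquo; own method.&lt;/p&gt;

```python
"""Decision matrix for one threat, using the mapping from the post:
threat maps to event (state), impact maps to outcome, response strategy maps to action.
All figures below are constructed for illustration."""

# States of the world: does the ransomware threat materialise this year?
STATES = ("incident", "no_incident")

# Actions (response strategies) and the outcome of each per state,
# in thousands of EUR; negative values are losses. Constructed values.
OUTCOMES = {
    "accept":   {"incident": -500.0, "no_incident": 0.0},     # do nothing, bear the loss
    "mitigate": {"incident": -150.0, "no_incident": -80.0},   # offline backups plus restore drills
    "transfer": {"incident": -220.0, "no_incident": -50.0},   # insurance premium, excess, uninsured losses
}


def expected_value(action, belief):
    """Probability-weighted outcome of one action: decision under risk."""
    return sum(belief[s] * OUTCOMES[action][s] for s in STATES)


def choose_under_risk(belief):
    """Degree-of-belief view: pick the action with the highest expected value."""
    return max(OUTCOMES, key=lambda a: expected_value(a, belief))


def choose_under_certainty(state):
    """Certainty is the special case where one state carries probability 1."""
    belief = {s: (1.0 if s == state else 0.0) for s in STATES}
    return choose_under_risk(belief)


def choose_maximin():
    """Knightian view of uncertainty: no probabilities apply, so pick the
    action whose worst outcome is the least bad."""
    return max(OUTCOMES, key=lambda a: min(OUTCOMES[a].values()))


def uniform_belief():
    """Degree-of-belief view of the same uncertainty: with nothing to favour
    one state, assign equal probability to each and decide under risk."""
    return {s: 1.0 / len(STATES) for s in STATES}


if __name__ == "__main__":
    for p in (0.1, 0.25, 0.4):
        belief = {"incident": p, "no_incident": 1.0 - p}
        print(f"P(incident)={p}: choose {choose_under_risk(belief)}")
    print("certain no incident:", choose_under_certainty("no_incident"))
    print("no probabilities, maximin:", choose_maximin())
    print("no information, uniform belief:", choose_under_risk(uniform_belief()))
```

&lt;p&gt;Varying the belief about the incident moves the chosen strategy from accept to transfer to mitigate, which is the concrete sense in which the post calls risk the basis on which the decision is made.&lt;/p&gt;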
&lt;p&gt;In the previous section we intentionally used the term &lt;em&gt;events&lt;/em&gt; rather than &lt;em&gt;states&lt;/em&gt;,
which is more common in decision theory literature, to make this bridge easier to see.
The difference in framing is that decision theory treats events, outcomes and actions more broadly,
while management practice typically narrows the focus to threats
as potentially harmful events that lead to financial loss or some other negative consequence.&lt;/p&gt;
&lt;p&gt;Financial economics has taught us, however, that risk is inseparable from &lt;strong&gt;reward&lt;/strong&gt;.
And in strategic planning we often need to consider not only threats but also &lt;strong&gt;opportunities&lt;/strong&gt;.
While some scholars and practitioners still prefer the colloquial, simpler view of risk,
there is a good argument to be made for adopting a more outcome-agnostic definition that covers
both threats and opportunities.&lt;/p&gt;
&lt;p&gt;For example, starting a new business is uncertain.
You might fail, lose your investment, and wish you had stayed employed.
You might also build something that provides independence, income, and work you find meaningful.
Same uncertainty, multiple possible outcomes.&lt;/p&gt;
&lt;p&gt;The useful question is not only &lt;em&gt;What could go wrong?&lt;/em&gt;,
nor only &lt;em&gt;What could go right?&lt;/em&gt;,
but rather: &lt;em&gt;Given my goals and what I know about the world around me,
what is the best course of action to achieve them?&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Opportunities and threats&lt;/strong&gt; are not that different — they are both &lt;strong&gt;uncertain events&lt;/strong&gt; (states)
that differ only in whether the outcome is &lt;strong&gt;beneficial or harmful&lt;/strong&gt;.&lt;/em&gt;
This is why most major risk frameworks like ISO 31000, COSO ERM, Risk IT, etc.
align with broader decision science tradition in accepting a definition that
accounts for both directions. In our practice we adopt ISO&amp;rsquo;s definition of risk, which is:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Risk is an effect of uncertainty on objectives — ISO 31000:2018&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Where an &lt;em&gt;effect&lt;/em&gt; is any deviation from the expected — positive or negative.&lt;/p&gt;
&lt;h3 id="positive-risk-in-a-negative-outfit"&gt;Positive risk in a negative outfit&lt;/h3&gt;
&lt;p&gt;While risk management frameworks have adopted the aforementioned definition of risk,
allowing for risk to refer to potentially positive outcomes, the vocabulary has not caught up yet.
Most resources, tools, and standards still use terminology built around negative risk:
threats, vulnerabilities, losses, mitigation.
Some frameworks introduce parallel terminology for positive risk,
but these terms are not standardised and are used inconsistently across sources.&lt;/p&gt;
&lt;p&gt;In our practice, and for the rest of this series, we stick with the established vocabulary.
We will speak about threats, vulnerabilities and loss, while allowing
opportunities, strengths and gains to be managed through the same process without
always explicitly stating them.&lt;/p&gt;
&lt;p&gt;We will revisit this issue again in upcoming posts, when we talk about modelling and expressing risk.&lt;/p&gt;
&lt;h2 id="managing-risk-is-more-than-just-an-operational-overhead"&gt;Managing risk is more than just an operational overhead&lt;/h2&gt;
&lt;p&gt;As established above, risk is foundational to rational decision-making.
There is no decision made without, at least implicitly,
considering some uncertainty and therefore some risk.
Even the most trivial decisions, like what to have for lunch, involve balancing short-term
gratification against convenience, cost, and long-term health consequences.&lt;/p&gt;
&lt;p&gt;Of course, explicitly managing what you eat for lunch is counterproductive for most of us.
But the more complex the situation and the higher the stakes,
the more important it becomes to manage risk deliberately.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A founder who decides against entering a new market because &amp;ldquo;the timing feels wrong&amp;rdquo; is making a risk decision.&lt;/li&gt;
&lt;li&gt;A CTO who delays a migration because &amp;ldquo;too many things could break&amp;rdquo; is making a risk decision.&lt;/li&gt;
&lt;li&gt;A CFO who sets aside cash reserves &amp;ldquo;just in case&amp;rdquo; is making a risk decision.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All these cases can benefit from a more formal approach to risk.
In fact, even the lunch decision can be non-trivial and require more conscious planning
for people suffering from diabetes, food allergies, severe food intolerances and other
health conditions.
Unfortunately, many view risk management as an overhead,
often done pro-forma for the purpose of satisfying a compliance checkbox.&lt;/p&gt;
&lt;h3 id="risk-as-a-reasoning-tool"&gt;Risk as a reasoning tool&lt;/h3&gt;
&lt;p&gt;One way a structured approach to risk helps is by formalising the processes and rules
under which uncertainties and related decisions are analysed.&lt;/p&gt;
&lt;p&gt;Studies in psychology and behavioural science have shown that human judgement
is subject to biases that systematically distort how we perceive and evaluate uncertainties.
We overweight vivid, recent events.
We anchor on the first number we hear.
We confuse familiarity with safety.
And many more.
A formal process does not eliminate bias, but it creates a structure in
which assumptions are made explicit and can be examined.
Further, it enables us to evaluate the quality of our decisions over time
and continually improve the system to yield better results.&lt;/p&gt;
&lt;h3 id="risk-as-a-communication-tool"&gt;Risk as a communication tool&lt;/h3&gt;
&lt;p&gt;The second major benefit of adopting a risk management framework across an organisation
is that it can bridge the language barrier between people in different functions.&lt;/p&gt;
&lt;p&gt;Most organisations, large and small, figure out ways to bring the right people to the table.
Often there is no lack of complaints and ideas from the leaders of different functions.
But a frequent issue that prevents organisations from properly analysing and prioritising
across functions is the difference in language: engineering, HR, finance —
they all use different terminology that prevents them from communicating effectively.&lt;/p&gt;
&lt;p&gt;A shared methodology with common criteria for analysing and expressing risk
overcomes this barrier and enables effective prioritisation and allocation of resources.&lt;/p&gt;
&lt;h3 id="risk-as-a-legal-tool"&gt;Risk as a legal tool&lt;/h3&gt;
&lt;p&gt;When industries fail to adopt best practices, they usually become regulated.
A third, more recent consideration is that regulatory frameworks like DORA and NIS2
now explicitly ground their requirements in risk management and hold
leadership personally accountable for the decisions made.&lt;/p&gt;
&lt;p&gt;For organisations that were already managing risk well, these requirements change
very little. For those relying on intuition, informal processes, or checkbox
compliance, regulation has turned a best-practice argument into a legal one.&lt;/p&gt;
&lt;h2 id="whats-next"&gt;What&amp;rsquo;s next&lt;/h2&gt;
&lt;p&gt;In this post, we looked at different views on risk and adopted a definition
that allows for both positive and negative outcomes.
We made the case that managing risk deliberately is worth the effort,
not just as operational overhead, but as a tool for reasoning, communication, and accountability.&lt;/p&gt;
&lt;p&gt;In the next post, we will look at the landscape of risk management activities
and then turn to a foundational question that determines everything downstream:
how do we express risk?&lt;/p&gt;</content:encoded></item></channel></rss>