Nobody Has Solved Vulnerability Management

Let's face it - vulnerability management remains unsolved—not for lack of tools or effort, but because the problem is rooted in the reality of complex, ever-evolving IT environments and misaligned priorities.

The Root Cause

🚨 Prioritisation Paralysis: Security teams commonly label “everything” as a priority, leading to an unsustainable situation where real threats get lost in the noise. When all vulnerabilities are urgent, none actually are, diluting focus and overloading remediation teams.

🚨 Lack of Standardisation: Without industry-standard ratings, organisations juggle different scoring systems (CVSS, vendor scores, managerial directives), making effective risk prioritisation nearly impossible.

🚨 Silos & Communication Gaps: Security and IT operate in isolation—security wants speed, IT wants stability. This results in missed patches, rushed deployments without proper testing, and unclear accountability.

🚨 Information Blind Spots: Organisations lack full visibility into their attack surface, shadow IT, and contextual risk data. This leads to decisions made in the dark, undermining any best efforts at prioritisation.

Why Current Approaches Struggle

⚠️ Overwhelming Volume: Monthly maintenance, zero-day threats, and critical app updates all compete for attention. Most teams fall back on rigid cycles, missing the nuance needed for real-world threats.

⚠️ Manual & Reactive Processes: Reliance on spreadsheets or siloed tools results in a reactive, rather than proactive, approach to patching.

Best Practices for Patch Prioritisation

To break the cycle, leading practice is moving toward a risk-based approach:

💡 Track-Based Remediation: Assign vulnerabilities to distinct tracks—routine, critical application, or urgent zero-days—and manage each according to risk and business impact.

💡 Continuous Contextual Analysis: Integrate vulnerability intelligence, exploit likelihood, compliance requirements, and business exposure into prioritisation—not just severity scores.

💡 Automation & AI: Use AI for fast analysis of vast data sources, applying predictive models to score risk more accurately. Automate patch testing and deployment to close gaps and improve consistency.

💡 Unified Visibility: Invest in tools that give a comprehensive, context-rich view of your organisation’s true attack surface and current exposures.

The Path Forward

Nobody has solved vulnerability management because the challenge isn’t just technical—it’s operational, cultural, and contextual. Until organisations bridge silos, clarify ownership, embrace risk-based prioritisation, and utilise advanced automation, vulnerability management will continue to be a juggling act.
Closing Assessment Gaps Using Risk-Based Methods
Explore top LinkedIn content from expert professionals.
Summary
Closing assessment gaps using risk-based methods means focusing resources on the areas of highest risk, rather than applying the same attention everywhere or relying on generic checklists. This approach helps organizations identify and address their most important vulnerabilities—whether in security, compliance, equipment inspection, or vendor management—by continuously assessing threats, consequences, and the likelihood of failure.
- Prioritize real risks: Regularly update your assessments to target the most significant problems, instead of spreading efforts thin or getting overwhelmed by minor issues.
- Use tailored tools: Apply specific data, context, and risk models that fit your industry and organization, making risk assessments both relevant and actionable.
- Promote clear communication: Share risk findings in straightforward, scenario-based language to help decision-makers understand the real-world impact and support smarter responses.
-
In Oil & Gas facilities like LNG plants, inspections of aging assets for corrosion damage often require costly production interruptions. Risk-Based Inspection (RBI) changes this. By applying RBI methodology, facilities can optimize and extend inspection intervals—by months or even years—while maintaining (or improving) asset integrity. This is supported by strategic use of non-intrusive inspection techniques between major shutdowns.

There are three main types:

1) Qualitative RBI (expert judgement)
2) Quantitative RBI (statistical/probabilistic)
3) Semi-quantitative RBI (hybrid)

Standards like API 580, API 581, and DNV-RP-G101 guide credible RBI programs, especially in offshore and industrial environments. These standards help focus inspections on high-risk assets—improving safety and optimizing resources. RBI is now common in oil and gas, petrochemicals, and power generation.

The RBI Advantage: Rather than treating all equipment equally, RBI targets resources on assets with the highest probability and consequence of failure. It improves three core areas:

1) Inspection Frequency: Extended intervals based on actual risk, not fixed schedules
2) Inspection Scope: Focused coverage on high-risk components and degradation mechanisms
3) Inspection Techniques: Use of advanced non-intrusive methods like automated Ultrasonics, acoustic emission, and corrosion monitoring tools such as CUI monitoring by CorrosionRADAR

Between shutdowns, continuous monitoring provides ongoing asset health insights. This data feeds back into risk models, allowing dynamic updates as equipment conditions evolve.

However, one challenge in RBI is risk perception—it varies across engineers and organizations. What’s acceptable at one site may not be at another. RBI programs must be tailored to each organization’s risk tolerance and context.

To build an effective RBI program:

- Form a multidisciplinary team skilled in both risk assessment and inspection technologies
- Use strong data collection to gather historical performance, damage mechanisms, and design data
- Commit to continuous improvement: regularly update risk models, use digital tools for real-time monitoring, and integrate feedback from inspectors
- Integrate RBI with your maintenance systems to align inspection with actual risk
- Promote ongoing training and engagement to build a strong reliability and safety culture

***

How is your facility balancing inspection frequency with risk in critical asset monitoring?

P.S.: Follow me for more insights on Industry 4.0, Predictive Maintenance, and the future of Corrosion Monitoring.
-
Enhancing Internal Audit Programs through Risk-Based Auditing: A Strategic Approach

Integrating Risk-Based Auditing (RBA) into internal audit programs enhances effectiveness and efficiency. Learn how to achieve this strategic approach:

Understanding Risk-Based Auditing - Risk-Based Auditing (RBA) identifies and assesses key risks to an organization's objectives, allocating resources to high-risk areas for more relevant and timely insights.

Key Steps to Integrate RBA -

1. Understand the Organization: Understand the organization's objectives, strategies, and risk landscape by reviewing key documents and consulting with stakeholders to identify critical risk areas.
2. Risk Assessment: Conduct a thorough risk assessment to identify and prioritize risks using tools like risk matrices and heat maps, forming the foundation of the RBA approach.
3. Develop the Audit Plan: Develop a dynamic risk-based audit plan that aligns with the organization's risk profile, allowing for adjustments as risks evolve.
4. Allocate Resources: Allocate audit resources based on risk assessment, prioritizing high-risk areas and adjusting resource allocation accordingly.
5. Coordinate with Other Assurance Providers: Collaborate with other assurance providers to avoid duplication and ensure comprehensive risk coverage.
6. Communicate the Plan: Communicate the risk-based audit plan to stakeholders to gain support and understanding of audit focus and priorities.
7. Continuous Monitoring and Updating: Regularly review and update the risk-based audit plan to reflect changes in the organization's risk environment and ensure ongoing effectiveness.

Benefits of Risk-Based Auditing -

i. Enhanced Focus: RBA focuses on high-risk areas, addressing critical issues and leading to more impactful audit outcomes.
ii. Proactive Risk Management: RBA promotes a proactive approach to risk management, helping organizations to anticipate and mitigate risks before they materialize.
iii. Improved Resource Allocation: Efficient use of audit resources by focusing on areas that matter the most, thereby increasing the overall efficiency of the audit process.
iv. Better Stakeholder Communication: Clear communication of the audit plan and its focus areas enhances transparency and builds trust with stakeholders.

Conclusion - Integrating Risk-Based Auditing into internal audit programs is not just a best practice but a necessity in today’s dynamic business environment. It enables organizations to stay ahead of potential risks, ensuring robust risk management and sustained success.
-
When we first started working with this client on their Privacy Risk Program, their third-party risk assessment process was already in place—but something was missing. One day, during a discussion about vendor evaluations, I asked, “How do you assess privacy risks?” There was a pause. They had a thorough security review, but privacy risks weren’t explicitly addressed. That’s when the realization hit: without assessing privacy risks, they had a blind spot in their vendor management.

Fast forward to today, and that gap is now closed. They’ve successfully integrated a dedicated privacy questionnaire into their third-party risk assessment. Now, every vendor is evaluated not just for security controls but also for privacy practices, data handling, and regulatory compliance. This simple but powerful change means they can:

✅ Spot privacy risks early in vendor relationships
✅ Ensure compliance with data protection laws
✅ Build trust by proactively safeguarding personal data

It’s been amazing to witness their transformation from reactive to proactive privacy risk management. Small changes can make a big impact!

#PrivacyRisk #ThirdPartyRisk #DataProtection #PrivacyByDesign #RiskManagement
-
#RiskManagement

"To move from simplistic risk scores to consequence-led narratives, Boards must shift their focus from numerical ratings to a detailed understanding of how failure manifests and propagates through interconnected systems. Analysis tells us that this transition involves several specific strategic actions:

> Articulate Consequence Pathways and Scenarios: Rather than relying on a single colour-coded square, every risk report should describe escalation scenarios and failure pathways. This means explaining the second- and third-order effects of a disruption—for example, how a telecommunications failure might cascade into transport-signalling issues, financial transaction interruptions, and emergency-response degradation.

> Implement Systemic Dependency Mapping: Boards should require visual maps of upstream and downstream dependencies across infrastructure, suppliers, digital systems, and regulatory interfaces. Understanding these links is essential for moving beyond a "single-point" view of hazards to a systemic view of consequences.

> Include Explicit Uncertainty Statements: To counter the "veneer of certainty" provided by risk scores, reports must articulate the strength of knowledge underpinning the assessment. This includes being transparent about knowledge gaps, assumptions, evidence quality, and model limitations. Weak knowledge should never be hidden behind a definitive risk score.

> Adopt Operational Language over Matrix Language: Leadership should move away from abstract terms like "likelihood" and "residual score" and instead speak in terms of operational reality. This involves asking questions about control fragility, escalation speed, resilience capacity, and the tolerability of consequences.

> Link Risk to Resilience Capability: Risk discussions should not occur in isolation; they should be integrated with assessments of the organisation's preparedness, response capability, and recovery capacity. A narrative might explain that while a specific risk is high, the organisation's strong resilience pathways make it strategically acceptable.

> Focus on Decision Quality: The narrative's ultimate goal is to support decision-making under uncertainty. Instead of asking "What is the risk rating?", Boards should ask: "What leadership decision does this analysis support?"."

Tony Ridley, MSc CSyP FSyI SRMCP
Risk, Security, Safety, Resilience & Management Sciences
Risk Management Security Management Crisis Management

#risk #risks #enterpriserisk #enterprisesecurityriskmanagement #intelligence #threatlintelligence #riskmanagement #riskanalysis #riskassessment #riskmanagementframework #operationalriskmanagement #projectriskmanagement #projectrisk #operationalresilience #resilience #operationalrisk #riskintelligence #governance #crisis #crisismanagement #complexity #chaos #crisisleadership #crisisplan #crisismanagementplan #stress #governance #decisionmaking #riskmanagement #riskinformed #securitymanagement
-
My 4-step process to evaluate AI systems to manage risk and stay ISO 42001 compliant:

1. AI Model Assessment

Here I evaluate:
-> Algorithm types
-> Optimization methods
-> Tools to aid in development

I also look at the underlying training data's:
-> Quality
-> Categories
-> Provenance
-> Intended use
-> Known or potential bias
-> Last update or modification
-> Conditioning tools & techniques

This spans ISO 42001 Annex A controls 4.2-4.4, 6.1.2-2.23, and 7.2-7.6. And is very similar to the process described in ISO 42005, Annex E.2.3-E.2.4.

2. AI System Assessment

Look at real-world deployment of the model along with supporting infrastructure, specifically evaluating:
-> Complexity
-> Physical location
-> Intended purpose
-> Accessibility and usability
-> Testing and release criteria
-> Accountability and human oversight
-> Data retention and disposal policies
-> Data classifications/sources processed
-> Transparency, explainability, and interpretability
-> Reliability, observability, logging, and monitoring
-> Software & hardware for development & deployment

This overlaps with some model assessment-specific controls for ISO 42001 and also covers all of Annex A.6.

3. AI Impact Assessment

Using customer criteria, StackAware evaluates these impacts to individuals and societies for certain systems:
-> Economics
-> Health and safety
-> Environmental sustainability
-> Legal, governmental, and public policy
-> Normative, societal, cultural, and human rights

4. AI Risk Assessment

Using steps 1-3, I look at the probable frequency and magnitude of future loss. Any information gaps often become risks themselves.

For organizational risk, I use the "Rapid Risk Audit" approach from Doug Hubbard and Richard Seiersen. This gives a quantitative annual loss expectancy (ALE), which is easy to compare to one's risk appetite.

I then compare individual and societal risks against the client's risk criteria to determine their acceptability.

With the risks identified, it's time to move to treatment. But that's for another post!

TL;DR - to evaluate AI risk in an ISO 42001 compliant way, I:

1. Assess the underlying artificial intelligence model
2. Look at the AI system in a real-world context
3. Evaluate individual and societal impacts
4. Calculate risk quantitatively

How are you evaluating the AI you use?
-
NIST just quietly released the guide that connects your cybersecurity program to your hiring plan.

SP 1308 dropped this month. It bridges three frameworks most institutions treat as separate projects: CSF 2.0 for security outcomes, the NICE Framework for workforce competencies, and IR 8286 for enterprise risk governance.

Here's why this matters for community financial institutions:

The gap it closes: Most banks have a cybersecurity program. Most banks also have trouble hiring and retaining people who can run it. NIST is now saying those aren't separate problems. Your workforce strategy IS your security strategy.

What the guide actually tells you to do:

1. Build a CSF Organizational Profile that maps your current security posture against your target state
2. Run a business impact analysis tied to your critical assets (not a generic template)
3. Conduct a gap analysis that includes workforce skill gaps alongside technical control gaps
4. Use that gap analysis to drive hiring, training, and resource allocation decisions

What your examiner will care about: FFIEC examiners already ask about staffing adequacy for IT and cybersecurity functions. SP 1308 gives them a framework to evaluate whether your answer holds up. If you say "we're adequately staffed," they now have a structured methodology to test that claim.

The practical takeaway: Pull your current CSF assessment. Pull your org chart. Map which humans own which CSF functions. Where you see one person covering five categories, that's your risk concentration.

You don't need to adopt SP 1308 wholesale. But knowing it exists and understanding its logic puts you ahead of most institutions in your asset class.

Has your team reviewed how CSF 2.0 maps to your actual workforce capacity?

#NIST #Cybersecurity #CreditUnions
-
Do you know the hidden risk in “solved” problems? In every audit trail, there’s a pattern: Closed CAPAs that quietly reopen months later. The cause isn’t always poor execution. Often, the fix addressed symptoms but never fed back into the systems that spawned the issue. In regulated industries, that gap matters, because an isolated fix without integration into your FMEA, control plan, or change management is just a temporary patch. Closing the loop means more than filing the report. It means checking every linked process, updating every related record, and making sure the next team that touches the work sees the lesson learned. 💡 Put this into practice: Review your last three CAPAs and confirm the preventive action is linked in your core quality systems, not just in the CAPA record. Sustainable quality is when yesterday’s fix becomes tomorrow’s prevention.
-
“Strong governance begins where risk visibility meets audit intelligence.”

Every strong organization needs a structured Risk & Audit Assessment Framework to make informed decisions, reduce uncertainty, and strengthen controls. This framework highlights the complete lifecycle:

🔹 Identify: Define objectives, scope, risks, threats, processes, and external factors.

🔹 Assess: Evaluate probability, business impact, control effectiveness, and prioritize risks based on likelihood and severity.

🔹 Mitigate: Develop mitigation strategies, assign ownership, implement controls, and execute response plans.

🔹 Monitor: Continuously track risks, validate controls, escalate issues, and update risk profiles.

🔹 Integrated Insights & Reporting: Combine audit assessments, control testing, and gap analysis to provide leadership with actionable insights.

🔹 Framework Enablers
✔ Governance
✔ Data & Tools
✔ Policies & Standards
✔ Skills & Culture

💡 Why it matters: An effective framework provides a 360° view of organizational risk, supports compliance, improves control maturity, and enables better strategic decision-making. In today’s environment, risk management is no longer reactive — it must be continuous, measurable, and audit-driven.

#RiskManagement #InternalAudit #AuditFramework #GRC #Compliance #EnterpriseRiskManagement #CyberRisk #Governance #RiskAssessment #BusinessResilience
-
Does your ERM have an RCSA?

Risk & Control Self-Assessment (RCSA): Your Proactive Risk Management Framework

RCSA empowers organizations to identify risks, evaluate controls, and close gaps before issues escalate.

Key Benefits:
✓ Identify inherent risks in processes and activities
✓ Evaluate control effectiveness in real-time
✓ Align residual risk with organizational risk appetite
✓ Support data-driven risk mitigation decisions

The 6 Core Components: Process Mapping, Risk Assessment, Risk Identification, Control Identification, Control Effectiveness Rating, Action Plans

The Process: Plan → Identify → Assess → Validate → Report → Monitor (continuous cycle)

RCSA isn't just compliance—it's a strategic tool for owning risks and strengthening your control environment.

#internalaudit #riskgovernance #ERM