Benjamin Franklin once said that nothing is certain except death and taxes. It’s a statement most business leaders and risk managers would agree with today.

Most of us are just trying to do what we can to keep things afloat, grow our businesses, help our employees thrive, increase our profits, keep our board happy and maintain that often tenuous balance between work and family.

Each of these responsibilities comes with inherent uncertainty and risk, but that’s not necessarily a bad thing. To be innovative and competitive, you have to embrace risk and be willing to journey into uncharted territory – but not without taking the proper precautions.

Manage Your Risk (and Uncertainty)

Three years ago, almost every single business was faced with the imminent need to pivot as physical locations shut down for personal safety during the global pandemic. Almost without exception, those businesses that embraced the unknown and pivoted quickly were able to land on their feet and keep moving forward, often finding new and inventive ways to reach their customers and trying things they would never have otherwise.

While we can’t avoid uncertainty, we can manage it by understanding our risk – whether IT, cyber, operational or otherwise – and what we can do to achieve positive business outcomes.

Risk isn’t binary, but rather a continuum of how likely something is to happen and how much or little it will impact you. Understanding your risks (and the threats and vulnerabilities that could cause them to manifest) allows you to make informed decisions about how much risk you’re willing to take on as an organization and what controls you can put in place to reduce that risk.

Start with these 4 fundamental risk management practices:

4 Fundamental Risk Management Practices: Stay Compliant with Relevant Regulations | Proactively Manage Your Risk | Balance Risk and Reward | Get Strategic about Your Security

#1 Stay Compliant with Relevant Regulations

Imagine your organization is an automobile, and as a business leader, you’re in the driver’s seat. It’s your job to take your organization from where you are now to where you want to be.

How do you make the trip (with minimal risk)?

Implement Controls

You have to have some basic ‘controls’ in place to get yourself on the road – a steering wheel, a gas pedal, seats, tires, brakes and so on.

Follow Standards

As a driver, being compliant is also important and there are ‘standards’ we all have to follow. This means driving the speed limit, stopping at red lights and stop signs, staying between the lines and keeping a safe distance from the person in front of you.

You could also be required to have things like seat belts, rear and side mirrors, windshield wipers, airbags and other minimum safety controls. You’ll have to purchase car insurance in case you’re involved in an accident, as well.

At this point, you’re feeling pretty confident. You’re following all the rules, and you think you’ve implemented enough controls to keep yourself safe and driving forward.

However, the landscape can be treacherous and full of threats. And sometimes, even though you comply with all the guidelines and have controls in place, an incident can take place that brings your vehicle (or your business) to a screeching halt.

How do you plan for such threats?

#2 Proactively Manage Your Risk

It’s often after these incidents have occurred that we have the most clarity on what went wrong and how we could have prevented it. But how can you ensure that you’re taking steps now to avoid disaster later?

With a proactive risk management plan. Start by understanding your risk exposure, and the relationship between risks, threats and vulnerabilities.

Let’s continue with the vehicle analogy to shed some light on the differences between these three concepts.


When you’re driving, there are any number of threats that could impact you and your vehicle, and they can vary based on where you live, what season it is or even what route you take when you drive.

Threats can be things like snowstorms, ice, tornadoes, a lack of signage and clearly marked lines – or my Michigan favorite – potholes. They could also be situations caused by other parties that still impact you: for example, drivers crossing the line or running stop signs; drivers going too fast or tailing too closely; inebriated drivers; or even a deer jumping out into the road.

Some threats will be more relevant to you than others, so you need to understand which ones are the most impactful to your situation and need your attention.


You also need to consider any weaknesses that affect you or your vehicle. Vulnerabilities could be things like having low tire pressure, not replacing the brake pads and rotors, being an inexperienced driver, having poor eyesight or not having safety equipment in your car like a tire jack or a spare tire.

The more vulnerabilities you have and the longer they go unaddressed, the more likely it is that a threat will be able to exploit them. And just like threats, not all vulnerabilities are created equal: some are merely minor inconveniences while others could cause serious damage if they’re not taken care of.


Risks are the potential harm you could face if you’re impacted by a threat. Possible risks could include expenses associated with managing a loss event; fines and judgments; lost, damaged or stolen assets; or ineffective remediation action.

Essentially, risks are how a threat could impact you – either on its own or by exploiting a vulnerability.

For example, if you have multiple drivers in the family (vulnerability), you could have difficulty maintaining personal accountability (risk) if someone hits a pothole (threat) and damages the car (another risk).

Unlike threats and vulnerabilities, which can change and evolve over time, risks are predetermined and finite. Using a prescriptive risk register is a great way to ensure that you know your risks ahead of time and that you aren’t overlooking a potentially impactful risk.

#3 Balance Risk and Reward

Do the risks associated with driving a vehicle keep you from taking to the open road? For some people, they might, but for a lot of us, the risk of driving is worth the reward of having the freedom to commute and explore.

If I expected that driving the speed limit and following the rules of the road was going to keep me safe, I would definitely not have purchased the all-wheel-drive SUV I have parked in my garage. Instead, I thought about the threats I might experience based on where I live and how much I drive and used that information to make a strategic decision about the vehicle that made the most sense for my situation and was within my budget.

For your first vehicle, I’m guessing that you had a more basic set of controls to work with (as well as a more flexible opinion about the rules of the road).

It was experience and having a better understanding of the threats and risks associated with driving a vehicle, as well as how to remediate vulnerabilities along the way, that made you a more proficient driver. Maybe that’s what caused you to invest in a vehicle that had anti-theft alarms, high safety ratings and three rows of seats. Or maybe that’s why you got that sweet sports car: you understood the risks and decided that it was worth the reward.

That’s really what managing risk is all about: you can’t avoid uncertainty; however, if you know what threats impact your business, manage your vulnerabilities and understand your risks, you’re giving yourself the tools you need to make strategic business decisions to successfully drive your organization into the future.

#4 Get Strategic about Your Security

Of course, when you’re leveraging risk like that, you’ll need to take extra precautions – and not just implement more compliance controls.

Risk management is about planning for uncertainty, and compliance standards written months or years ago can’t protect you from evolving threats and vulnerabilities. In other words? Compliance does not equal security.

Get strategic about your security with this FREE whitepaper today – so you can securely accelerate your organization’s strategic business objectives tomorrow.