Project Risk Assessment Techniques

#Safetytechtip for solo safety pros overwhelmed with risk register admin. As a solo safety professional, developing a comprehensive risk register can feel like a massive undertaking. But what if you could use a simple, tech-driven workflow to get it done faster and with better results? All while maintaining critical thinking & collaboration with teams. Here's a pro tip to streamline the process & tap into the collective knowledge of your organisation. Full disclosure: This entire post, from my core ideas to the final text, was generated using my voice—a workflow created entirely through my dictation & insights, then crafted into this narrative using LLMs. No keyboard used aside from pressing Ctrl + Windows key to activate my dictation tool*. Step 1: Brainstorm and Categorise with AI Start by physically walking through your planned risk scenarios, dictating your job steps, potential hazards, processes and areas of risk. Transcribe (there's loads of ways to do this) then use an AI tool like Claude, Gemini, ChatGPT etc to summarise these notes into risk assessment categories based on a company risk template which you can upload as context. This gives you a structured foundation for your register. Step 2: Host a Multidisciplinary Risk Conversation Schedule a session with key stakeholders to host a risk discussion - try to make it more conversational than line by line; nobody likes sitting through excel risk reviews. Use the risk categories you developed as a talking guide. Use an omnidirectional microphone to capture the conversation (with consent) & ask each person to state their name & role which with speaker identification during transcription. Step 3: Transcribe & Populate Your Register Upload the audio file to a transcription service (even Microsoft Word can do this) to get a written record of the discussion. Then use Claude to populate your risk register. Step 4: Develop Your Management Plan Once your register is populated, start a new chat with the same or alternate LLM** Upload a reference example of a risk management plan and prompt it to create a new one based on your newly populated risk register. This ensures your action plan aligns with your identified risks. Step 5: Turn Plans into Action Finally, turn your management plan into a clear, actionable list. Export these tasks directly into an electronic task manager like Microsoft Tasks or Asana; I used Google Tasks for my latest action register. This ensures accountability and helps you track progress toward mitigation. By leveraging AI and collaborative tools, you can evolve risk management into an efficient and effective process. *Hit me up if you'd like to learn more about how I overlay dictation into everything from excel cells to email replies. ** I like to use different LLMs for different tasks - they all perform differently depending on what you want to do; if you need coaching or guidance on this let me know. #Safetytech #Safetyinnovation

💡 A Practical Guide to Climate Scenarios! Really pleased to have written the forward to this valuable report on the types and applications of climate scenarios by MSCI Inc. and my former United Nations Environment Programme Finance Initiative (UNEP FI) FI colleagues Looking for a handy summary of the types of scenarios from qualitative to quantitative? Here it is: 1. 𝗙𝘂𝗹𝗹𝘆 𝗡𝗮𝗿𝗿𝗮𝘁𝗶𝘃𝗲 𝗦𝗰𝗲𝗻𝗮𝗿𝗶𝗼𝘀 These scenarios are qualitative descriptions of potential climate futures. ✅ Strengths: - Easily customizable - Useful for high-level strategic discussions - Can capture complex risks that are difficult to quantify ⚠️ Limitations: - Subjective and vulnerable to bias - Lack of numerical outputs makes them hard to integrate into risk models 2. 𝗤𝘂𝗮𝗻𝘁𝗶𝗳𝗶𝗲𝗱 𝗡𝗮𝗿𝗿𝗮𝘁𝗶𝘃𝗲 𝗦𝗰𝗲𝗻𝗮𝗿𝗶𝗼𝘀 This type builds on fully narrative scenarios by adding expert-driven quantitative estimates (macroeconomic forecasts, asset class returns, regional physical risks). ✅ Strengths: - Balances qualitative storytelling with numerical data - Allows for scenario comparisons without requiring sophisticated models - Easier to communicate results with clear quantitative insights ⚠️ Limitations: - Can give a false sense of precision if assumptions are weak - Still dependent on subjective expert input, leading to potential biases 3. 𝗠𝗼𝗱𝗲𝗹-𝗗𝗿𝗶𝘃𝗲𝗻 𝗦𝗰𝗲𝗻𝗮𝗿𝗶𝗼𝘀 These scenarios rely on integrated quantitative models to project how climate change and transition risks might evolve under different policy and economic conditions, using macroeconomic models, IAMs, and energy system models. ✅ Strengths: Highly structured and data-driven, reducing subjectivity. Can produce detailed, sector-specific outputs useful for investment decisions. Widely used by regulators and financial institutions for stress testing. ⚠️ Limitations: - Expensive and time-consuming to develop and maintain - “Black box” nature of complex models makes interpretation difficult - Results are only as good as underlying assumptions and data inputs 4. 𝗣𝗿𝗼𝗯𝗮𝗯𝗶𝗹𝗶𝘀𝘁𝗶𝗰 𝗦𝗰𝗲𝗻𝗮𝗿𝗶𝗼𝘀 Probabilistic models go beyond single-scenario forecasting by assigning probabilities, variance, and uncertainty estimates to different climate outcomes. ✅ Strengths: - Models uncertainty, improving risk management - Enables sophisticated stress testing for asset prices, portfolios, and corporate exposure - Valuable for insurance, catastrophe modeling, and financial risk assessments ⚠️ Limitations: - Highly complex and computationally demanding - Requires strong assumptions about uncertainty - Limited research on how climate change affects probability distributions #ClimateFinance #ClimateScenarios #SustainableInvesting #RiskManagement #ScenarioAnalysis #Risk #Finance

“Mapping Cybersecurity Threats to Defenses: A Strategic Approach to Risk Mitigation” Most of the time we talk about reducing risk by implementing controls, but we don’t talk about if the implemented controls will reduce the Probability or Impact of the Risk. The below matrix helps organizations build a robust, prioritized, and strategic cybersecurity posture while ensuring risks are managed comprehensively by implementing controls that reduces the probability while minimising the impact. Key Takeaways from the Matrix 1. Multi-layered Security: Many controls address multiple attack types, emphasizing the importance of defense in depth. 2. Balance Between Probability and Impact: Controls like patch management and EDR reduce both the likelihood of attacks (probability) and the harm they can cause (impact). 3. Tailored Controls: Some attacks (e.g., DDoS) require specific solutions like DDoS protection, while broader threats (e.g., phishing) are countered by multiple layers like email security, IAM, and training. 4. Holistic Approach: Combining technical measures (e.g., WAF) with process controls (e.g., training, third-party risk management) creates a comprehensive security posture. This matrix can be a powerful tool for understanding how individual security controls align with specific threats, helping organizations prioritize investments and optimize their cybersecurity strategy. Cyber Security News ®The Cyber Security Hub™

Root Cause Analysis (RCA) Methods – Overview, Comparison & Tips 🔍 In quality, safety, engineering, and problem-solving domains, Root Cause Analysis (RCA) is a cornerstone of sustainable improvement. Here’s a quick overview and comparison of the top RCA methods, their strengths, and where they shine: 🎯 Popular RCA Tools & Techniques: ❶5 Whys – Simple yet powerful. Keep asking “why” to drill down to the root cause. ✅ Quick, intuitive | ❌ May oversimplify complex issues ❷Fishbone (Ishikawa) Diagram – Visualizes potential causes across categories (People, Methods, Machines, etc.) ✅ Great for brainstorming | ❌ Needs team consensus ❸Pareto Analysis – Based on the 80/20 rule. Focuses on the most frequent causes. ✅ Prioritization | ❌ Doesn’t show causality ❹FMEA (Failure Modes and Effects Analysis) – Proactive method to assess risk of potential failures. ✅ Risk-based | ❌ Time-consuming ❺Fault Tree Analysis (FTA) – Logical, top-down approach using boolean logic. ✅ Detailed and structured | ❌ Requires expertise ❻DMAIC (Six Sigma) – Structured problem-solving (Define, Measure, Analyze, Improve, Control). ✅ Data-driven | ❌ Can be resource-heavy ❼8D (Eight Disciplines) – Team-based, process-driven RCA with containment and corrective action. ✅ Widely used in automotive/manufacturing | ❌ May be too rigid for some issues ❽Shainin Red X Method – Focuses on dominant cause using progressive elimination. ✅ Fast for repetitive issues | ❌ Less known, needs training ❾Bowtie Analysis – Combines risk assessment with RCA, visualizing threats, controls, and consequences. ✅ Holistic | ❌ More qualitative ❿Cause & Effect Matrix – Prioritizes inputs based on impact on key outputs (CTQs). ✅ Links causes to outcomes | ❌ Needs solid process understanding ⓫AI/ML-Based RCA – Uses data mining and algorithms to detect patterns and predict root causes. ✅ Scalable, modern | ❌ Requires quality data & digital maturity 🔥 Challenges in Using RCA: -Bias and assumptions -Lack of data or poor data quality -Over-reliance on a single tool -Team misalignment -Skipping validation of root cause(s) 🧿 New Additions & Tips: ✅ Combine methods: e.g., Fishbone + 5 Whys or Pareto + FMEA ✅ Train teams on when/how to use each tool ✅ Always validate the root cause with data/evidence ✅ Document learnings for future prevention ✅ Embrace digital tools where appropriate 🧭 Choosing the Right RCA Tool: Ask yourself: ✔ Is the problem complex or simple? ✔ Do we have data? ✔ Is time a constraint? ✔ Are multiple stakeholders involved? ✔ Is this recurring or a one-time issue? 📊 Sometimes, a hybrid approach works best! 📢 What RCA tool do you use most often, and why? Share your experience or tips in the comments! ====== 🔔 Consider following me at Govind Tiwari,PhD #RootCauseAnalysis #QualityManagement #ContinuousImprovement #ProblemSolving #LeanSixSigma #FMEA #8D #DMAIC #Shainin #AIinQuality #CQI #QMS #RiskManagement #OperationalExcellence

Pricing Portfolio Risk: Credit Risk Transfer (CRT) / Significant Risk Transfer (SRT) allows a bank to transfer a first loss or mezzanine tranche of assets on balance sheet to a third-party investor, permitting capital relief vis-à-vis Basel regulations. Large, savvy banks in Europe have been doing this for 20+ years, transferring risk on nearly ~$200B of portfolios in 2023 alone, frequently in synthetic securitization form. In September 2023, the Federal Reserve Board released a statement providing much-needed clarity to U.S. banks on how they can issue SRTs in synthetic securitization form, while maintaining compliance with Regulation Q. With the implementation of Basel III Endgame set to start in 2025, U.S. banks have begun to engage in risk transfer exercises more vigorously. U.S. banks transferred risk on ~$35B of portfolios during 2023 – mostly in Q4 – however 2024 will prove to be an even more active year in the U.S.   SRT allows a bank to actively manage its credit risk while maintaining the relationships with their institutional banking clients by providing a full range of services (account management, term loans, credit facilities, cash management, FX, trade finance, investment banking, custody, payment solutions, etc.). The bank can take a pool of 300+ relationship loans and transfer the 0-6% or 0-12.5% first loss exposure to an investor via SRT, thus retaining the senior 94% or 87.5% slice, respectively. This exercise has been done most frequently with corporate loans; however, banks also use this tool to manage capital requirements for consumer loans (auto loans, credit cards), residential mortgage loans, infrastructure finance, CRE loans, and more.   SRT returns are determined by the actual credit performance of the underlying loans, along with important structural characteristics like detachment points and the length of revolving period to replace maturing loans. The Marathon Asset Management team, along with other investment managers, have been actively engaged in SRT, in both credit-linked note format and derivative format, the latter of which could be funded either upfront or in a margin structure. The banks we work with are well-managed, strong institutions with astute credit underwriting teams, allowing for a mutually rewarding partnership where we can earn a healthy return while the bank enjoys sustainable capital relief, which in turn improves return on equity for investors. SRTs are a complex exercise, and risk must be priced appropriately for it to remain an attractive investment segment within the structured finance world.   In the example below, the issuance of a 0-10% SRT tranche allows a bank to reduce its risk weighting from 65% on 100% of the loans to 15% on the retained 90% of the risk, resulting in a net 79% reduction of capital required.

“The Risk Was Theoretical. The Panic Was Real.” Over the weekend, a good friend called me, frustrated after sitting through a board risk session. They said: We were reviewing this vendor fraud risk, and the dashboard—one that’s been around for years—had it flagged as “High Inherent Risk.” A board director asked whether they should pause the rollout until it turned green. Another director said, “Residual risk is low—we’ve implemented multiple controls.” But then someone else said, “Inherent risk can’t be lowered. It’s theoretical. It assumes no controls.” So a director asked, “Then why is it on the dashboard?” Everyone looked at each other… and the meeting was adjourned. The topic was tabled for discussion in two weeks. They gave me some more context—all anonymized, of course. Then they asked me: “Am I crazy? Or is this just broken?” I responded: You’re not crazy. But yeah—this is broken. The board was reacting to a theoretical number—a red warning light tied to a world that doesn’t exist. Controls were in place. Incidents were zero. Residual risk was low. But the color red still hijacked the conversation. I’ve seen this too many times: • Boards asking for mitigation of a risk that’s already been mitigated • Directors getting spooked by “inherent” risk ratings with no operational meaning • Anchoring on worst-case scores instead of real-world data What I Told Them If a score assumes zero controls—and the real world has controls—then it’s not insight. It’s just inertia disguised as analysis. The root of the confusion? It traces back to legacy risk frameworks—particularly COSO’s internal control model, which introduced “inherent risk” as a theoretical baseline. But theory doesn’t run companies—context and evidence do. When boards fixate on inherited terminology without questioning its relevance, oversight becomes ritual instead of risk governance. What I suggested was this: Before the next board meeting, propose reframing the dashboard to reflect actual, observable risk. Swap out “inherent” for impact potential, and pair it with evidence-based assessments of control effectiveness. Give the board a narrative they can respond to, one grounded in what’s real, not what’s red. And just before we hung up, I said: “Look, this isn’t official advice—just two friends talking. But if the dashboard’s telling a story no one believes, maybe it’s time to change the script.” Your Turn… Have you ever had to coach a board or executive team through this kind of misalignment? What helped get the conversation back on track? Have a great week and holiday! Jonathan T. Marks #risk #controls #coso

Using foresight to anticipate emerging critical risk - a Proposed methodology by OECD - OCDE The new OECD paper presents a methodology to help countries identify and characterise global emerging critical risks as part of the OECD’s Framework on the Management of Emerging Critical Risks. It supports experts and policymakers tasked with anticipating and preparing for uncertain and evolving threats that transcend traditional national boundaries. 1️⃣ The approach begins with horizon scanning to capture weak signals and unconventional data sources, including patent analysis, crowd forecasting, and the use of generative AI. 2️⃣It then applies structured foresight techniques, such as futures wheels, cross-impact analysis, and scenario-based “Risk-Worlds,” to explore how risks might manifest and interact in multiple possible future contexts. The methodology emphasises understanding risks “at source,” focusing on vulnerabilities, interconnectedness, and possible management strategies. Rather than predicting a single future, it seeks to broaden the range of possibilities, encouraging proactive adaptation, building collective understanding, and ultimately strengthening government capacity to navigate and shape an increasingly complex and uncertain global risk landscape. Kudos to Josh Polchar and OECD for putting the paper out #Foresight #Futures #Scenarios #OECD #Methodology

What’s the difference between sensitivities and scenarios in FP&A? They’re often used interchangeably, but there are key differences that set them apart. In my latest collaboration with Toptal, and as Nicholas Piscani notes here, sensitivity analysis allows FP&As to show a range of potential outcomes based upon how key drivers may vary. A business’ future is inherently unpredictable, which means planning for possibilities is crucial. 𝐖𝐡𝐚𝐭 𝐚𝐫𝐞 𝐬𝐞𝐧𝐬𝐢𝐭𝐢𝐯𝐢𝐭𝐢𝐞𝐬? Sensitivity analysis is another name for ‘what-if’ analysis. It evaluates the ramifications on outputs, flexing inputs, within a mathematical framework. An example of this might be sensitizing the pricing of software to see what the resulting customer retention rate would be. The company might expect a price hike to reduce retention, but the analysis would either confirm or dismiss whether this is true and to what extent. In finance, we commonly use sensitivity analysis to see how certain factors, when changed, influence results we care about. This allows us to seek influence or control these elements to reduce or manage risk. If increased pricing shows a heavy loss of customers, the head of customer experience may seek to add more value to reduce the blow. 𝐖𝐡𝐚𝐭 𝐚𝐫𝐞 𝐬𝐜𝐞𝐧𝐚𝐫𝐢𝐨𝐬? Scenario analysis groups various assumptions together. It allows FP&A to see what the collective impact of a decision would be on many different elements of the business. For example, a growth strategy with equity financing or debt financing, might be two scenarios that a small company would consider. Scenarios may illustrate each capitalization option’s impact on cash flow and ownership structure even if product pricing and customer experience stays the same. Why are sensitivities and scenarios important for FP&A and startups? Unlike more established business models, startups plan for the future with limited financial performance. If FP&A conducts a single analysis and presents it to an investor group, those investors know the analysis has inherent risk. But if FP&A has conducted multiple analyses, complete with sensitivities and scenarios, investors may be more encouraged by the possibilities and vetting that FP&A considered. Sensitivities and scenarios paint a fuller picture of possibilities and business outcomes and provide investors with greater confidence. 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬 𝐟𝐨𝐫 𝐲𝐨𝐮: What elements in your business do you sensitize? What macroeconomic factors impact your business scenarios? #toptal #seidmanfinancial

Tail risk refers to the likelihood and impact of rare, extreme moves in investment returns typically those beyond three standard deviations from the mean events that standard normal-based models fail to capture Real-world return distributions exhibit excess kurtosis meaning extreme outcomes (both losses and gains) occur more often than a normal distribution would predict Practical Techniques to Model Tail Risk 1. Value at Risk (VaR) & Expected Shortfall (ES / CVaR) VaR computes the maximum expected loss at a given confidence level (e.g., 95% or 99%) over a certain horizon. It's simple but doesn't capture the magnitude of losses beyond that threshold Expected Shortfall (ES), aka Conditional VaR (CVaR) or Tail VaR, measures the average loss in the worst-case tail beyond the VaR threshold—offering a more comprehensive view of tail behavior ES is coherent and subadditive (unlike VaR), making it more suitable for portfolio risk management In practice, ES can be computed using closed-form formulas for certain distributions or via simulation (e.g., Monte Carlo) 2. Extreme Value Theory (EVT) / Peaks-Over-Threshold (POT) Focuses on modeling the tail distribution directly, rather than the entire return distribution. The POT method fits a Generalized Pareto Distribution (GPD) to the values that exceed a high threshold sidestepping parametric assumptions over the full range EVT approaches are highly practical in risk management used for forecasting VaR and ES more accurately, especially when data exhibit heavy tails Academic work shows combining GARCH filtering for volatility clustering with EVT on residuals improves tail risk estimates 3. GARCH and Time-Series Models Return volatility clusters over time. GARCH (and its variants) models this conditional heteroskedasticity: ARCH/GARCH models estimate time-varying volatility, improving tail risk estimates by accounting for changing market regimes These models are often paired with EVT for enhanced tail modeling: filter returns via GARCH, then apply EVT (like POT) to the standardized residuals 4. Stochastic‐Volatility and Jump Models (SVJ) These models capture both volatility dynamics and discontinuous jumps: SVJ models (e.g. Bates, Duffie–Pan–Singleton) blend stochastic volatility with jump components, enabling fat tails, skewness, volatility clustering, and large jumps all in one model They’re particularly useful for tail risk modeling in derivatives pricing and hedging applications thanks to their market realism 5. Copulas for Multivariate Tail Risk To model joint tail dependencies across assets: Copulas enable constructing joint distributions from individual marginals, capturing dependence structures including during extreme events Useful for portfolio-level tail risk, systemic risk, or stress testing scenarios where multiple assets may suffer extreme losses simultaneously 

Navigating Maturity Spikes: A Strategic Approach to Liquidity Management Managing maturity spikes in funding is a critical aspect of effective liquidity management for banks. Such spikes occur when a significant volume of liabilities or funding sources are due for renewal or repayment at the same time, potentially leading to liquidity strain if not managed appropriately. Understanding and strategically addressing these maturity concentrations is essential for maintaining financial stability and ensuring ongoing operational resilience. The first step in managing maturity spikes involves accurate forecasting and monitoring. Banks must have robust systems in place to predict cash flow needs and identify potential maturity concentrations in advance. This foresight allows for the development of contingency plans to address potential liquidity shortfalls, ensuring that the bank remains prepared for various scenarios. Diversification of funding sources plays a crucial role in mitigating the risks associated with maturity spikes. By spreading funding sources across a variety of maturities and types, banks can reduce their reliance on any single source of funding, thereby enhancing their liquidity profile. This strategy involves a mix of short-term and long-term funding, as well as considering a variety of instruments such as deposits, bonds, and other borrowings. Active management of assets is another key strategy. Banks can improve their liquidity position by maintaining a portfolio of high-quality liquid assets (HQLA) that can be quickly converted into cash without significant loss. This portfolio acts as a buffer during periods of stress, providing the bank with additional flexibility to meet its liquidity needs. Moreover, engaging in proactive dialogue with stakeholders, including investors, depositors, and regulators, is advantageous. Transparent communication about the bank’s liquidity management strategies and stability can bolster confidence among stakeholders, potentially easing the pressure during maturity spikes. Finally, stress testing and scenario analysis are indispensable tools in the arsenal of liquidity management. By simulating various adverse conditions, including severe maturity spikes, banks can assess the robustness of their liquidity positions and adjust their strategies accordingly. This proactive approach ensures that banks are not only prepared for normal market conditions but are also resilient in the face of financial stress. In essence, managing maturity spikes in funding is a multifaceted challenge that requires a strategic and proactive approach. Through accurate forecasting, diversification of funding sources, active asset management, effective stakeholder communication, and rigorous stress testing, banks can navigate these challenges successfully. By prioritising liquidity management, banks can ensure their long-term stability and continue to serve their customers and communities effectively.