How To Create Value In Security Risk Management?


Mitigating measures that support the objective

Security risk management is ultimately about prioritising available resources. All the hoops security professionals go through to assess threats, vulnerabilities and risk levels are at the end of the day for them to be able to single out what threats should be countered by which measures in which order.

It is a very positive tendency that the security risk management community increasingly has been focusing on "enabling". An attempt to ensure that one's own effort is in line with the organisation's strategy and objectives and that you support and strengthen rather than limit. In other words, the security manager can go from being the "naysayer" to saying "yes we can do that - if..." and even add competitive edge through how security risks are managed; the footprint you leave, the international standards you comply with, the ability to integrate with your customers' organisations (how can we add value to our customers' customers?) or the information you are able to deliver - the possibilities to enable and strengthen the organisation are many. 

Involvement & collaboration!

Involvement & collaboration!


That is why two of my areas of focus has always been to:

1) involve relevant stakeholders (get inspiration on the "how" with the power-interest grid by Eden & Ackerman, 1998)  in security risk management, even though it takes time and you have to accept that you will not look as efficient to sr. management as you could - in the long run, you'll have a much greater impact. Remember that "effect = involvement x quality" and if you have to change how people work - involvement is key. 


2) prioritize implementing the mitigating measures you have evaluated as worthwhile during in the security risk assessments. It is a trap to get deeply fascinated by the colours of your heat maps and details of your risk register that you tend to forget what it's all about - implementing measures that impact the level of risk your colleagues (& customers?) are facing. It is the basic discipline in business "Project Management" that will change things "where the metal meets the meat" or in business language - where you meet your customers' needs. 

To keep it short; put effort into identifying and implementing the mitigating measures that support your organisation and prioritise the involvement of relevant stakeholders.

The author is the CEO & Founder of "Human Risks" - an online platform for security risk management where identification of mitigating measures, management and involvement is in focus. Read more on


Feature news from Human Risks!

We have been busy at Human Risks during the summer preparing a handful of new features that I'm quite excited to share with you - here's just a few...



Templates - Turn your mitigating measures into templates that can be distributed and managed across your organisation. Mitigations are automatically suggested to counter relevant threats in your risk assessments and you can manage implementation by assigning responsibility and setting deadlines. If you need inspiration on security measures you can download best practice security policies, procedures and guidelines from our growing library.


Audits - Add recurring controls to your mitigating measures that automatically generate audits and notify the responsible when it is time to complete them (e.g. the yearly evacuation drill, monthly perimeter inspection, maintenance tasks etc.). This feature gives you a visual overview of all audits, remarks & follow-ups and whether they are "on schedule" or have exceeded their deadline.


Incident Reports - We've done a re-design of our incident reports front page that allows you to pull statistics on global security incidents from our constantly updated data feed from the experienced analysts at Riskline and your organisation's internal incident reports

I'll follow up with individual posts on each feature and share some thoughts on why they are important when managing security risks...

Oh - and I nearly forgot the app - It'll allow you to complete audits on the go from a phone or tablet and will hit the app stores in a few months... I'll keep you posted!

When an organisation decides to implement a structured approach to managing risks this is what happens!

OK - the list is just some of the observations I have made and is of course not complete - but hey what don't you do for a catchy headline?

These are some of the positive (side) effects that I have seen come from implementing a structured approach to managing risks:

Awareness - The increase in awareness you can create internally in an organisation is the most important gain. People start discussing what makes a threat and how dangerous it really is (risk). How the organisation's objectives are tied to potential risks and how managing them can either allow them to reach their objectives or even gain competitive advantage by doing so. Awareness is still one of the most important factors if you want to manage risks because it all comes down to affecting human behaviour and when people gain an understanding of potential risks based on facts and feel they are heard and involved in a "bottom up"-approach they are much more likely to adapt their behaviour and embrace "corporate policies" because they are partly their own.


Resources - Mapping potential risks and discussing which to counter to which degree is basically a discussion about prioritising resources. The process gives organisations a clear picture of what is at stake both in terms of impact (people-assets-reputation) financially and in terms of business strategy, which allows them to make informed decisions on what risks to take and how to mitigate them. The decisions should be compared to the objectives of the business and either support reaching them or setting new ones.


Focus - When you are making an effort to know your current and emerging risks and how to handle them it gives a calm and overview that allows the organisation to focus on their key objectives - delivering the services and products to their customers, which to my best knowledge risk management is all about supporting! 

What are your experiences? Any points I have blatantly left out? (Read the comments on LinkedIn)

Need a Site Security Review App?


We are launching a site security review app in September and have available seats for co-funders who in return for feedback get a more tailored product and a very reasonable price.

The app allows you to define minimum security requirements and the user can then create a review and map a site's level of compliance.

The co-funder offer is open until 1st July and ensures you product development meetings before and after the launch.

Sign-up here for more information on the specifications and price or share with your network

Threat identification based on facts

Our integrated database of global security alerts country risk summaries and risk levels helps you identify and assess relevant threats for your risk assessments on the Human Risks platform.

We believe that threat identification and assessment should be based on facts.

As an example - there are 83 conflict & terrorism related incidents with a risk level rated "medium" & "high" in Kenya from 2015 to today. All incidents rated "high" happened within the past 3 months.

Contact us for a free demo here:

Sign up for a free demonstration!

Security risk management in spreadsheets? Not anymore! New times require new tools.

Human Risks' online security risk management platform enables your organization to identify and assess threats, manage the implementation of mitigating actions and setting up recurring audits that automatically notifies the responsible.

Our feed of global security incidents ensures that threat identification and assessment is done on facts and will keep you updated only on selected incident types matching your assessments.

As we like to say: Total Overview - Always Updated!

Sign up here for a free demo:

ASIS Europe - Security Risk Management Conference

Human Risks were present at the ASIS 2017 Europe Conference, where we had a stand, talked about the future of risks management and served a local Danish brew of schnapps. Visitors could also win a 6 month subscription to our platform including 2 online training sessions!

The ASIS Europe 2017 was a fantastic experience! We are now following up on the 30+ security professionals from all around the world - from Pakistan to Venezuela - who were interested in a presentation and a free trial to Human Risks.

Our intern Yuki made this great video that sums up our trip to Milan! Check it out below:

Follow our blog and LinkedIn-page for more updates on the future of risk management!

Always updated

Security risk assessments must be continually updated as organizations today face increasingly dynamic and diverse threats. The yearly review of a word document doesn't cut it anymore!

In addition to enabling your team to assess threats, our assessments also allow you to identify, manage and analyze the cost-efficiency of mitigations and set up recurring audits that automatically remind the responsible.

A data feed of global security incidents and country risk summaries ensure that threat identification happens on updated facts directly in your assessment. It even keeps you updated only on selected types of future incidents!

As we like to say: Total Overview - Always Updated!

Why Human Risks?

Human Risks was founded on Mads' experiences when deployed in Afghanistan's Helmand Province, working as a Security Adviser for the Foreign Office and later in the private sector.  

Mads found it challenging to establish and maintain an updated overview and involve stakeholders using only Microsoft Word & Excel. He set out to solve this by creating an online platform that later was called Human Risks.

An overview of the risk landscape will enable you as a risk manager to support the organization in reaching its objectives and potentially set even more ambitious goals. We want to help you cut through the clutter, replace out-dated formats and give you an updated overview.

Human Risks: Total Overview – Always Updated!