GRC Articles


Latest Articles

2018-10-02 by: James Bone Categories: Risk Management NSC: How Does the Human Element Affect Risk

Three experts at the National Safety Council (NSC) Annual Congress and Expo in Anaheim, Calif., examined how the human element – behaviors, actions and decisions – can affect risk and impact workplace safety.

The panel featured Brian Hughes, vice president of Apollo Associated Services LL; Stuart Alleman, master expert for Raytheon Space and Airborne; and Steve Brown, corporate safety manager for Southern California Edison. Hughes opened the session by urging the panel and audience to define risk.

Brown said his company considers risk “the potential for something to go wrong or the potential for someone to sustain an injury.”

Alleman added, “If we put our people at risk, we’ll have problems.”

“Most definitions of risk look at the downside,” Hughes explained. But he added that in the finance world, risk means variability. “Risk brings greater returns, and it also brings greater losses.”

Workplace safety, however, involves more than finances and spreadsheets: the human element can affect risk, Hughes said.

“When people are involved, people are highly variable, and their actions are hard to predict,” he said.

Actions vs. Conditions

The components of risk include systematic risk and unsystematic risk. Systematic risk, as Hughes described it, is risk inherent in the market – it cannot be diversified away. Unsystematic risk, meanwhile, is the risk of any individual in the market. Total risk is a combination of these two types.

“Decisions involve risk,” Hughes said. “Effect is caused by both action and condition.”

The problem in deciphering the human element of risk may revolve around the fact that most companies tend to focus on the action rather than the condition.

“We don’t know to look for conditions. People are generally focused on action causes,” Hughes said.

Alleman agreed, explaining that he noticed a pattern when analyzing 14 similar workplace incidents.

“Each individual organization handled [the situation] in certain way,” he said. “They all attacked actions – retrain people, put more reviews in place to solve problem and lower the threshold – [but] didn’t fix any of them.”

When Alleman and his team examined the incidents together instead of separately, they noticed some common causal effects, including behavior, ownership of problems and how those problems were dealt with when they happened.

“When we looked at them together, we saw the systematic problems,” Alleman explained.

Management’s Role

The panel also discussed how company management could affect how human risk elements impact workplace safety.

“In the past, we looked at the floor risk level,” Brown said. “We can lower that floor, but one of the problems we found is getting the management involved in lowering that floor and taking risk away.”

For example, Brown said in one case, employees were expected to wear safety glasses when working in a particular area. When management was around, workers would wear the protection. But with no one around to watch them, many did not wear the glasses.

“Once we got them involved and helped them realize what’s in it for them, it really turned the corner for us, getting employees involved,” Brown said. “The best way we got them involved was to encourage the safety team environment and then having management in there, giving them training for oversight and to be quiet and listen and address what they’re coming up with.”


The panel members agreed that putting additional pressure – whether it’s schedule, cost, quality or another type of pressure – on employees can increase risk in the workplace. By combining the analyses from the past year to look for systemic causes across the board, Alleman said pressure was clearly a factor.

“When they put that pressure on people, instances happen,” Alleman said.

When management was presented with the information that this pressure helped drive increased risk and contributed to incidents in the workplace, Alleman said management first tried to push the issue away. But when yet another incident happened, management finally realized pressure indeed might be a factor.

“They need to step back and see how they’re affecting the bottom-level people having accidents,” Alleman said of management.

“As things get more competitive, you have to increase complexity of the products you’re taking on,” Hughes explained. “I think people tend to undervalue the risks involved in that kind of change. That’s going to create a floor-level risk around schedule pressure that everyone will see, not just safety: quality, delivery, customer satisfaction, etc.”

When management listens to employees, the human element affecting risk may decrease, the panel explained.

“A lot of times, we blame people for what happens,” Alleman pointed out. “The secret we found is if you can get the top level to listen to the bottom level, the listening will surface issues quickly and resolve themselves without you having to get involved.”


by: James Bone Categories: Risk Management The human element of corporate risk


Companies are all about people and a company’s success will depend on its people. Yet they are also a company’s biggest risk. Getting a measure of people and their potential shortcomings presents one of the biggest challenges to companies. Ironically, though, a company needs intelligent, experienced and ethical people to manage every other type of corporate risk.

According to research done by talent measurement company SHL, one in eight managers (mostly middle managers) and professionals is a high risk to his or her company, mainly through poor decision-making and communication.

People risk defies precise quantification, but individual behaviour appears to be inextricably linked to a company’s culture. Managing people (the HR component) and leading people (the CEO/board of directors) are very real risks and not the soft issues they were once thought to be. Efforts to mitigate HR risk, therefore, should not be ignored.

The following examples show just how people can affect an organisation negatively, some with grave consequences and others with consequences that were simply unnecessary.

A compliance department undertook a special review of one of the daily regulatory reports to check whether the company was complying with all the relevant regulatory requirements. The review revealed definite areas of concern and there were other breaches of the regulatory requirements. The department drafted a document of the findings, which turned out to be the easy part. The difficult part was deciding what to do with this report.

Prior to this incident, there were other instances where compliance concerns regarding other issues related to the same specific director were taken to their boss. Meetings were promised with the department director but never materialised. The reports themselves were eventually ‘forgotten’ and the director in question was regarded as ‘untouchable’.

This time, however, the compliance officers considered these breaches urgent and serious. They decided to escalate the findings to the boss as usual but also to copy in other senior internal people as well as the firm’s directors. An urgent board meeting was held. Nobody supported the compliance officers or their report. A stressful and conflicting time followed but a lucky break occurred. A whistle-blower used the hotline to report other concerns regarding the particular director and her department. Retribution was not sweet, however, as the director resigned before the end of the disciplinary hearing, so escaping both public censure and any kind of real punishment. The director was free to move on to any other company after resigning, rendering potential employers vulnerable to an undesirable employee profile!

The questions one ponders over in this example are associated with people risk rather than the regulatory risks identified:

  • Why did no one express concern about the findings in the report?
  • Why was it not acknowledged that the compliance function was doing its job?
  • Why were the board of directors and the department director concerned allowed to get away with such behaviour towards the compliance department?
  • Why did no-one in senior management question why the department director’s reactions were so extreme?
  • Why, with the numerous different charges, did senior management not question the morals and principles of the director and ensure that some punishment or action was meted out to the director?
  • What does this say about the moral compass of the other directors and bode for the company and future employers?

Risk management initiatives must include people risk

Consider the following example:

  • A very trusted driver – who had been working for the company for some fifteen years – was well respected until one weekend, he unintentionally pressed the car-tracking alarm button on the key ring of the company car.
  • The tracking company phoned the chief operating officer and it was revealed that the car was in another province over the weekend, obviously taken without permission. The driver had been using the company car for private use.
  • An inspection of the delivery book indicated many long trips to clients and regulators that were never commissioned over a few years.
  • To add insult to injury, it was later found out that the speedometer was not working in any event. But whose fault was it?
  • The delivery book and the driver were not supervised or monitored. It could be argued that, had the proper risk-control measures been put in place, the driver might still have his job, financial loss would have been avoided, time would not have been lost through investigations and interrogations, disciplinary hearings and all the bureaucracy that involves would also have been avoided.

Sometimes, too, management just does not really want to deal with the human element of risk.

One strange but true example is of an employee who fell pregnant with her second child within two months after the birth of her first child:

  • It was not planned and she was devastated, thinking she would lose her job.
  • Of course, the policy on maternity leave was available on the intranet but not read.
  • She successfully explained to colleagues and her management that her expanding stomach was a medical problem and not a baby – despite the disbelief.
  • Even more strangely, neither management – nor the staff member – ever consulted the policy or HR in this regard to seek guidance or assurance. The HR manager avoided the issue.

Risk management initiatives are about managing risk holistically – referred to as enterprise-wide risk management. Risk falls heavily within the HR space and includes understanding and assessing the interactions and interdependencies between various departments and stakeholders.

Dawn Pretorius has, for some 12 years, run her own agency focusing on consulting, business strategy, training and development. A specific area of expertise for her includes risk management, compliance and corporate governance consulting. Dawn is a professional member of the Compliance Institute of South Africa, and her practice is accredited with the Financial Services Board. She has just published Beyond play: a down-to-earth approach to governance, risk and compliance.

Among many other qualifications, Dawn has a M.Com, B.Tech Banking, FIB(SA), MAP (Wits Business School). Her career has concentrated on many facets in the banking industry, such as financial and estate planning; private and offshore banking; company structures; credit, risk, compliance and corporate governance; marketing and communication and management training; and development in both technical and soft skills.


2018-09-26 by: James Bone Categories: Risk Management How to Design an Intelligent Organization

Simplicity is the value proposition that should be expected from the implementation of modern technology solutions.

“Intelligent Automation” is such a new term that you won’t find it in Wikipedia or Merriam-Webster. However, we are clearly in the early stages of a technological transformation that’s no less dramatic than the one spurred by the emergence of the Internet.

A new age in quantitative and empirical methods will change how businesses operate as well as the role of traditional finance professionals. To compete in this environment, finance teams must be willing to adopt new operating models that reduce costs and improve performance through better data. In short, a new framework is needed for designing an “intelligent organization.”

The convergence of technology and cognitive science provides finance professionals with powerful new tools to tackle complex problems with more certainty. Advanced analytics and automation will increasingly play bigger roles as tactical solutions to drive efficiency or to help executives solve complex problems.

But the real opportunities lie in reimagining the enterprise as an intelligent organization — one designed to create situational awareness with tools capable of analyzing disparate data in real or near-real time.

Automation of redundant processes is only the first step. An intelligent organization strategically designs automation to connect disparate systems (e.g., data sources) by enabling users with tools to quickly respond or adjust to threats and opportunities in the business.

Situational awareness is the product of this design. In order to push decision-making deeper into the organization, line staff need the tools and information to respond to change in the business and the flexibility to adjust and mitigate problems within prescribed limits. Likewise, senior executives need near-real time data that provides the means to query performance across different lines of business with confidence and anticipate impacts to singular or enterprise events in order to avoid costly mistakes.

Financial reporting is becoming increasingly complex at the same time finance professionals are being challenged to manage emerging risks, reduce costs, and add value to strategic objectives. These competing mandates require new support tools that deliver intelligence and inspire greater confidence in the numbers.

Thankfully, a range of new automation tools is now available to help finance professionals achieve better outcomes against this dual mandate. However, to be successful, finance executives need a new cognitive framework that anticipates the needs of staff and provides access to the right data in a resilient manner.

This cognitive framework provides finance with a design road map that includes human elements focused on how staff uses technology and simplifying the rollout and implementation of advanced analytical tools.

The framework is composed of five pillars, each designed to complement the others in the implementation of intelligent automation and the development of an intelligent organization:

  1. Cognitive governance
  2. Intentional control design
  3. Business intelligence
  4. Performance management
  5. Situational awareness

Cognitive governance is the driver of intelligent automation as a strategic tool in guiding organizational outcomes. The goal of cognitive governance, as the name implies, is to facilitate the design of intelligent automation to create actionable business intelligence, improve decision-making, and reduce manual processes that lead to poor or uncertain outcomes.

In other words, cognitive governance systematically identifies “blind spots” across the firm then directs intelligent automation to reduce or eliminate the blind spots.

The end game is to create situational awareness at multiple levels of the organization with better tools to understand risks, errors in judgment, and inefficient processes. Human error as a result of decision-making under uncertainty is increasingly recognized as the greatest risk to organizational success. Therefore, it is crucial for senior management to create a systemic framework for reducing blind spots in a timely manner. Cognitive governance sets the tone and direction for the other four pillars.

Intentional control design, business intelligence, and performance management are tools for creating situational awareness in response to cognitive governance mandates. A cognitive framework does not require huge investments in the latest big data “shiny objects.” It’s not necessary to spend millions on machine learning or other forms of artificial intelligence. Alternative automation tools for simplifying operations are readily available today, as is access to advanced analytics, for organizations large and small, from a variety of cloud services.

However, for firms that want to use machine learning/AI, a cognitive framework easily integrates any widely used tool or regulatory risk framework. A cognitive framework is focused on a factor that others ignore: how humans interact with and use technology to get their work done most effectively.

Network complexity has been identified as a strategic bottleneck in response times for dealing with cybersecurity risks, cost of technology, and inflexibility in fast-paced business environments. Without a proper framework, improperly designed automation processes may simply add to infrastructure complexity.

There is also a dark side to machine learning/AI that organizations must understand in order to anticipate the best use cases and avoid the inevitable missteps that will come with autonomous systems. Microsoft learned a hard lesson with “Clippy,” its chatbot project, which was shelved when users taught the bot racist remarks. While there are many uses for AI, this technology is still in an experimental stage of growth.

Overly complicated approaches to intelligent automation are the leading cause of failed big data projects. Simplicity is the new value proposition that should be expected from the implementation of technology solutions. Intelligent automation is one tool to accomplish that goal, but execution requires a framework that understands how people use new technology effectively.

Simplicity must be a strategic design imperative based on a framework for creating situational awareness across the enterprise.

James Bone is a cognitive risk consultant; a lecturer at Columbia University’s School of Professional Studies; founder of, an online directory of governance, risk, and compliance tools; and author of, “Cognitive Hack: The New Battleground in Cybersecurity … the Human Mind.”

2018-02-20 by: James Bone Categories: Risk Management Cognitive Hack: Trust, Deception and Blind Spots

When we think of hacking, we think of a network being hacked remotely by a computer nerd sitting in a bedroom, using code she’s written to steal personal data or money, or just to see if it is possible. The idea of a character breaking network security to take control of law enforcement systems has been imprinted in our psyche by images portrayed in TV crime shows; however, the real story is both more complex and simpler in execution.

The idea behind a cognitive hack is simple. Cognitive hack refers to the use of a computer or information system [social media, etc.] to launch a different kind of attack. A cognitive attack relies entirely on its ability to “change human users’ perceptions and corresponding behaviors in order to be successful.”[1] Robert Mueller’s indictment of 13 Russian operatives is an example of a cognitive hack taken to the extreme, but it demonstrates the effectiveness and subtleties of an attack of this nature.[2]

Mueller’s indictment of an elaborately organized and surprisingly low-cost “troll farm”, set up to launch an “information warfare” operation to impact U.S. political elections from Russian soil using social media platforms, is extraordinary and dangerous. The danger of these attacks is only now becoming clear, but it is also important to understand the simplicity of a cognitive hack. To be clear, the Russian attack is extraordinary in scope, purpose and effectiveness; however, these attacks happen every day for much more mundane purposes.

Most of us think of these attacks as email phishing campaigns designed to lure you into clicking on a seemingly harmless link so that the attacker can gain access to your data. Russia’s attack is simply a more elaborate and audacious version, designed to influence what we think and how we vote, and to foment dissent between political parties and the citizenry of a country. That is what makes Mueller’s detailed indictment even more shocking.[3] Consider, for example, how TV commercials, advertisers and, yes, politicians have been very effective at using “sound bites” to simplify their product story to appeal to certain target markets. The art of persuasion is a simple way to explain a cognitive hack, which is an attack focused on the subconscious.

It is instructive to look at the Russian attack rationally from its [Russia’s] perspective in order to objectively consider how this threat can be deployed on a global scale. Instead of spending billions of dollars in a military arms race, countries are becoming armed with the ability to influence the citizens of a country for a few million dollars simply through information warfare. A new, more advanced cadre of computer scientists is being groomed to defend against and build security for these sophisticated attacks. This is simply an old trick disguised in 21st century technology through the use of the internet.

A new playbook has been refined to hack political campaigns and used effectively around the world, as documented in an article from March 2016. For more than 10 years, elections in Latin America have been a testing ground for how to hack an election. The drama in the U.S. reads like one episode of a long-running soap opera, complete with “hackers for hire”, “middle-men”, political conspiracy and sovereign country interference.

“Only amateurs attack machines; professionals target people.”[4]

Now that we know the rules have changed, what can be done about this form of cyber-attack? Academics, government researchers and law enforcement have studied this problem for decades, but the general public is largely unaware of how pervasive the risk is and the threat it poses to our society and the next generation of internet users.

I wrote a book, Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind, to chronicle this risk and proposed a cognitive risk framework to bring awareness to the problem. Much more is needed to raise awareness among every organization, government official and risk professional around the world. A new cognitive risk framework is needed to better understand these threats, identify and assess new variants of the attack, and develop contingencies rapidly.

Social media has unwittingly become a platform of choice for nation state hackers, who can easily hide the identity of the organizations and resources involved in these attacks. Social media platforms are largely unregulated and therefore are not required to verify the identity and source of funding of those who set up and operate these kinds of operations. This may change given the stakes involved.

Just as banks and other financial services firms are required to identify new account owners and their source of funding, the technology providers behind social media sites may need to do the same, because these sites may also be used as a venue for raising and laundering illicit funds to carry out fraud or attacks on a sovereign state. We now have explicit evidence of the threat this poses to emerging and mature democracies alike.

Regulation is not enough to address an attack this complex, and existing training programs have proven to be ineffective. Traditional risk frameworks and security measures are not designed to deal with attacks of this nature. Fortunately, a handful of information security professionals are now considering how to implement new approaches to mitigate the risk of cognitive hacks. The National Institute of Standards and Technology (NIST) is also working on an expansive new training program for information security specialists, specifically designed to address the human element of security; yet the public is largely on its own. The knowledge gap is huge, and the general public needs more than an easy-to-remember slogan.

A national debate is needed between industry leaders to tackle security. Silicon Valley and the tech industry, writ large, must also step up and play a leadership role in combatting these attacks by forming self-regulatory consortiums to deal with the diversity and proliferation of cyber threats through vulnerabilities in new technology launches and the development of more secure networking systems. The cost of cyber risk is far exceeding the rate of inflation and will eventually become a drag on corporate earnings and national growth rates as well. Businesses must look beyond the “insider threat” model of security risk and reconsider how the work environment contributes to risk exposure to cyberattacks.

Cognitive risks require a new mental model for understanding “trust” on the internet. Organizations must begin to develop new trust measures for doing business over the internet and with business partners. The idea of security must also be expanded to include more advanced risk assessment methodologies along with a redesign of the human-computer interaction to mitigate cognitive hacks.

Cognitive hacks are asymmetric in nature, meaning that the downside of these attacks can significantly outweigh the benefits of risk-taking if they are not addressed in a timely manner. Because of the asymmetric nature of a cognitive hack, attackers seek the easiest route to gain access. Email is one example of a low-cost and very effective attack vector that seeks to leverage the digital footprint we leave on the internet.

Imagine a sandy beach where you leave footprints as you walk, but instead of the tide erasing your footprints they remain forever present, with bits of data about you all along the way. Web accounts, free Wi-Fi networks, mobile phone apps, shopping websites, etc. create a digital profile that may be more public than you realize. Now consider how your employees’ behavior on the internet during work connects back to this digital footprint, and you are starting to get an idea of how simple it is for hackers to breach a network.

A cognitive risk framework begins with an assessment of Risk Perceptions related to cyber risks at different levels of the firm. The risk perceptions assessment creates a Cognitive Map of the organization’s cyber awareness. This is called Cognitive Governance and is the first of five pillars to manage asymmetric risks. The other four pillars are driven from the findings in the cognitive map.

A cognitive map uncovers the blind spots we all experience when a situation at work or on the internet exceeds our experience of how to deal with it successfully. Natural blind spots are used by hackers to deceive us into changing our behavior: to click a link, a video or a promotional ad, or even to change what we read. Trust, deception and blind spots are just a few of the tools we must incorporate into a new toolkit called the cognitive risk framework.

There is little doubt that Mueller’s investigation into the sources and methods used by the Russians to influence the 2016 election will reveal more surprises, but one thing is no longer in doubt: the Russians have a new cognitive weapon that is deniable but still traceable, for now. They are learning from Mueller’s findings and will get better.

Will we?

2018-02-19 by: James Bone Categories: Risk Management The Emergence of a Cognitive Risk Era: Cognitive Risk Framework

Traditional risk frameworks, such as COSO ERM (1985), ISO 31000 (2009), and the Basel Capital Accord (1974), are modern inventions from the early 20th century formulated to respond to major failures in managing financial, operational, regulatory, and market risks. Traditional risk frameworks have been helpful in managing compliance risks, with an emphasis on internal controls, but lack the rigor to evaluate the asymmetric risks that cause business failure.

2018-01-20 by: James Bone Categories: Risk Management Risk Trilogy: A Mechanic, an Artist, and a Scientist walk into a Pub

It is the dead of winter in a lovely little village along the coastline of southern Maine, and a sudden Nor’easter pounds New England. To escape the cold and quench their thirst, three solitary figures decide to seek refuge in the only Irish pub open that night. Each of these figures has arrived, serendipitously, within 15 minutes of one another, and they are beginning to warm themselves near the fireplace next to the bar.

As they settle in, all three decide to share a pint or two and order food before they depart on their separate journeys. Not surprisingly, one pint leads to another, and before long the conversation has traversed world events and inevitably leads to their work and avocation.

The first figure pipes up, “I am a mechanic! I have seven professional certifications and have been taught by master mechanics from around the world.” The second figure interjects, “That’s really interesting. I am an artist! I interpret the complex and make it simple for my audience to understand.” Without hesitation the third figure interrupts and exclaims, “I am a scientist! I research and explore the unknown.”

After several more pints of beer the conversation has grown even more verbose, and an argument ensues. The artist asks the mechanic what types of mechanical repairs she solves, and the mechanic responds, “I am a risk mechanic! I have been certified in all varieties of risks, policies and procedures, and frameworks, and I speak regularly on the topic around the world.”

At this the scientist asks the artist, “What does it mean that you interpret the complex and make it simple for your audience?” The artist says, “I study how people make decisions and help them manage risks by redesigning their work to solve complex problems!” The mechanic then elbows the artist and asks the scientist, “Well, what do you study?” The scientist proudly explains that she is a researcher of complex risk phenomena. “I have eight patents on this topic.”

As the storm outside subsides, the bartender, having overheard the arguments, has decided his three patrons have had enough to drink for one night. The bartender proposes a bet and asks the three to solve a complex risk problem with the winner’s tab paid.

“Solve this riddle,” says the bartender. “What does a rich man crave but can never buy? We chase it but can never find it. What makes fools of us all?”


Do you know the answer?

2017-12-21 by: James Bone Categories: Risk Management Pervasive Search by Synthexis

Synthexis is a research-focused investigative and consulting firm working in the area of emerging software technologies. Synthexis provides business advisory services to vendors and buyers of cognitive computing, search and text analytics technologies. We maintain active research programs in these areas, write about these topics, speak at industry conferences, craft marketing messages, and analyze strategy and positioning for our clients. Our analysts represent over 50 years in the IT and online industries.

2017-12-09 by: James Bone Categories: Risk Management Is Cognitive Computing the Next Step to Help Fight Cybercrime?

James Bone, executive director of TheGRCBlueBook, participated in a webinar sponsored by IBM on the future of cybersecurity with two esteemed colleagues: Research Professor / Founding Director, Dynamic Decision Making Laboratory, Carnegie Mellon University, and Technical Specialist, IBM Security.

In this webinar we will look at cognitive security – the concept of using data mining, machine learning, natural language processing and human-computer interaction to mimic the way the human brain functions and learns – in order to help fight cybercrime.

2017-11-13 by: James Bone Categories: Risk Management Signals

If you spend any time on social media, viewing online news stories or reading blog posts from pundits and self-described experts and consultants [present company included], you will notice that the ratio of “jargon” to information is rising rapidly. This is especially true in enterprise risk management, machine learning, artificial intelligence, data analysis and other fields where opinions are diverse because real expertise is in short supply.

This is a real problem on many fronts because jargon obscures the transfer of actionable information and makes it harder to make decisions that really matter. So I looked up the definition of “jargon”.

“Jargon: special words or expressions that are used by a particular profession or group and are difficult for others to understand.”

Well-intentioned people use jargon to portray a sense of expertise in a particular subject matter to those of us seeking to learn more and understand how to make sense of the information we are reading. The problem is that neither the speaker nor the listener is really exchanging meaningful information. In an era where vast amounts of misinformation are a mouse click away, we must begin to speak clearly.

Critical thinking is the product of objective analysis and the evaluation of an issue to make an informed decision. However, because we are human, what we believe can be based on biased information from peer groups, background, experience, political leanings, family experience and other factors, both conscious and subconscious.

In an era where “truth” is malleable, critical thinkers are more important than ever. This is especially relevant to risk professionals. The jargon in risk management is destroying the practice and profession of risk management.

Yes, these are strong words, but we must be honest about what is not working. We, the collective “we”, use words like Risk Appetite, Risk Register, Risk Value, Risk Insights, or my favorite, “the ability to look around corners”, as if everyone understands what they mean and how to use these words to define some process that leads to awareness. The practice of risk management does not endow the practitioner with the ability to see the future. Done well, risk management is the process of reducing uncertainty, BUT only in certain situations!

Let’s stop expecting superhuman feats of wisdom in risk management that no one has ever demonstrated consistently over time.

We call risk frameworks a risk program when a framework is only an aspirational guide for what goes in a risk program, not what you do to understand and address risks. The truth is that the reason there is so much jargon in risk management is that we know very little about how to do it well. Fortunately, the truth is much simpler than the jargon from uninformed pundits who would have you believe otherwise. Risk management is much simpler and less omniscient than the hype surrounding it. This may be disappointing to hear, and many may argue against this narrative, but let’s examine the truth.

Think of risk management as an oak tree with one trunk but many branches. Economics is the trunk of the oak tree of risk management, with many branches of decision science that include the science of advanced analytics and human behavior, among many others.

Economists and a psychologist are the only ones who have ever won a Nobel Prize in the science of risk management.

Risk management was NOT invented by COSO ERM, consultants like McKinsey & Co. or applied mathematicians; however, many disciplines have played an active role in advancing the practice of risk management, which is still in its infancy of development. Risk management is challenging because, unlike the laws of physics, which can be understood and modeled according to scientific methods, the laws of human nature consistently defy logic. One look at today’s headlines is all you need to understand the complexity of risk management in any organization.

As the oak tree of risk management grows, new branches are needed, such as data science, data management, cognitive system design, ergonomics, intelligent technology and many other disciplines. I created the Cognitive Risk Framework for Enterprise Risk Management and Cybersecurity to make room for the inevitable growth and diversity of disciplines that will evolve through the practice of risk management. It too is an aspiration of what a risk program can become. Risks are not some static “thing” that can be tamed into obedience by one approach, a simple focus on internal controls or the next hot trend in technology. Risk management must continue to evolve, and so must those of us who are passionate about learning to get better at managing risks.

Let me leave you with one new word of jargon that is growing rapidly: Signal. The word Signal is being used in Big Data conversations to describe how to separate the noise of Big Data from real insights, in order to understand what customers want, identify trends and insights in data, and understand risks. How is that for a multi-jargonistic sentence?

Not surprisingly, McKinsey has jumped on this bandwagon to tell the listener they too must separate the signal from the noise. Like all jargon, few tell you how, only that you must do these things. What only a few will tell you is that the challenge of identifying the signal, insight, value, or substitute whatever jargon you like, is to develop a multi-disciplinary approach.

The cognitive risk framework for enterprise risk and cybersecurity was developed to start a conversation about how to begin the “how” of the evolution of risk management into what it will become, not some imaginary end state of risk management.

2017-10-05 by: James Bone Categories: Risk Management CHOICE connect: Book review Cognitive Hack: The New Battleground in Cybersecurity … the Human Mind

Cognitive Hack addresses an area of cybersecurity that has not been vastly explored—the human element. Most cybersecurity authors focus on how technology can be used and/or adapted to make an enterprise’s infrastructure secure. Bone, a risk advisory consultant and an editor, aims “to introduce readers to the evolution of emerging technologies …” and to “address what some believe to be the weakest link in cybersecurity—the human mind.”

The author examines six distinct areas: understanding various vulnerabilities, exploring advances in situational awareness, “the cyber paradox,” the risk of relying solely on industry reports, delving into a hacker’s mind, and providing a “cognitive risk framework” for cybersecurity. In each of these topics, Bone uses real-world examples of security breaches and how the human element affected the severity of the breach. He also supplies ways the human element could have been mitigated in the breach, thus lessening the severity. In addition, Bone explains that cognitive hacking is in its infancy, and much work and research still needs to be completed. For those interested in the topic, he lists several areas where further research is needed.

–T. Farmer, Arkansas State University

Summing Up: Recommended. Graduate students, faculty, and professionals.


A publication of the Association of College and Research Libraries
A division of the American Library Association
October 2017 Vol. 55 No. 2

The following review appeared in the October 2017 issue of CHOICE:

Information & Computer Science
Bone, James. Cognitive hack: the new battleground in cybersecurity … the human mind. CRC Press, 2017. 181p bibl index ISBN 9781498749817, $79.95; ISBN 9781498749824 ebook, contact publisher for price.
