The “standard model” of:
Basic – minimal understanding / analysis;
Reactive – responding to incidents / directives;
Compliant – meeting the requirements of law / adopted practices;
Pro-active – actively looking for and identifying risks, leading to;
Resilient – with a fully embedded approach to considering risks and their required controls;
can often appear different from inside the business.
The interactive graphic that I’ve developed at this link gives a slightly different view. Recasting the journey from how it seems to decision makers inside the business gives the phases of:
Identification. Realizing there is a need to get pro-active about controlling risks;
Resistance. From the workplace: "why change?" or "initiative overload" are common responses;
Overload. We've gotten really good at identifying risks and inventing actions and controls, but now we've arrived at a risk register / action listing that cannot be managed;
Restart. Sadly, this phase can also repeat, but eventually it becomes obvious that a better approach is needed. Summarizing, re-starting or re-ranking are common responses, but they just lead the organization back into the Overload phase;
Critical Controls. Finding the pearls in the oyster plantation – where important controls gain (rightly) the most attention from decision makers and receive the most resource allocation;
Data Focus. This can happen in parallel with Critical Controls, but normally it is only identified when the arbitrary nature of the Critical Control selection comes to light. Deeply understanding what is actually happening is critical to focusing on the most important controls, and finally to;
Pathways. Major incident types (by either consequence or frequency) are represented as bow-tie diagrams, where the pathways to loss are clear and the way in which controls act along them becomes obvious.