Not all risks are possible to fully mitigate in every context, so you need to record and manage those residual risks. These are often put into a risk register along with the universe of risks that are mitigated. A better term to describe your log of residual risks might be Risk Inventory. Most organizations do not manage these risk inventories as well as they could. Before examining that, let’s look at what I think is a good, and simple, model of how to think about the overall risk process...| Risk and Cyber
Chesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is particularly important for controls or other risk mitigation. When new leaders come into an organization, they sometimes look at the array of controls and want to streamline them. So they start whittling away at things that apparently don't make sense or have no obvious purpose, and then a few months later (maybe less, maybe more) you start seeing issues, incidents or o| Risk and Cyber
Iterative interrogative technique| en.wikipedia.org
Blameless postmortems in SRE culture. Incident studies that focus on root cause analysis and preventive actions, for a culture of continuous improvement.| sre.google