As part of its inaugural convening, the International Network of AI Safety Institutes issued a joint statement on risk assessments of advanced AI systems! I led the US AI Safety Institute's work on the technical track on risk assessments and we had a really fantastic discussion at the convening.

Here's an excerpt of the joint statement:

🦾 Advanced AI systems have capabilities across a broad range of contexts, enabling them to be used and misused, accidentally or intentionally, in ways that can be difficult to predict, measure, and mitigate. Addressing these challenges is core to the mission of the International Network of AI Safety Institutes.

☣️ Risk assessments should be carried out in a manner that can directly inform proportionate and effective mitigation measures, for example by estimating risk in relation to specified evaluation criteria, such as tolerance levels or thresholds. Risk domains can be prioritized according to multiple criteria, including their severity, likelihood of occurrence, or the level of societal resilience in that domain.

🪟 Risk assessments should to the greatest extent possible be transparent in their methodology and results. Transparency can help ensure that risk assessments are evidence-based, interpretable, and consistent.

🌎 Risk assessments should be comprehensive and connected to a broad range of potential and existing real-world harms through the use of a variety of assessment methods. An estimation that an advanced AI system may pose a particular risk should map to the potential impact of the risk if it manifests as part of a system deployed to users.

🙌 Risk assessments should be multistakeholder in their approach and in the interpretation of results. The scale and increasing impact of advanced AI systems demands a more integrated ecosystem of AI safety that includes diverse disciplines, perspectives and experiences, including from across the AI lifecycle.

🤝 The Network is committed to building on these six key aspects to establish a shared scientific basis for risk assessments of advanced AI systems. This may involve conducting joint risk assessments and cooperative scientific research, recognizing that the science and practice of advanced AI risk assessment continues to evolve. Individual network members retain flexibility to conduct, apply, and adapt any risk assessments or risk-benefit trade-offs in line with international and domestic frameworks.

⏰ Risk assessments should inform concrete decisions and be conducted at regular intervals to adapt to progress in advanced AI systems and AI safety research.

↻ Risk assessments should be, to the extent possible, reproducible and appropriately documented.

Thanks to all of my colleagues at the U.S. AI Safety Institute that helped lead this work! This was a joint effort with Christina Knight, Conrad Stosz, Mark Latonero, Elizabeth Kelly and the rest of the team, as well as our international partners.
Evaluating Risk From Multiple Stakeholder Perspectives
Summary
Evaluating risk from multiple stakeholder perspectives means considering the unique concerns, interests, and priorities of everyone impacted by a decision or potential threat—not just one group. This approach leads to more robust, realistic, and fair assessments, whether dealing with technology, sustainability, or organizational changes.
- Include diverse voices: Invite stakeholders from various backgrounds and sectors to participate in assessing risks to uncover blind spots and build a clearer picture of potential impacts.
- Balance interests: Compare and align the priorities and concerns of different groups to ensure decisions support long-term value and minimize conflicts.
- Monitor alignment: Regularly check if leadership, authority, and incentives remain in sync across stakeholders to prevent miscommunication and potential loss of trust or value.
-
Here is a way to think about sustainability through the lens of stakeholder value exchange and how organizations create and sustain value over time.

The framework lays out how different stakeholder groups contribute inputs, receive outcomes, and interact with the organization through specific exchange mechanisms. It spans core operations, customers, employees, suppliers, investors, communities, regulators, civil society, and natural systems, making the interdependencies across the business ecosystem more visible.

What I find particularly useful about this framing is that it helps connect sustainability directly to how organizations function day to day. Strategy, governance, risk management, capital allocation, talent systems, procurement, partnerships, and compliance are all part of the same value creation system rather than parallel conversations.

Seen this way, sustainability becomes a question of balance and continuity. Each stakeholder relationship relies on an exchange that needs to hold over time. When those exchanges are well designed, organizations tend to benefit from resilience, trust, and long-term performance. When they weaken, value erosion often shows up through operational friction, workforce instability, supply chain disruption, regulatory pressure, or declining legitimacy.

The framework also helps surface where decision making and incentives matter most. It highlights how governance structures, management systems, and operating models shape outcomes across stakeholders, not just financial ones. This makes it easier to identify where adjustments are needed to support long-term value creation rather than short-term optimization.

Looking at sustainability through a stakeholder value exchange lens can support more informed strategic choices. It encourages organizations to move beyond compliance-driven responses and instead examine whether their existing systems are designed to sustain fair and predictable exchanges across the full set of stakeholders they depend on.

As sustainability expectations continue to evolve across markets and sectors, this type of perspective becomes increasingly relevant. The question is not how many initiatives are in place, but whether the underlying business model is structured to maintain value creation across stakeholders over time.
-
Rethinking Cyber Risk: Are You Still Assessing It One-Dimensionally?

Most organizations conduct some form of risk assessment—but too often, it’s siloed, static, or narrowly focused. In today’s fast-moving cybersecurity landscape, one approach simply isn’t enough. To build a resilient and business-aligned security program, you need to assess risk from three core perspectives:

1. Process-Based Risk Assessment
   Focus: Critical business operations
   Identify how threats impact workflows like incident response, vendor onboarding, or payment processing.
   Why it matters: Aligns risk management with operational continuity.

2. Asset-Based Risk Assessment
   Focus: Systems, data, and infrastructure
   Evaluate vulnerabilities and exposures tied to your most critical assets.
   Why it matters: You can’t protect what you don’t know exists.

3. Context-Based Risk Assessment
   Focus: Organizational mission, compliance, and threat landscape
   Assess how risks affect strategy, compliance posture (GDPR, PCI DSS, etc.), and reputation.
   Why it matters: Translates cyber risk into executive-level impact.

🔐 Why This Matters for GRC and Security Teams
Combining all three approaches offers a 360-degree view of risk, enabling better prioritization, stronger governance, and smarter investments. It’s not just about compliance—it’s about protecting what matters most to your organization.

💭 Final Thought: If your current assessments only focus on technical assets or isolated threats, it may be time to level up your strategy. Cyber risk isn’t just IT’s problem—it’s a business priority. Let’s start treating it like one.

Have you implemented these approaches in your risk program? I'd love to hear your perspective—drop your thoughts in the comments or message me to connect.

#CyberSecurity #GRC #RiskManagement #NIST #ISO27001 #CyberRisk #Compliance #NISTCSF #PCI #InfoSec #Leadership #BusinessResilience
-
A new publication from the Risk Decision Making Lab! In this paper, led by my Ph.D. student Md. Munjurul Haque, we integrated the insights of 47 stakeholders from the Mobile Bay area into a comprehensive flood risk assessment. The stakeholders represented diverse sectors, including emergency management, resilience, engineering, city planning, and NGOs. Their input was used to weight a wide range of flood risk factors encompassing hazard, vulnerability, and exposure. The result is a spatially detailed flood risk map that illustrates how risk varies across the study area. This innovative approach incorporates stakeholders’ perspectives and local knowledge, providing a more grounded and context-sensitive understanding of flood risk. Many thanks go to my postdoc Hemal Dey for his contribution to data visualization and to the sponsor Alabama Center of Excellence for their support. Check out the paper: https://lnkd.in/e-CsFvZ3 #flooding #stakeholder #MobileBay #RiskAssessment
-
We are staring at the biggest blind spot in enterprise risk since Sarbanes-Oxley. This isn't another governance post.

For context: Stakeholder Risk is what happens when leadership, incentives, trust, and decision authority fall out of alignment. No bad market. No failed strategy. Just misalignment that compounds quietly until it shows up as lost value.

If you treat it as a distinct risk category, it becomes measurable, monitorable, and manageable. If you don't, it shows up in diligence. Or worse, after close.

I can see a future where every board, fiduciary, and PE sponsor benchmarks Stakeholder Risk the same way they benchmark financial and operational risk. Misalignment isn't a communication problem. It's a valuation problem.

CEOs running $5M+ EBITDA businesses: you need visibility into where decision authority has drifted before it costs you at the table. Boards and investors: you need intelligence on governance gaps before they become enterprise loss.

Here's where to start:
• Map informal power against formal authority
• Identify incentive structures that conflict across leadership
• Benchmark alignment before a transaction, not during

HumanFactor is a Stakeholder Risk Intelligence platform. Not advisory. Not episodic.

The numbers tell one story. Stakeholders tell another. Which one are you reading?
-
Success in risk management is fundamentally tied to understanding the demands, concerns, and perspectives of stakeholders. Organizations operate within complex ecosystems where multiple parties—such as investors, customers, employees, regulators, and communities—have direct and indirect influences on strategic outcomes. By actively listening to stakeholders, organizations can identify emerging risks that might not be apparent through traditional assessments. Concerns raised by frontline employees may highlight operational inefficiencies, while insights from investors can reveal financial vulnerabilities.

More specifically, from the point of view of my own professional experience…how can I serve as a risk facilitator in an Operational or Quality Division, if I decide to stay in my own bubble of standard requirements, or else only connected with the top management team, their macro strategical vision and the risks related to their exclusive view, but not connected to the staff involved with tactical and operational processes which, supposedly, will support the organization’s key results?

How can I support risk assessment and risk plans dedicated to managing the risk related to a professional certification process, with no understanding about the concerns of the market, applicants and certified professionals? What are the concerns of these professionals in terms of the professional’s value-add continuous process, and the meaning of their own activity? What are the concerns and perceptions from the public served by these professionals so far? Is the professional certification process still able to measure the current role demands and required knowledge and skills? Is the certification’s audit methodology still able to deliver adequate contribution embedded with the organization’s strategic targets, and supporting the decision-making process accordingly?

In 2018, I had the opportunity to talk about the importance of the governance, compliance and risk management to the Brazilian health accreditation market for the 1st time. Almost 7 years later and since 2024, I've been, somehow, supporting certification processes related to health care professionals in a much more mature market, serving in a structured organization that not just understands the valued certification as a way to recognize these professionals and improve the reliability and effectiveness in healthcare, but also and mainly works tirelessly to guarantee the qualified and reliable healthcare accessible in places with less or no resources available as their own strategic objective – and that’s exactly a clear indication about how effective you can be in terms of "to work towards the stakeholders' demands".
-
As you know, with your management systems (#AIMS, #ISMS, #QMS, etc.), context is key. To effectively articulate your organization’s context in alignment with #ISO42001 Clause 4, you should reference complementary ISO standards for stakeholder identification, lifecycle management, risk assessment, and scope definition.

➡1. Identify and Understand Stakeholders
🔲ISO5339: You will use “make, use, and impact” categories from this standard to identify a broad range of stakeholder needs, including ethical and societal concerns.
🔲#ISO23894: You should reference its inclusivity guidelines to integrate both internal and external perspectives early in the AI lifecycle.
✅Action: Identify relevant stakeholders, document expectations, and align with ISO42001 Clause 4.2 to cover ethical, social, and operational needs comprehensively.

➡2. Define Organizational Objectives for AI
🔲ISO42001: You must align AI objectives with broader organizational goals, grounding your risk management and quality assurance practices.
🔲#ISO25059: You will apply its quality criteria—such as transparency and robustness—to set clear, ethical objectives.
✅Action: Set objectives that prioritize quality, transparency, and ethical standards to meet ISO42001 Clauses 4.1 and 4.2. These objectives will inform risk and impact assessments.

➡3. Establish AI Lifecycle Considerations
🔲ISO5338: Use its lifecycle model to map AI processes from conception through deployment and disposal, ensuring comprehensive governance.
🔲#ISO42005: You will use this for lifecycle-based impact assessments to maintain compliance and ethical standards at each stage.
✅Action: Define specific AI lifecycle phases (design, development, deployment, decommissioning), aligning them with ISO42001 Clause 4.3 to ensure effective governance across the lifecycle in your defined scope.

➡4. Conduct Risk and Impact Assessments
🔲ISO23894: You will reference its risk assessment framework to systematically identify and address potential AI impacts.
🔲ISO42005: Use its guidance to assess and mitigate both the positive and negative impacts on individuals and society.
✅Action: Implement a risk-based assessment approach, evaluating potential impacts on users, stakeholders, and society, and align these assessments with ISO42001 Clauses 6.1 and 8.4 for proactive risk management.

➡5. Document Scope, Context, and Boundaries
🔲ISO42001: You must establish a clear AIMS scope covering operational realities, ethical standards, and stakeholder needs.
🔲ISO5338 and ISO5339: These standards guide you in defining boundaries based on lifecycle stages and stakeholder input, ensuring contextual relevance.
✅Action: Document the AIMS scope, system boundaries, ethical guidelines, and roles of stakeholders. Use lifecycle and stakeholder insights from #ISO5338 and #ISO5339 to ensure alignment with ISO42001 Clause 4.3.

A-LIGN #TheBusinessofCompliance #ComplianceAlignedtoYou
-
Why do so many strategic decisions fail to deliver? 🆘 Because they’re often built on untested assumptions.

Let me introduce you to a method that can help: Strategic Assumptions Surfacing and Testing (SAST). Here’s how it works and why it’s helpful for making better decisions:

Every decision comes with hidden assumptions 🕵️‍♀️ These assumptions are often based on beliefs about the environment, resources, or future trends. If they’re wrong, your strategy could be headed for failure.

Here’s the solution: SAST. By surfacing and testing these assumptions with a structured approach, you can identify weaknesses and refine your strategy to be more robust.

There are two key benefits to using SAST:
- Reduced Risk: By challenging assumptions early on, you reduce the risk of making decisions based on faulty beliefs.
- Better Decision-Making: You end up with a strategy built on a solid foundation, increasing your chances of success.

So, here's the process:
- Narratives: Determine the key stories that are driving your strategy.
- Stakeholder Analysis: Identify and list all relevant parties who have a stake in the decision.
- Assumptions Specification: Consider what you must be assuming about each stakeholder and their future behaviour.
- Assumptions Rating: Evaluate the strength and reliability of each assumption by ranking them on an importance vs. certainty matrix.
- Debate: Engage in structured discussions to challenge and test these assumptions.
- Review and Refine Strategy: Based on the debates, refine your strategy by validating or discarding assumptions as needed.

Even complex decisions can be navigated with greater confidence by applying this method. Involve diverse groups to get a full range of perspectives, and don’t shy away from tough discussions.

When it can be helpful: SAST is particularly useful in situations where decisions are complex, involve multiple stakeholders, or have high stakes. It’s also valuable when there is significant uncertainty or when past strategies have failed due to overlooked assumptions.

Critiques and pitfalls to be mindful of: While SAST is powerful, it can be time-consuming and may lead to conflict if not managed carefully. It’s important to balance thoroughness with practicality, and to ensure that all voices are heard without allowing dominant viewpoints to overshadow the process.

Image: The sketch is from my notes from my PhD in Systems Thinking, let me know if you found it useful?

Original Sources:
- Mitroff, I. I., & Mason, R. O. (1981). Challenging Strategic Planning Assumptions: Theory, Cases, and Techniques.
- Mitroff, I. I., & Emshoff, J. R. (1979). On strategic assumption-making: A dialectical approach to policy and planning.

#PhDnotes #systemicdesign
-
You’ve got your shiny new risk assessment template with 1,000 lines ready to go. You gather your expensive IT, product, and engineering teams to go line by line… Your hand hovers over your mouse & you're ready to start scoring each and every line…

Then it happens. As you start reading each control to the team… Silence. <<insert crickets chirping>>

And then come the questions:
“What do you mean?”
“Which product are we talking about?”
“Which environment?”
…And my personal favorite: “It depends…”

Your risk assessment screeches to a halt. You quickly realize… you're not prepared for the risk assessment. Now what?

Change your approach. Instead of a controls-based or asset-threat-vulnerability assessment, try a scenario-based risk assessment. If you follow me, you’ve heard this before... start with the revenue drivers of the organization, then back into the people, process, and technology (your critical business functions) that make that revenue possible.

Before you bring in IT, Product, or Engineering, start with Business and Operations. Ask questions like:
“How does the company make money?”

Then drill down with clarifiers:
“You mentioned 80% of revenue comes from customer transaction fees, can you tell me more about that process?”
“Who owns that process?”
“How is it performed?”
“What systems, software, or third parties are involved?”
“Where are those located?”
“Who manages them?”

Now you’re focused on critical business functions and the people, processes, and technology driving 80% of the revenue. When you finally meet with IT, Product, or Engineering, your questions are scenario-based, targeted, and prioritized around risks to revenue & not generic control statements.

This approach respects everyone’s time and produces results that are more actionable, relatable, and valuable to the business. You might even get what we all hope for... stakeholder buy-in and funding to mitigate the highest-priority risks.

#ciso #business #riskassessment #scope
-
This could be the start of a journey to protect your organization from a variety of risks (not only cyber/technology risks). The first steps are truly to believe and to comprehend the inter-connectivity between all these risk domains of an organization. I always add the financial domain, the holistic (not only cyber) 3rd party/outsourcing risk, the business and compliance/legal risk. All these risk domains overlap in one or another way.

The impact on the organization will be different for every firm - why? Different markets and business goals across diverse timelines, the technology stacks differ in age, integration level, the human element, location, regulatory environment and mainly the risk appetite is a key driver.

What I have not heard often or at all is the thought that each action, activity or lack of it has an underlying reason - e.g. strategy/business/financial reasons for an M&A, in-house developing an own CRM system due to very complex and unusual CRM procedures, not applying a patch due to an old infrastructure and breaking data flow between apps etc. These reasons have benefits as well, not only risks.

Nice! But what next? My recommendation: start with a simple structure, not to boil the ocean:

1. Identify, evaluate (best quantify) your risks of the action - what is the likelihood of happening, how many times a year/10 years this event can occur, what the consequences of this risk may cost you. End to end, across all domains, do not isolate. Please consider also risk remediating actions such as security controls or others, which will help to lower the risk value; don’t forget they may add some costs as well.
2. Evaluate the benefits of the action, activity or lack of it, in the same way.
3. Gain/Loss to the organization - compare the benefit with the risk value; this is your indicator (yes, an indicator only) whether the event is a risky or beneficial event.
4. If the event’s risks are higher than the benefits, you need to apply your risk (appetite) threshold, which will help to decide whether to execute the action and accept the risk or not.
5. This type of evaluation can demonstrate how much it can cost to make a pro decision for the specific event.
6. The CFO, the leadership should be consulted whether the organization can and is willing to come up for the risk financially (in case it realizes or for the remediating actions), short or long term. Reputational damage, loss of skilled staff, slow re-hiring process, high staff turn around, changed work ethics, incorrectly placed or to be replaced technology and many other soft values risks result in a financial impact.

This is a very simplified approach. You can vary in simulations of your business resiliency with verifying whether the organization could ‘cover and survive’ financially one or more related events. There is a lot of room for scenarios. Don’t forget, we work with likelihoods, assumptions and the world, that spins fast and changes every day. As the risks and opportunities.