Issue 4: Beyond the Hammer
Smarter ways to frame risk, and the skills analysts need in the age of AI
In This Issue:
📖 Book Update: Part 2 Complete
🎯 The First Thing I Do When Someone Asks for a Risk Analysis
💡 Risk Analyst Skills Evolution
💬 Reader Question: Which skills do you think will matter most for risk analysts in the next five years?
Hi!
I’m still experimenting with shorter, more frequent newsletter issues. Please let me know your thoughts. Drop a comment below, or just like this post.
📖 Book Update: Part 2 Complete
Part 2 sets the foundations for quantitative risk analysis, demystifies the Monte Carlo method, and walks readers through what may be their first quantitative risk analysis. I’m writing the book out of order, tackling the hardest chapters first. It’s 20 chapters, and I have 14 done. Getting close!
Here’s a quick snapshot of what Part 2 covers.
Chapter 4: Foundations
Building the Right Mindset for Risk Assessment
This chapter establishes the core philosophy that risk assessment exists to support better decisions, not create compliance theater. Key concepts include adopting a "less wrong" mindset that acknowledges all models are imperfect yet useful, understanding that uncertainty is valuable information rather than a flaw, and learning essential vocabulary, such as the distinction between frequency and probability. The chapter emphasizes starting small with one decision and one scenario rather than trying to revolutionize everything at once.
Chapter 5: Your First Quantitative Risk Assessment
From Theory to Practice with Monte Carlo
Chapter 5 walks readers through their first hands-on quantitative assessment using a practical example of forecasting lost or broken mobile phones. It introduces the fundamental concepts of frequency (how often bad things happen) and magnitude (how much they cost), then combines them using Monte Carlo simulation in Excel. This chapter bridges the gap between theory and practice, showing how to build confidence through a simple, real-world exercise that demonstrates the basic risk equation in action.
Chapter 6: Interpreting and Communicating Results
Turning Numbers into Clear Risk Stories
This chapter focuses on what to do with quantitative results once you have them. It teaches essential statistical concepts like mean, median, and percentiles, then introduces key visualization tools including histograms, box plots, and loss exceedance curves. The chapter also provides practical guidance on communicating findings to executives while avoiding common reporting pitfalls.
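To make the two chapter summaries above concrete, here is a small worked example of the frequency-times-magnitude Monte Carlo from Chapter 5 and the summary statistics and loss exceedance curve from Chapter 6. It is an added illustration, not the book's Excel workbook or any code from the book: it models frequency as Poisson events per year and magnitude per event as a lognormal distribution, and every parameter (12 lost or broken phones per year, a median replacement cost of 800, sigma 0.5) is a constructed assumption for the sake of the example. It uses only the Python standard library so it runs without Excel or NumPy.

```python
"""Frequency x magnitude Monte Carlo for annual loss from lost or broken phones.

Added example, not the book's own workbook. Assumptions (all constructed):
  - frequency: Poisson-distributed count of events per year
  - magnitude: lognormal cost per event, parameterised by its median and sigma
"""
import bisect
import math
import random
import statistics


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: draw the number of events in one year with mean rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(trials: int, events_per_year: float,
                           median_loss: float, sigma: float, seed: int = 42) -> list:
    """Return one simulated total annual loss per trial.

    Each trial draws how many events happen (frequency), then draws a cost for
    each event (magnitude) and sums them: the basic risk equation in action.
    """
    rng = random.Random(seed)          # seeded so the run is reproducible
    mu = math.log(median_loss)         # lognormal median is exp(mu)
    losses = []
    for _ in range(trials):
        n_events = sample_poisson(rng, events_per_year)
        total = sum(rng.lognormvariate(mu, sigma) for _ in range(n_events))
        losses.append(total)
    return losses


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile (q in 0..100) of an unsorted list."""
    s = sorted(values)
    idx = max(0, math.ceil(q / 100 * len(s)) - 1)
    return s[idx]


def summarize(losses: list) -> dict:
    """Mean, median and the upper-tail percentiles an executive summary would quote."""
    return {
        "mean": statistics.fmean(losses),
        "median": statistics.median(losses),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
    }


def loss_exceedance_curve(losses: list, thresholds: list) -> list:
    """For each threshold, the probability that annual loss exceeds it.

    Plotting these (threshold on x, probability on y) gives the loss exceedance
    curve; the list is non-increasing by construction.
    """
    s = sorted(losses)
    n = len(s)
    return [(t, (n - bisect.bisect_right(s, t)) / n) for t in thresholds]


if __name__ == "__main__":
    # Constructed parameters: 12 phones/year, median cost 800, sigma 0.5.
    annual = simulate_annual_losses(10_000, 12, 800, 0.5)
    for k, v in summarize(annual).items():
        print(f"{k:>6}: {v:10,.0f}")
    for t, p in loss_exceedance_curve(annual, [5_000, 10_000, 15_000, 20_000, 30_000]):
        print(f"P(loss > {t:>6,}) = {p:.3f}")
```

The mean should land near the analytic expected annual loss, 12 times the lognormal mean of 800 multiplied by exp(0.5 squared over 2), roughly 10,900, which is a useful sanity check on any Monte Carlo before the results are presented to anyone.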
Pre-order links are coming any day now. Check www.heatmapstohistograms.com for updates.
🎯 The First Thing I Do When Someone Asks for a Risk Analysis
When someone asks me to “do a risk analysis,” the first thing I try to do is talk myself out of it.
That may sound strange. Risk analysis is what I do, and I have built my career around it. I have also learned the hard way that risk analysis is not always the right tool. Sometimes the most helpful thing I can do is pause and ask a few questions before I ever start modeling.
A Painful Lesson
Early in my career, I ran what I thought was an excellent risk assessment. I spent weeks pulling data, interviewing stakeholders, and running simulations. When I finally presented the results, the decision maker looked at me politely and said, “This is interesting, but we already decided what we are going to do.”
That moment stuck with me. My analysis was technically solid but practically useless, because the decision had already been made. I had answered a question nobody was asking.
Ever since, I have developed a habit: when someone requests a risk analysis, I first try to talk myself out of it.
The Hammer and the Nail
There is a bias I try to keep in check. Psychologists call it the Law of the Instrument, sometimes referred to as Maslow’s Hammer. If all you have is a hammer, everything looks like a nail. For me, risk analysis is that hammer. It is powerful. However, not every problem is a nail.
Before I swing it, I ask: What problem are we really trying to solve?
My Field Notes: If You Are Asking for That… Try This Instead
Over time, I have built a giant notebook filled with scribbles on the alternatives to risk analysis. In other words: “if you ask for this, what you may need is this.” Here are some of the most common ones I see:
Document a decision you already made → Decision log
Could this threat group break in? → Threat modeling or red team
What are the consequences if a system goes down? → Business impact analysis or continuity plan
What happens if ransomware hits us? → Tabletop exercise
Which vulnerabilities should we prioritize? → Vulnerability management and threat intel
Are we compliant with regulation X? → Gap assessment or audit
Prove the program is effective → Metrics and KPIs
Where are we most exposed? → Attack surface mapping
Compare vendors → Third-party risk management
Forecast budget needs → Scenario planning or financial modeling
Help us choose between two strategies → Decision matrix or multiple-criteria decision analysis
Where are our process weaknesses? → SWOT or root cause analysis
Justify an initiative to executives → Business case
Estimate the cost of an incident after the fact → Post-incident review
Show how we compare to peers → Benchmarking
These tools are not dead ends. They are on-ramps. A tabletop may surface uncertainty about the probability and magnitude of ransomware losses. A business case may expose unclear alternatives or competing preferences. A compliance gap assessment may highlight trade-offs between risk reduction and business friction.
Each of these is an opportunity to turn the conversation into a quantitative risk analysis once the uncertainty is clear and the decision is tied to objectives.
The real payoff is cooperation. Working with continuity teams on a BIA, with compliance on a gap assessment, or with finance on scenario modeling creates shared language. It shows security is not just a critic on the sidelines, but a partner helping the business connect the dots. That is how we expand influence and make risk analysis something the whole organization values.
When a Risk Analysis Is Warranted
A risk analysis is justified only when there is a decision to be made that matters, is tied to organizational objectives, and faces material uncertainty about a future event whose probability and impact can be estimated well enough to inform action.
That means several conditions need to be true:
Clear decision statement – The problem can be framed as a real choice between alternatives (“Should we do A, B, or C?”).
Link to objectives – The decision is directly connected to the organization's goals, mission, or priorities.
Decision owner – Someone is accountable for making the call and acting on the results.
Uncertainty that matters – There is genuine uncertainty about the outcome, and reducing it would influence the decision.
Defined preferences – We understand what matters in choosing between alternatives (cost, uptime, safety, growth).
Meaningful information – We have, or can generate, enough data to credibly estimate probability and impact.
Actionability – The results will drive behavior or resource allocation, not sit on a shelf.
Stopping rule – We know when additional analysis no longer changes the decision.
If a request does not pass these tests, it usually belongs in one of the alternative tools above. If it does, then a risk analysis can truly add value.
When Risk Analysis Really Matters
When those tests are satisfied, that is when risk analysis shines.
It is the right tool when we need to allocate resources and compare competing investments.
It is the right tool when we are setting risk tolerance and need to understand plausible loss ranges.
It is the right tool when we are evaluating a high-stakes initiative like a cloud migration or an acquisition.
It is the right tool when leadership asks, “If I give you $X, how much risk does it reduce?”
It is the right tool when we want to see how risks add up across the enterprise.
It is the right tool when we are negotiating insurance.
It is the right tool when we need to show the board not just what might happen, but how likely and how big.
Those are the moments when probabilistic modeling earns its keep.
The Discipline of Saying No
Trying to talk myself out of a risk analysis is not a sign of cynicism. It is discipline. It forces me to check decision quality, ownership, and alignment with organizational priorities. It helps me resist the hammer-and-nail bias. It also ensures that when I do deliver a risk analysis, it answers a real question that matters.
The result is sharper insights, stronger cooperation across teams, and decisions that leaders are willing to act on.
That, to me, is the craft.
💡 The Risk Analyst Skills Evolution
I recently gave a talk at the Society of Information Risk Analysis (SIRA) annual conference, SIRAcon 2025. My session was titled “Quantifying in the Age of Hallucination: How I Learned to Stop Worrying and Trust the AI (Sometimes).” It explored how AI is changing the way we do risk analysis, what it is good at, where it is dangerous, and how our skills as analysts are evolving.
If you are not a member of SIRA, you should consider joining. It is a great community focused on advancing the practice of risk analysis. If you are already a member, the video of my talk should be up soon.
When I think about the future of our field, this is the slide that keeps me up at night.
AI is already handling a lot of what used to be core to our jobs. It excels at routine calculations, summarizing reports, creating first drafts, building simple visualizations, and even assisting with compliance checks. These are things I used to spend hours on earlier in my career, but now I can ask an AI tool to take a first pass, and it often does a decent job. The time savings are real, but it also makes me pause. If AI is doing this now, what will be left in five years?
The skills that are rising in value are the ones that are harder to automate:
Critical thinking and synthesis
Framing risk in a strategic context
Deciding which risks actually matter
Influencing decision makers
Bringing in ethical judgment
These are not just nice to have; they are the very things that will define the best risk analysts in the future.
In my own work, I already see this shift. Two years ago, I would spend a full afternoon finding peer company incident data for use in an analysis. Today, I let AI do the research, and then I spend my time refining the narrative and making sure the analysis actually connects to the business decision at hand. The AI is faster at building the chart, but it cannot decide which story matters. That is still on me, and that is where my real value lies.
One other point I made in the talk is about prompt engineering. Right now it feels like an essential skill. Knowing how to craft the right prompt can make the difference between a useful output and complete nonsense. But we should not fool ourselves into thinking prompt engineering will remain a differentiator for long. Models are already starting to generate and refine their own prompts. AI will eventually take this work out of our hands. For now it is important, but soon it will fade into the background.
The bottom line: risk analysts who cling to tasks that are being automated will find themselves automated out. Risk analysts who invest in human differentiators like judgment, synthesis, and influence will thrive.
AI will not replace risk analysts, but risk analysts who use AI effectively will replace those who do not.
💬 Reader Question
Which skills do you think will matter most for risk analysts in the next five years?
✉️ Contact
Have a question about this, or anything else? Here's how to reach me:
Reply to this newsletter if reading via email
Comment below
Connect with me on LinkedIn
❤️ How You Can Help
✅ Share your questions or feedback in the comments below
✅ Forward this to a colleague
✅ Click the ❤️ if you liked this issue
Thank you for reading, and remember: quantitative risk analysis is a valuable tool, but not the only tool.
—Tony