<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[the Risk Desk]]></title><description><![CDATA[the Risk Desk]]></description><link>https://mahirchowdhury.substack.com</link><image><url>https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png</url><title>the Risk Desk</title><link>https://mahirchowdhury.substack.com</link></image><generator>Substack</generator><lastBuildDate>Wed, 08 Jul 2026 18:07:40 GMT</lastBuildDate><atom:link href="https://mahirchowdhury.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Mahir Chowdhury]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[mahirchowdhury@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[mahirchowdhury@substack.com]]></itunes:email><itunes:name><![CDATA[Mahir Chowdhury]]></itunes:name></itunes:owner><itunes:author><![CDATA[Mahir Chowdhury]]></itunes:author><googleplay:owner><![CDATA[mahirchowdhury@substack.com]]></googleplay:owner><googleplay:email><![CDATA[mahirchowdhury@substack.com]]></googleplay:email><googleplay:author><![CDATA[Mahir Chowdhury]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[AI Has Changed the Conversation Around Anonymised Data]]></title><description><![CDATA[For years, organisations have relied on anonymised data to strike a balance between innovation and privacy.]]></description><link>https://mahirchowdhury.substack.com/p/ai-has-changed-the-conversation-around</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/ai-has-changed-the-conversation-around</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Tue, 23 Jun 2026 09:39:48 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>For years, organisations have relied on anonymised data to strike a balance between innovation and privacy.</p><p>Whether it&#8217;s improving products, understanding customer behaviour, conducting research or training machine learning models, anonymisation has often been viewed as the safest way to extract value from data without exposing the people behind it.</p><p>The logic seems straightforward: remove names, email addresses and other obvious identifiers, and the privacy risk largely disappears.</p><p>I&#8217;m not convinced that&#8217;s a safe assumption anymore.</p><p>As AI systems become more capable, the conversation is shifting from <em>what data organisations collect</em> to <em>what can be inferred from the data they already have</em>.</p><p>That&#8217;s a very different problem.</p><p>A decade ago, identifying someone from an anonymised dataset would have required a determined analyst, access to additional datasets and a significant amount of time.</p><p>Today, AI can process millions of records, identify subtle patterns and uncover relationships that a human would never realistically find on their own.</p><p>The concern isn&#8217;t that AI can see a name hidden in a spreadsheet. The concern is that it may not need to.</p><p>Think about the information organisations routinely collect:</p><ul><li><p>Usage patterns</p></li><li><p>Location data</p></li><li><p>Device information</p></li><li><p>Login behaviour</p></li><li><p>Purchase history</p></li><li><p>Activity timestamps</p></li></ul><p>None of these data points necessarily identify an individual by themselves. Combined, however, they can create a remarkably distinctive profile.</p><p>The more datasets that exist, the easier it becomes to connect those dots.That&#8217;s where I think many organisations underestimate the risk.</p><p>When discussing anonymisation, the focus is often on the dataset in isolation.</p><p>But attackers don&#8217;t operate in isolation, neither does AI.</p><p>An anonymised dataset might appear perfectly safe when viewed on its own. The problem arises when it is combined with publicly available information, leaked datasets, social media activity or data obtained from third parties.</p><p>Suddenly, information that seemed anonymous starts looking much less anonymous.</p><p>What&#8217;s particularly interesting is that a dataset doesn&#8217;t have to change for the risk to increase. The data sitting in storage today may be exactly the same data sitting there in five years&#8217; time.</p><p>What changes is the technology available to analyse it.</p><p>That&#8217;s the part I think organisations need to pay more attention to.</p><p><strong>So What Should Organisations Do?</strong></p><p>The answer isn&#8217;t to stop using data altogether. The answer is to recognise that anonymisation is just one layer of defence.</p><p>Organisations should start by collecting less data in the first place. If information isn&#8217;t essential to a business objective, there is little value in retaining it indefinitely.</p><p>Organisations should also look beyond simply removing names and email addresses. Techniques such as <strong>data aggregation</strong> (grouping data together rather than focusing on individuals), <strong>tokenisation</strong> (replacing sensitive information with substitute values) and <strong>differential privacy</strong> (adding small amounts of uncertainty to prevent people being singled out) can make it much harder to reconnect data to a specific person.</p><p>Access controls matter too.</p><p>Not every employee, contractor or third party needs access to large datasets simply because direct identifiers have been removed. Data should still be treated according to its potential impact if it were misused or reconstructed.</p><p>Most importantly, organisations should regularly reassess datasets that were anonymised years ago.</p><p>A dataset considered low risk in 2020 may present a very different risk profile in 2026 because of advances in AI and the availability of external data sources.</p><p>Security teams routinely conduct vulnerability assessments on systems.</p><p>Perhaps it&#8217;s time we treated datasets the same way.</p><p><strong>A Different Question</strong></p><p>Too often, anonymisation is treated as a compliance exercise:</p><p><em>&#8220;We removed the identifiers. Job done.&#8221;</em></p><p>From a governance perspective, that may satisfy a requirement.</p><p>From a security perspective, it probably isn&#8217;t enough.</p><p>The more useful question isn&#8217;t:</p><p><em>&#8220;Did we remove personal information?&#8221;</em></p><p>It&#8217;s:</p><p><em>&#8220;What could a sufficiently capable AI system learn from what&#8217;s left?&#8221;</em></p><p>Because that&#8217;s increasingly the threat model we&#8217;re dealing with.</p><p>The reality is that AI is exceptionally good at finding patterns, and privacy is often lost through patterns rather than explicit identifiers.</p><p>Anonymisation isn&#8217;t dead. It&#8217;s still an important control.</p><p>But organisations should be careful not to mistake anonymisation for anonymity.</p><p>Those are becoming two very different things.</p><p><strong>What do you think?</strong></p><p>Should organisations start treating anonymised datasets as sensitive assets by default, regardless of whether personal identifiers have been removed?</p>]]></content:encoded></item><item><title><![CDATA[Why Simple Risk Models Still Work]]></title><description><![CDATA[The Bow Tie method]]></description><link>https://mahirchowdhury.substack.com/p/why-simple-risk-models-still-work</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/why-simple-risk-models-still-work</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Fri, 08 May 2026 11:01:55 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!-j3c!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The bow tie method has been around for a while.</p><p>Which usually means one of two things:</p><ul><li><p>it&#8217;s outdated</p></li><li><p>or it&#8217;s quietly useful</p></li></ul><p>In this case, it&#8217;s probably the second.</p><p>At a basic level, it&#8217;s simple: a risk event in the middle, causes on one side, consequences on the other, and controls sitting in between. Nothing particularly complex, but that simplicity is doing more work than it looks like. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-j3c!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-j3c!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!-j3c!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!-j3c!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!-j3c!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-j3c!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png" width="728" height="485.5" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:728,&quot;bytes&quot;:1238385,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://mahirchowdhury.substack.com/i/196885649?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-j3c!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!-j3c!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!-j3c!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!-j3c!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6ad62626-7ab8-4caa-9bcd-f27c07a4c38b_1536x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>What the bow tie does well is force clarity.</p><p>It moves the conversation away from:</p><ul><li><p>abstract risk descriptions</p></li><li><p>generic scoring</p></li><li><p>broad categories</p></li></ul><p>And towards something more grounded:</p><ul><li><p>what actually causes this?</p></li><li><p>what is meant to stop it?</p></li><li><p>what happens if it still occurs?</p></li><li><p>what limits the damage?</p></li></ul><p>The bow tie brings it closer to reality. It connects events, causes, controls, and outcomes in a way that&#8217;s easy to follow. It also makes a distinction that often gets blurred in practice: the difference between controls that prevent something happening and controls that reduce the impact after the fact.</p><p>In a cyber context, for example:</p><p>Preventive controls might include:</p><ul><li><p>access controls</p></li><li><p>MFA</p></li><li><p>system hardening</p></li></ul><p>Mitigating controls might include:</p><ul><li><p>monitoring</p></li><li><p>incident response</p></li><li><p>recovery capability</p></li></ul><p>Seeing both sides together gives a more complete picture of how resilient a system actually is.</p><p>Its value is in making the important relationships visible:</p><ul><li><p>where risk originates</p></li><li><p>how it&#8217;s controlled</p></li><li><p>what happens if those controls fail</p></li></ul><p>Used properly, it becomes less about the diagram and more about the conversation. Something you can use to challenge assumptions, test whether controls really exist, and ask what happens when they don&#8217;t.</p><p>It&#8217;s not trying to capture everything, and it doesn&#8217;t need to.</p><p>Its value is in making a few things visible: where risk starts, how it&#8217;s controlled, and what happens if those controls fail.</p><p>That&#8217;s probably why it&#8217;s still used today as a common practice in Risk Management.</p>]]></content:encoded></item><item><title><![CDATA[Risk Avoidance, Acceptance, Mitigation and Transfer — And When Each One Actually Makes Sense]]></title><description><![CDATA[The Operational Reality Behind Cyber Risk Responses]]></description><link>https://mahirchowdhury.substack.com/p/risk-avoidance-acceptance-mitigation</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/risk-avoidance-acceptance-mitigation</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Wed, 06 May 2026 11:37:25 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Most risk frameworks group responses into four categories:</p><ul><li><p>avoid</p></li><li><p>mitigate</p></li><li><p>transfer</p></li><li><p>accept</p></li></ul><p>At first glance, they seem fairly straightforward. But the interesting part isn&#8217;t really the definitions themselves - it&#8217;s understanding when each response is useful, and what trade-offs come with them.</p><p>Because none of them are inherently &#8220;better&#8221; than the others. They&#8217;re just different ways of dealing with uncertainty.</p><p>Risk avoidance is probably the simplest conceptually. If an activity creates more exposure than the organisation is comfortable with, the risk is avoided entirely.</p><p>From a cybersecurity perspective, that might mean:</p><ul><li><p>not exposing a service publicly</p></li><li><p>not storing sensitive customer data</p></li><li><p>avoiding unsupported legacy systems</p></li><li><p>refusing certain third-party integrations</p></li></ul><p>Avoidance is effective because it removes the exposure altogether. But it also removes flexibility, speed, or commercial opportunity.</p><p>Which is why true avoidance tends to be relatively rare.</p><p>Mitigation is usually the most familiar response operationally. Rather than removing the activity, the organisation introduces controls to reduce either:</p><ul><li><p>the likelihood of the event<br>or</p></li><li><p>the impact if it happens</p></li></ul><p>In cyber environments, mitigation often includes:</p><ul><li><p>MFA</p></li><li><p>network segmentation</p></li><li><p>privileged access controls</p></li><li><p>monitoring and alerting</p></li><li><p>vulnerability management</p></li><li><p>resilience and recovery capabilities</p></li></ul><p>Good mitigation isn&#8217;t necessarily about adding more controls.</p><p>It&#8217;s about introducing controls that are proportionate, sustainable, and aligned to how systems actually operate.</p><p>Because overly complicated controls often create workarounds of their own.</p><p>Risk transfer is slightly different because the exposure still exists, but some of the consequences move elsewhere.</p><p>Cyber insurance is probably the clearest example, but transfer can also happen through:</p><ul><li><p>outsourced providers</p></li><li><p>managed security services</p></li><li><p>contractual security obligations</p></li><li><p>cloud service arrangements</p></li></ul><p>Transfer can help reduce financial exposure or shift certain operational responsibilities.</p><p>But it doesn&#8217;t remove accountability entirely.</p><p>If a major incident happens, the organisation still deals with:</p><ul><li><p>disruption</p></li><li><p>recovery</p></li><li><p>customer impact</p></li><li><p>regulatory scrutiny</p></li><li><p>reputational damage</p></li></ul><p>Which is why transferred cyber risk is rarely fully transferred in practice.</p><p>Risk acceptance is often misunderstood because it sounds passive, but in mature environments it&#8217;s usually a conscious decision.</p><p>In cybersecurity, acceptance often happens where:</p><ul><li><p>legacy systems can&#8217;t realistically be replaced immediately</p></li><li><p>remediation costs outweigh the exposure</p></li><li><p>vulnerabilities are low impact</p></li><li><p>operational constraints limit further mitigation</p></li></ul><p>Not every cyber risk can be eliminated entirely.</p><p>Part of effective risk management is recognising which exposures are tolerable within the context of the organisation&#8217;s wider objectives and operating model.</p><p>What makes these categories useful is that they force a broader discussion.</p><p>Not just:<br>&#8220;what is the cyber risk?&#8221;</p><p>But:</p><ul><li><p>what are we trying to protect?</p></li><li><p>what level of exposure is realistic?</p></li><li><p>what operational trade-offs exist?</p></li><li><p>where should controls sit?</p></li><li><p>what happens if those controls fail quietly?</p></li></ul><p>And in reality, responses are often combined.</p><p>An organisation might:</p><ul><li><p>mitigate part of a cyber risk</p></li><li><p>transfer some financial exposure</p></li><li><p>and consciously accept the remaining residual risk</p></li></ul><p>Which is why cyber risk management is rarely about eliminating uncertainty completely.</p><p>It&#8217;s usually about balancing:</p><ul><li><p>security</p></li><li><p>usability</p></li><li><p>resilience</p></li><li><p>operational efficiency</p></li><li><p>commercial practicality</p></li></ul><p>From an operational risk perspective, that balance is where most of the interesting decisions sit.</p><p>Because strong cybersecurity is rarely just about technology.</p><p>It&#8217;s usually about how operational decisions, system design, and human behaviour interact over time.</p><p>Which of the four responses do you think organisations rely on most heavily in cybersecurity?</p>]]></content:encoded></item><item><title><![CDATA[Why Cyber Risk Doesn’t Sit Where We Think It Does]]></title><description><![CDATA[Cyber and Risk]]></description><link>https://mahirchowdhury.substack.com/p/why-cyber-risk-doesnt-sit-where-we</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/why-cyber-risk-doesnt-sit-where-we</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Tue, 21 Apr 2026 09:43:45 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Does Cyber Risk sit with the security team?</p><p>That&#8217;s partly true. But it doesn&#8217;t quite hold up when you look at where the risk actually comes from.</p><p>If incidents are shaped by things like:</p><ul><li><p>access </p></li><li><p>process gaps</p></li><li><p>unclear ownership</p></li><li><p>exceptions that quietly become permanent</p></li></ul><p>then the risk isn&#8217;t really being created in the security team.</p><p>Security can:</p><ul><li><p>implement controls</p></li><li><p>monitor activity</p></li><li><p>respond when something goes wrong</p></li></ul><p>But they&#8217;re usually not the ones deciding:</p><ul><li><p>who gets access in the first place</p></li><li><p>how systems are structured</p></li><li><p>where shortcuts are allowed</p></li><li><p>how work actually gets done day to day</p></li></ul><p>And that&#8217;s where the exposure builds.</p><p>So you end up in a slightly awkward position. Security teams are expected to manage outcomes they don&#8217;t fully control. And the parts of the organisation that do shape the risk don&#8217;t always see it as theirs.</p><p>Which is why a lot of cyber risk ends up being managed at the edges.</p><p>Policies. Reviews. Escalations.</p><p>Things that sit slightly outside the work itself.</p><p>From an operational risk perspective, this isn&#8217;t unusual. Risk doesn&#8217;t sit neatly in one place.</p><p>It sits in decisions:</p><ul><li><p>who approves what</p></li><li><p>what gets prioritised</p></li><li><p>where pressure builds</p></li><li><p>what gets ignored</p></li></ul><p>Cyber just makes it more visible.</p><p>There&#8217;s also a tendency to treat cyber as something specialised. Which it is, technically. But a lot of the underlying questions are fairly basic:</p><ul><li><p>who owns this?</p></li><li><p>why does this role have this level of access?</p></li><li><p>what happens if this fails quietly?</p></li><li><p>where are we relying on someone to remember something?</p></li></ul><p>Those aren&#8217;t really security questions. They&#8217;re operational ones.</p><p>And if they&#8217;re not answered properly, security tends to compensate.</p><p>More monitoring. More alerts. More layers.</p><p>Trying to manage risk that&#8217;s already been designed in.</p><p>So the organisation feels covered. But the underlying drivers haven&#8217;t really moved.</p><p>Which leads to a slightly different way of looking at it.</p><p>Maybe the issue isn&#8217;t whether cyber risk is being managed. It&#8217;s where it&#8217;s being managed from.</p><p>Because if risk is created through everyday decisions, it probably needs to be addressed there as well. Not just afterwards.</p><p>Curious how others see this.</p><p>Where you are, does cyber risk feel owned by the business &#8212; or mostly handled by security?</p>]]></content:encoded></item><item><title><![CDATA[The Bit of Operational Risk We Still Don’t Design For]]></title><description><![CDATA[The issue isn&#8217;t awareness. It&#8217;s what we do, or don&#8217;t do with it.]]></description><link>https://mahirchowdhury.substack.com/p/the-bit-of-operational-risk-we-still</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/the-bit-of-operational-risk-we-still</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Tue, 14 Apr 2026 10:09:36 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I read a piece in The Independent this week about operational risk and the &#8220;human element&#8221;.</p><p>And the reaction was basically: <em>yes, this is right - but this has been known for years.</em></p><p>Most organisations already know people are central to operational risk. That&#8217;s not the problem. The problem is we haven&#8217;t really changed how anything works because of it.</p><p>We&#8217;re still very comfortable investing in frameworks, policies, governance layers, reporting packs - all the visible stuff. But much less comfortable asking: <strong>what actually happens when people are under pressure?</strong></p><p>Because that&#8217;s where things stop looking tidy.</p><p>People:</p><ul><li><p>cut corners</p></li><li><p>delay raising things</p></li><li><p>make trade-offs they don&#8217;t document</p></li><li><p>rely on workarounds that &#8220;just about work&#8221;</p></li></ul><p>Not because they&#8217;re careless, but because that&#8217;s often what the system quietly rewards.</p><p>The article talks about leaders needing to be closer to the frontline. Fair enough. But even when they are, they&#8217;re not really seeing it.</p><p>They&#8217;re seeing a version of reality that&#8217;s been cleaned up; dashboards, summaries, updates that have already been softened. The interesting stuff - the friction, the near-misses, the awkward bits - rarely travels upwards properly. And that&#8217;s where most operational risk actually sits.</p><p>We also talk about &#8220;risk culture&#8221; like it&#8217;s something fixed. It isn&#8217;t. It shifts all the time:</p><ul><li><p>when targets get tighter</p></li><li><p>when timelines get shorter</p></li><li><p>when priorities change</p></li><li><p>when leadership focus moves elsewhere</p></li></ul><p>If you&#8217;re not actively shaping it, it just drifts.</p><p>The bit that matters most, though, is whether people feel they can actually speak up. If there&#8217;s even a small hesitation &#8212; <em>&#8220;should I say this?&#8221;</em>, <em>&#8220;is this going to land badly?&#8221;</em> -  then your whole framework starts to become a bit performative.</p><p>You still get reporting. You still get metrics. But you don&#8217;t get the full picture.</p><p>And underneath all of this is something we don&#8217;t really talk about enough: <strong>incentives beat policies almost every time.</strong></p><p>You can have a great framework on paper. But if people are rewarded for speed, delivery, and not rocking the boat, that&#8217;s what will drive behaviour.</p><p><strong>Most operational failures aren&#8217;t surprises. They&#8217;re patterns no one wanted to confront properly.</strong></p><p>So yes, the &#8220;human element&#8221; matters. But it&#8217;s not new. What&#8217;s missing is actually redesigning things around it, rather than just acknowledging it in another article or training session.</p><p>Interested how others see this:</p><p>Where does human behaviour create risk where you are, the kind that never quite makes it into the official view?</p>]]></content:encoded></item><item><title><![CDATA[Most Breaches Aren’t Hacks. They’re Design Failures.]]></title><description><![CDATA[We talk about breaches as if they&#8217;re clever attacks - sophisticated, targeted, unstoppable.]]></description><link>https://mahirchowdhury.substack.com/p/most-breaches-arent-hacks-theyre</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/most-breaches-arent-hacks-theyre</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Fri, 21 Nov 2025 16:24:26 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>We talk about breaches as if they&#8217;re clever attacks - sophisticated, targeted, unstoppable.</p><p>But most &#8220;hacks&#8221; aren&#8217;t hacks at all.<br>They&#8217;re the natural outcome of weak design.</p><p>Attackers simply walk through the gaps created long before they arrive:</p><ul><li><p>vague roles</p></li><li><p>sloppy access control</p></li><li><p>poor logging</p></li><li><p>silent failure modes</p></li><li><p>over-privileged systems</p></li><li><p>handoffs no one has ever mapped</p></li><li><p>controls that only work if someone remembers them perfectly</p></li></ul><p>The real threat isn&#8217;t the hacker.<br>It&#8217;s the architecture you&#8217;ve normalised.</p><p>And this is where Operational Risk and Cyber align.</p><p>What looks like a technical failure is usually an operational one in disguise:</p><ul><li><p>someone had access they didn&#8217;t need</p></li><li><p>monitoring wasn&#8217;t set up properly</p></li><li><p>exceptions were granted &#8220;just this once&#8221;</p></li><li><p>ownership of key processes was unclear</p></li><li><p>a workaround became the unofficial process</p></li><li><p>risk signals were ignored because they were inconvenient</p></li></ul><p>By the time an attacker shows up, the organisation has already weakened itself.</p><p>Operational Risk exists to challenge this.<br>To ask the awkward questions:</p><ul><li><p>Who actually owns this?</p></li><li><p>What happens when this breaks quietly?</p></li><li><p>Why does this role have unnecessary access?</p></li><li><p>Which processes rely on memory or goodwill?</p></li><li><p>Where is the real dependency we pretend isn&#8217;t there?</p></li></ul><p>Cyber incidents look technical from the outside.<br>On the inside, they&#8217;re almost always operational.</p><p>The breach is the symptom.<br>The design is the cause.<br>And behaviour is the bridge between the two.</p><p>If you only focus on the attacker, you&#8217;re already reacting.<br>If you focus on the design, you&#8217;re preventing.</p>]]></content:encoded></item><item><title><![CDATA[Stop Treating Operational Risk as Compliance. It’s Actually Strategy]]></title><description><![CDATA[There&#8217;s a well-worn myth in boardrooms (or your weekly catch up Teams meeting)]]></description><link>https://mahirchowdhury.substack.com/p/stop-treating-operational-risk-as</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/stop-treating-operational-risk-as</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Thu, 20 Nov 2025 18:01:59 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>There&#8217;s a well-worn myth in boardrooms (or your weekly catch up Teams meeting)</p><p></p><p><strong>&#8220;Operational risk is just about protecting the downside.&#8221;</strong></p><p>No, operational risk <em>is</em> the strategy.</p><p>You can&#8217;t scale anything - payments, onboarding, customer support, tech releases, if your operational underbelly is held together with goodwill and spreadsheets.</p><p>The companies winning now aren&#8217;t the ones with perfect products.<br>They&#8217;re the ones that:</p><ul><li><p>recover quickly</p></li><li><p>learn quickly</p></li><li><p>change safely</p></li><li><p>communicate honestly</p></li><li><p>treat controls as part of the product, not an afterthought</p></li></ul><p>Operational risk isn&#8217;t the handbrake.<br><strong>It&#8217;s the grip that lets you accelerate.</strong></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://mahirchowdhury.substack.com/p/stop-treating-operational-risk-as/comments&quot;,&quot;text&quot;:&quot;Leave a comment&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://mahirchowdhury.substack.com/p/stop-treating-operational-risk-as/comments"><span>Leave a comment</span></a></p>]]></content:encoded></item><item><title><![CDATA[Hello, I'm Mahir! ]]></title><description><![CDATA[How I Ended Up Here: A Personal Introduction to Risk]]></description><link>https://mahirchowdhury.substack.com/p/hello-im-mahir</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/hello-im-mahir</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Thu, 20 Nov 2025 16:55:55 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I&#8217;ve spent the last few years in Operational Risk, mainly in the financial services and one thing has become very clear to me: most people think risk management is either paperwork or politics. But done properly, it&#8217;s far more interesting than that - and far more important. <br><br>For those who don&#8217;t know me: I&#8217;m Mahir, a Risk management professional with experience across financial services, internal audit, compliance, healthcare, and even the recruitment sector. I&#8217;ve spent the last three years inside functions that people tend to overlook until something goes wrong. Operational Risk is where I&#8217;ve found my footing - the messy, human, behavioural side of risk that actually shapes how companies work day to day.</p><p>But my journey into risk started much earlier, long before I ever stepped into a formal risk role.</p><p>I was working in a customer advisor role at EE (the mobile network provider) in the heart of Kings Road (up the Chels), doing compliance paperwork the old-fashioned way - manually checking forms, tracing mistakes, verifying information, and backtracking customer interactions to understand what had actually happened. Most people hated that part of the job. I genuinely enjoyed it. There was something about finding the root of a problem, spotting inconsistencies, and piecing together what went wrong that made more sense to me than hitting sales targets. Looking back, that was probably my first real exposure to risk thinking - even if I didn&#8217;t recognise it at the time.</p><p>I didn&#8217;t take the traditional route into this field either. I didn&#8217;t go to university; I came in through an apprenticeship. It meant I learned on the job, I learned quickly, and I learned from real problems rather than lecture slides. That background is probably why I&#8217;ve always been drawn to the practical side of risk - the processes that don&#8217;t quite work, the challenges teams face, and the gaps between how things should happen and how they actually do.<br><br>Outside of work, I try to keep myself balanced with things that have nothing to do with MI or governance packs. I&#8217;m into football and badminton, recently started running to improve my fitness, and I&#8217;ve developed a bit of a hobby for hiking; the longer the incline, the quieter the mind. <br><br>This Substack is my space to share what I&#8217;m learning, what I&#8217;m questioning, and what I think we could all do better when it comes to Operational Risk and risk management more broadly. Expect observations, small provocations, and the occasional rant about processes that should have been redesigned ten years ago. Whether you work in risk, touch it occasionally, or just find the mechanics of organisations interesting, welcome. I&#8217;m glad you&#8217;re here<strong>.</strong></p>]]></content:encoded></item><item><title><![CDATA[Operational Risk Isn’t Boring]]></title><description><![CDATA[Operational risk gets dismissed as dull - endless forms, RAG statuses, and meetings that should&#8217;ve been emails.]]></description><link>https://mahirchowdhury.substack.com/p/operational-risk-isnt-boring</link><guid isPermaLink="false">https://mahirchowdhury.substack.com/p/operational-risk-isnt-boring</guid><dc:creator><![CDATA[Mahir Chowdhury]]></dc:creator><pubDate>Thu, 20 Nov 2025 16:09:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!mTuE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F361df778-5a5b-4807-adca-eca97b778729_800x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Operational risk gets dismissed as dull - endless forms, RAG statuses, and meetings that should&#8217;ve been emails.</p><p>But the reason people think it&#8217;s boring is simple:</p><p><strong>Most organisations still manage operational risk like it&#8217;s the early 2000s.<br>No curiosity. No data. No experimentation. Just heritage processes and hope.</strong></p><p>If you treated marketing the way most companies treat risk:</p><ul><li><p>no testing</p></li><li><p>no lessons learned </p></li><li><p>just old frameworks and tick box exercises </p></li></ul><p>&#8230;it would look equally lifeless.</p><p>Operational risk is actually fascinating when you give it half a chance. It&#8217;s:</p><ul><li><p>MI that leads to improved decision making</p></li><li><p>Engineering control objectives which actually manage risk </p></li><li><p>Identifying trends and themes</p></li><li><p>Awareness of vulnerabilities</p></li></ul><p>If your risk function feels tedious, it&#8217;s not the discipline &#8212;<br><strong>it&#8217;s how you&#8217;re doing it.</strong></p><p>What&#8217;s the most outdated risk practice you&#8217;ve seen recently?</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://mahirchowdhury.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://mahirchowdhury.substack.com/?utm_source=substack&amp;utm_medium=email&amp;utm_content=share&amp;action=share&quot;,&quot;text&quot;:&quot;Share Mahir Chowdhury&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://mahirchowdhury.substack.com/?utm_source=substack&amp;utm_medium=email&amp;utm_content=share&amp;action=share"><span>Share Mahir Chowdhury</span></a></p>]]></content:encoded></item></channel></rss>