The 4 commandments of risk management

The main purpose of the four commandments of risk management is the risk awareness of the employees. After all, man is the weakest link. Risk awareness goes both ways. On the one hand this concerns awareness of the business with regard to information security: where does it hurt and what can be done technically and what do you have to do yourself? On the other hand, it is also about the awareness of ICT people: what do they need to know that the business finds important and what is not. Doing more is often irresponsible and gives rise to spending money inappropriatly.In this contribution I write my own opinion, not that of any organization
Author: Manu Steens

What & why?

The purpose of information security is to ensure the reliability of information systems. This reliability is viewed from the following three perspectives:

Confidentiality: ensuring that information is only accessible to whom you authorize to do so.
Integrity: ensuring the correctness and completeness of the information.
Availability: ensuring that authorized users have timely access to the information / information systems at the right time

This is of course only possible by taking, maintaining and monitoring a coherent package of measures. It generally concerns information in information systems, but also on paper.

The information security policy of the organization aims at ensuring, on the basis of risk management, that the information of the organization is correct and complete and accessible in time for the authorized persons.


To ensure information security adequately, develop measures to ensure confidentiality (C), integrity (I) and availability (A: availability).
It is not easy to lay down generally applicable criteria for this, because these can differ from department to department within an organization, even between teams within a department the needs can be different.

These measures must also respond to the following areas:

  • People and Resources,
  • Collaboration (at process level and overarching)
  • Systems
  • Content,

As an aid instrument we have worked out the matrix below. In this matrix, we approach the four domains from the three perspectives. We have prepared a number of guidelines for each combination. For these questions we have drawn inspiration from the “four commandments of risk management” (see below). Every employee can get to work with these questions. But these questions are also extremely suitable for gaining a clearer view of information security (both from the point of view of the “business” and from the point of view of IT).


 People and resourcesCollaboration at process level and overarchingSystemsContent
CWhat do you share with whom? Which access do you need? Does anyone know the security manager? What is the intention of the management with their information security policy?Does the confidential information remain within confidential circles? Are these circles known to everyone?Which things do you have to be able to be admitted to the systems? Is a background study necessary for this? Who coordinates this?Which security-related laws must your organization meet (privacy, ISO standards, BCM, …)?
IDoes everyone have good intentions? Is a background investigation necessary for this?Are the processes drawn up and checked for bugs and errors? Was the flow of the process tested?Are the systems regularly maintained and tested? Is that needed?How important is the correctness of the content? Do you use voluntary error introduction for the sake of confidentiality?
AWhat people and things do you need to be able to do your work safely?What about a system failure? People? Buildings? Facilities? Suppliers? Has a risk analysis been made for information security?Who has physical access to which systems? Who has logical access to which systems? When? Is there an SLA with supplier?When do you need the information? Are these depending on the time in the year?

Answers to these questions are some of the criteria that information security must meet within the organization.

The four commandments of risk management and four examples of values: openness, decisiveness, trust and agility

Risk-aware behavior can shrink to the following four commandments:

  • Do not harm yourself unless you get better;
  • Do not harm anyone unless he / she gets better;
  • Do not break anything unless you can make something better with the parts;
  • Grab your chances, unless this is contrary to rules 1, 2 or 3.

These four commandments are

  • simple
  • easy to remember
  • clearly applicable

Moreover, these commands are relatively easy to link to the values ​​of an organization. By way of illustration, we give here how these fit within the values ​​of openness, decisiveness, trust and agility.


Rule 2: do not harm anyone to this applies. For example, openness of management is only valid as long as someone is involved. The privacy legislation also supports this principle that a person can appeal against the processing of his data. In addition, according to the privacy legislation, one can come out with statistics, not to expose the heart and soul of an individual against his/her will. So there may be transparency, but with the right extent: the extent to which you do not hurt anyone.


Rule 3: do not break anything and rule 4: grab your chances. Effectiveness within the organization needs creativity. In order to serve clients better, however, it may be necessary to be decisive and break down existing structures and build better structures. For this, one should know his ways within the organization to act effectively. And if you know the goals and the way to it, it is important to seize the opportunities.


Rule 2: do not harm anyone and rule 1: do not harm yourself. For an organization, it is of utmost importance that everyone has their trust. This applies to both the client and the employees. You must have sufficient self-confidence that you are heading in the right direction with what you do for the market. If people hurt each other senselessly, this trust will soon be violated.


This means that exceptions can always be part of rules 1 through 4.

But it also means rule 4: grab your chances. Drifting away from the chosen road can yield a number of benefits that you would otherwise have missed. Looking carefully at opportunities and tackling these issues is also the message !

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts