ISACA Now Blog


Managing Risk in Reel Time—ISACA at the movies

Posted at 3:33 PM by ISACA News | Category: Risk Management

Brian Barnier

Quick, do you know…

  • ISACA’s founding chapter? Los Angeles
  • How many years the Chapter has existed? 45
  • Where is their annual conference held? Universal Studios

At this time of year, regardless of hemisphere, people head to movie theaters to escape heat or cold.

If you’ve joined in one of the risk management workshops I’ve taught, you know part of our FUN is drawing on the personal passions of people in the room—from sports to photography to cake baking to movies.

As ISACA has chapters in 86 countries, consider the movie that was #1 in many countries recently—from Argentina to Uruguay—How to Train Your Dragon 2.

What can Dragon 2 teach ISACA members? Let’s focus on the Risk Management Cycle’s 5+2 steps.

The 5 steps are about continuous improvement:

  • Evaluate the environment and enterprise capabilities—“Know the business.”
    • The movie’s hero, Hiccup, and companions learn about new lands, dragons and villains. When the team encounters a new dragon, Fishlegs studies his dragonology cards to learn about dragons’ attack and defense capabilities (just as is done more mathematically in the companion video game).
  • Seek Scenarios—ask, “What if?”
    • “What if?” is constantly asked as the characters learn and adapt—especially when Hiccup thinks ahead to his encounter with the villain.
  • Watch for Warnings
    • In the original Dragon film, the team learned how to recognize when a dragon was about to breathe fire. In this movie, they learn about icy breath.
  • Prioritize
    • A running lesson is in the dialog between Hiccup and his father about prioritizing action in the protection of their people.
  • Improve position in environment and/or capabilities
    • Despite Hiccup’s best efforts to be proactive and engage the enemy beyond his island (picking his environment), the villain finally attacks Berk. The writer, Dean DeBlois, surprises audiences with amazing new capabilities.

The +2 steps are the “ring the bell” shortcut through the middle of the Cycle for reacting and recovering when a risk materializes.

  • The audience is engaged by watching the heroes valiantly react over and over again, but only partially recovering until the thrilling end. The backdrop for the closing narration is recovery mode.

Take Action: Bring a little slice of the risk workshop to your chapter—have a movie night!

  1. Pick a popular movie in your country; some stats at
  2. Break into 4-6 person groups
  3. Create “movie maps”—mapping the movie plot into the 5+2 steps of the Cycle
  4. Apply this to IT-related business risk in your organization

Bonus: As in COBIT 5, consider how managing risk is more efficient and effective than using controls. In Dragon 2, as in data centers, factory floors and organizations in general, the villain’s control attempts ultimately fail. X-Men also makes this point. There are situations where controls are helpful; movie plots can also provide those examples.

Help other ISACA members learn: Post your risk management movie maps to the ISACA Risk Management Community.

Brian Barnier, ValueBridge Advisors, has volunteered for ISACA in a range of roles. He is the author of The Operational Risk Handbook, at the ISACA Bookstore.

