00:06 Welcome to Absolutely Critical by Fortress, where leaders across government and
00:11 industry share how they protect mission-critical systems in environments where
00:15 disruption, compromise, or failure simply isn't an option.
00:19 Hey there, welcome to the Absolutely Critical podcast.
00:22 I'm your host, Lee Mangold.
00:24 Risk management isn't a topic that people are usually excited to talk about.
00:28 For some, risk management really only happens when an auditor asks for your
00:32 risk register, but for others, it's a fully developed and complex process.
00:37 But the reality is we're doing risk management every day, whether we know it or
00:41 not.
00:42 Sometimes it's right, and sometimes it's not so right.
00:46 So today we're going to dive into the wonderful world of risk management and
00:50 talk about some of the basics, but also really how to get started in your
00:54 organization.
00:55 To help us through that, welcome our guest today, David White.
00:58 David is the president and co-founder of Axio, where he advances cyber risk
01:03 quantification and resilience across critical infrastructure sectors.
01:06 He leads Axio's work with the U.S. Department of Energy and Cyber Risk
01:10 Institute and contributes to policy initiatives shaping the future of cyber
01:16 oversight.
01:18 Thank you, Lee.
01:19 I'm thrilled to be here.
01:21 I'm excited to talk about risk management.
01:23 I know.
01:24 We talked beforehand, and it's David and I met, and I was actually really
01:28 excited to talk about risk management.
01:30 I said it takes kind of a special kind of person to really get excited about
01:33 risk management, but here we are, right?
01:38 But yeah, I think this is one of those topics that I don't think we talk enough
01:43 about.
01:44 We hear about this, every audit that we do, everything that we do in
01:48 cybersecurity and risk and compliance in general boils down at some point to
01:52 risk management.
01:56 Yeah, it really does.
01:58 In security, we are, in fact, managing risk all the time, but are we managing
02:06 the right risks?
02:07 Are we prioritizing the right risks?
02:09 And are we managing them in a way that's most efficient and effective for the
02:13 organization?
02:14 And that's where the process, and I loved in the intro, Lee, that you called it
02:20 a process, because risk management is a process.
02:23 Yeah, it's a life cycle, right?
02:25 So, yeah.
02:26 So let's get started.
02:28 So when you hear the term risk management in a business context, what should
02:32 leaders really be thinking about?
02:33 Risk management means different things to different people, but where do you
02:36 see organizations, where should they start?
02:39 Where do they seem to get things wrong?
02:42 Well, I think, so first it is a process.
02:46 So they should be thinking, this is a process.
02:49 It's something to do, not something to buy.
02:53 Now, there might be some tools that you buy to help you out with the process,
02:57 but think process first.
03:00 And remember the basics, because risk, like the dictionary definition is just
03:08 exposure to danger, harm, or loss, right?
03:12 So it's some exposure.
03:14 And the objective of the risk management process is to keep that exposure
03:22 within acceptable limits for the organization.
03:26 And so now we've seen a couple of things.
03:29 So it's a process.
03:30 It's something I have to do, right?
03:32 And what are these acceptable limits?
03:35 Like what are the limits?
03:37 And that's where it connects with governance, with the C-suite and the board,
03:43 because that's where those limits should come from, right?
03:48 But then because it's a process, you need...
03:53 And a process is just a machine.
03:56 It's really...
03:58 I like to think of a process as a machine.
04:01 So we need a machine that's repeatable and efficient that we can afford to
04:05 operate, to identify risks, analyze risk, prioritize risk, and then treat those
04:12 risks to get the whole portfolio of risk within that exposure limit, right?
04:20 And that's really what to think about, I think, in this.
04:24 Yeah.
04:25 I think there's this tendency to look at risk management from an all or nothing
04:32 perspective too, right?
04:35 And it's about managing to an expectation, right?
04:40 It's managing to your risk thresholds.
04:42 And there's lots of ways to do that, right?
04:44 Obviously.
04:45 One of the things that I've always been a really big advocate of, and we talked
04:50 about this a little bit, we're going to fight a little bit, is I'm a big fan of
04:53 qualitative risk management.
04:55 Now, I have a whole process to that, right?
05:01 Which is different than, I think, some.
05:02 But I have a whole process that I use for that.
05:04 But I think a lot of people are still stuck in...
05:07 If they're doing something more than the auditor comes by and asks for your
05:11 risk register, they're doing a stock chart, or they're doing low, medium, high.
05:16 I think we can agree something's better than nothing, generally speaking.
05:21 But I think my real question is they're like, what do you think the limitations
05:25 are to that kind of approach, kind of more specifically, as opposed to...
05:31 Well, I guess before, let's back up and define qualitative versus quantitative.
05:39 Well, qualitative is typically characterizing risks using a color
05:50 scale, red, yellow, green, stoplight scale, t-shirt size, small, medium, large,
05:55 like that, right?
05:58 And I think the icon of a qualitative risk management program is a five by five
06:07 matrix that's red at the top, and top right, and green at the bottom left.
06:11 And you scatter the risks across that playing field as a way to analyze them.
06:20 The challenge is...
06:24 And I absolutely...
06:25 First of all, we agree that it's a whole lot better than nothing, right?
06:32 And it's also, for an organization just getting started with building a risk
06:38 management program, it's a reasonable place to start, right?
06:43 It's also...
06:45 Look, some of my risk nerd friends make fun of me because I'm a big fan, even
06:51 when you've moved to a quantitative program, I'm a big fan of using that five
06:58 by five matrix as a consensus building tool.
07:03 And forget the absolute scales, right?
07:06 Just forget the absolute scales.
07:09 But if you're bringing a group of a team from your security program into a
07:17 room, and you've got like 20 risks identified, and you need to do a quick
07:22 triage, then having the team bucket them to say, we don't know what the
07:30 likelihood is, but this one here is more likely than that one, and that was
07:34 more likely than this one.
07:35 So now we can start to sort them across relative likelihood and relative
07:41 impact, and use that to build consensus, and keep it in relative terms.
07:48 I think it's a really valuable tool.
07:51 I think where qualitative runs into problems is that it presents risk in a way
08:00 that is, from my view, inconsistent with the language of business, right?
08:05 So if you're a CISO, and you're going into a board meeting to ask for a special
08:10 allocation of $10 million, because you've got this hair on fire risk, and so
08:16 you're like, well, I've got this risk and it's red.
08:19 Well, what will it be after we get to 10 million?
08:23 Well, it'll still be red, but maybe a little less red, right?
08:30 And that's where you run into problems.
08:33 And then you've got a colleague coming in who is asking for 10 million for a
08:38 special project that's going to add, that he has a model suggesting we'll add
08:44 $100 million in revenue to the bottom line, right?
08:48 Which of you is going to get the funding?
08:50 The guy who marches in with the crayon, or the guy who will march in with the
08:53 spreadsheet?
08:54 Yeah, I think there's, one of my approaches that I've kind of done with this a
08:57 lot is, even though it's very qualitative in nature, I agree with you.
09:02 I think it's beautiful to kind of see that chart.
09:05 And you're right, the consensus building thing, I've never really thought about
09:08 it in those terms.
09:09 And that's, I think the allure to a lot of this, or a lot of the qualitative
09:12 is, you can just see really quickly and you can kind of make a quick judgment.
09:16 I think there's a lot of value in that.
09:17 One of the things that I've done a lot is, when I do those risk judgments, I
09:22 actually do have some quantitative measures on there.
09:25 And they're higher level thresholds, right?
09:28 But if it's over this kind of a value potential, then it's going to be high, or
09:33 it's going to be a critical, or very high, whatever we call it.
09:36 I think there's ways to mix that.
09:37 But yeah, I mean, I think there's, one of the things that I've always kind of
09:41 run into, and there's lots of models out there for everything, right?
09:46 But one of the things I've always run into is this idea that quantitative
09:50 approaches can be really complicated, and they can be very complicated.
09:56 How do you overcome that?
09:57 I mean, well, first of all, do you agree?
10:00 And how do you kind of overcome that?
10:01 Well, they can be complicated.
10:04 And frankly, there are, I think risk quantification
10:11 has earned a bad name, has earned a bad reputation for being
10:21 complicated, by forgetting to keep it simple, and forgetting to use it for as a
10:31 decision-making tool, not as quantification for quantification sake, right?
10:39 And so, because when you're, you can, you know, when it's a decision-making
10:46 tool, then you can stop when you've got enough insight to make the right
10:53 decision, right?
10:54 When it's quantification for quantification sake, you can spend weeks, months
11:00 refining those probability estimates, or gathering more data for those
11:07 probability estimates.
11:08 So, but you know, I promise you, you don't need probability to, you know, three
11:14 digits right to the decimal point to use it as a decision-making tool, right?
11:20 And if that's where you're focused, you're going to exhaust yourself, right?
11:25 Without generating value.
11:27 Same on the impact side, right?
11:29 I mean, you know, look, I did a risk quantification study for a company, maybe,
11:36 oh God, it's been seven or 10 years ago.
11:40 And we had a group of experts around a boardroom table and made some impact
11:48 estimates, threw some impact estimates on a spreadsheet.
11:52 And then they were like, and they were like, well, that's really big.
11:55 We've got to refine that number because it's so big.
11:58 Well, how about it's so big, we know it's a big number.
12:04 Let's implement a control to bring that risk under control.
12:08 Well, no, they wanted to, so they spent six months, commissioned a study, did
12:13 a data pull from every manufacturing location around the globe and like
12:18 assembled all this data.
12:19 And after six months of study, the impact number changed by less than 10%.
12:24 But at the end of the day on day one, we knew it was a big number worth doing
12:31 something about, right?
12:32 Is a 10% variance in that number really worth it, right?
12:35 So that's, that's where, you know, that aiming like perfection is the enemy of
12:41 good enough, right?
12:42 That, that, that saying, right.
12:43 We've got to keep it, we've got to keep it good enough.
12:46 Don't aim for perfection, keep it simple.
12:48 And remember that this is about making a decision.
12:52 So it's not about, it's not about, you know, risk navel gazing.
12:59 Yeah.
13:00 And I was going to say, I mean, my, my follow-up question to that was there's,
13:03 there's always that pushback of we don't have enough information, right?
13:06 And, and you're right.
13:07 It's so funny.
13:08 It's it's the decimal precision doesn't really matter in this, in this kind of
13:12 realm.
13:13 Right.
13:13 And, and the farther down the path you go on that, the more complicated you
13:17 make it.
13:18 Right.
13:19 And I guess, I guess one of the questions that I kind of have that kind of
13:24 dovetails on that is, you know, how I think a lot of companies, a lot of
13:28 organizations struggle with that risk, risk register sort of view and kind of
13:33 understand like you can have, if you, if you measure every risk possible, how
13:39 do you manage anything?
13:41 What do you, what are you kind of your, your strategies, your approach to
13:44 determining what, what measure, what, what risk?
13:48 Yeah.
13:48 I, I'm an advocate of having some constraints on the risk register personally,
13:54 like a new risk needs to earn its space, so to speak.
14:03 Right.
14:03 Okay.
14:04 Yeah.
14:05 Yeah, for sure.
14:07 I've seen a couple of interesting ways to deal with that.
14:10 Well, I've also seen like a bloated risk register is a really big problem.
14:17 And I've seen risk management programs fail because of risk register bloat.
14:22 Right.
14:22 Yeah.
14:23 Oh, we've got, we're doing so well.
14:25 We've got 1200 risks on the risk register.
14:28 You've wait, you've got what?
14:30 Like how many?
14:33 Yeah.
14:34 Yeah.
14:34 That's always the question.
14:35 Well, how often do you review those?
14:36 We, we just keep adding, we don't go back and review anything.
14:40 Right.
14:40 That's the, that's, so, and I, I, I worked with one organization and they had,
14:46 when they first created the risk register, they gave it, I forget, I forget how
14:50 many slots, let's see.
14:53 They gave it 15 slots.
14:56 We're going to, we're going to track no more than 15 risks.
14:58 Right.
15:07 And only when they identify something that after some analysis is
15:16 clearly not some variation or some risk of one of those other risks, will they
15:17 expand the slot?
15:22 So they've got governance around the risk register, which I'm a fan of because
15:26 it's the only way to keep it managed, keep it manageable.
15:28 Go back to my machine analogy.
15:29 Risk management is building a machine.
15:31 You've got to build a machine that you can afford to operate.
15:34 Nobody can, I've, well, I haven't met anybody who can afford to operate a risk
15:39 management machine that can keep up with 1200 risks on the risk register.
15:43 Right.
15:44 That's, and I also saw one, one time that had, they, they had grown from a five
15:49 by five matrix to a 15 by 15.
15:53 And that was nightmarish too.
15:56 Right.
15:59 Yeah.
16:00 Yeah.
16:00 That's, that's, that's almost back to that decimal precision problem, right.
16:03 Of like, did it really matter?
16:05 It's still red.
16:06 It's just a little bit lighter shade.
16:07 Right.
16:07 Yeah.
16:08 Yeah.
16:08 I mean, that's, it's just sort of interesting because, you know, you've all
16:11 been in those conversations where the, you know, somebody will use the phrase
16:14 and I've used the phrase like, Hey, we need to track that as a risk or Hey, we
16:18 need to drive on that.
16:19 Right.
16:19 And that's not necessarily always something you want to add to the risk
16:21 register.
16:23 You know, I always think of it as, as sort of the pain in the future of having
16:27 to update and manage that.
16:28 And I think if people sort of realize that once it's on the register, you, you
16:32 become accountable for actually reviewing it and making sure it's updated.
16:37 Once they realize that they might change their view on how many things they
16:42 want to throw on that risk register.
16:44 Yeah.
16:45 Well, I, I agree though.
16:46 I think it's, it really does come from, right.
16:48 You have to really think through that governance process and how you're going
16:51 to do.
16:52 You know, I think, you know, Phil Venables, Phil famous quote from Phil
16:56 Venables years ago when he was, when he was CISO at Goldman Sachs, he said, if
17:02 quantifying the risk costs more than buying the control to mitigate the risk,
17:08 just buy the damn control.
17:12 Yeah.
17:12 Sorry.
17:13 I, I, I said a bad word, but it was in the context of a quote.
17:17 Yeah, for sure.
17:19 You know, that's, that's part of the governance rails that you want around a
17:23 risk management program and why a risk needs to earn that.
17:26 It needs to earn the oxygen it takes to put it on that risk register.
17:31 I really, I love, I love that phrase.
17:35 You know, the risk needs to earn its way on the risk register.
17:38 I think that that's really important.
17:40 I think there's also possibly the inverse of that too of just cause you don't
17:45 want to track the risk doesn't mean it doesn't need to be on the register.
17:48 But yeah, I, I think it's really interesting and thinking about, you know, I
17:52 mean, how many, how often are you going to review your risk register?
17:56 How much time will it take you to review those items?
17:59 And I think in a lot of cases you kind of back your way into, you know, Hey,
18:04 this is, we can't exceed more than X number of things.
18:07 And a lot of them, when you, when you see that bloat, there's so many that like
18:12 put them in buckets, right?
18:14 There like, you know, find do an affinity analysis and get that and get that
18:20 risk register condensed into categories of risk and manage at that level.
18:25 Right.
18:25 And then you can have categories and exemplars of risk, right.
18:28 That that's, that's another approach.
18:32 Yeah.
18:33 Yeah.
18:33 And, you know, to that point there was, you know, I was having a conversation
18:36 with someone the other day and we were talking about, you know, TPRM third-party
18:40 risk.
18:41 You've got hundreds, thousands of vendors, right.
18:43 And you can assign a risk rank, a risk score to each of those vendors.
18:46 But just because the vendor is listed there as high doesn't mean it goes on
18:49 your official register.
18:51 Right.
18:52 It's, it gets bucketed into something else.
18:54 And that's why I think people get, get very confused about this and they, and
18:58 it just becomes over.
18:59 Yeah.
19:00 I, I, I think that would be a really bad move to put every, every vendor in
19:04 every high, every high risk vendor.
19:09 Right.
19:09 Yeah.
19:10 Well, where does that, where does that end?
19:13 Right.
19:13 You had, you had a, an assessment done and they came back with critical
19:17 findings.
19:17 Does that every critical finding go on the register?
19:20 No, it's, you know, it's yeah.
19:23 There's, there's a lot of other ways you can bucket that.
19:25 Yeah.
19:25 No, I'm, I'm, I'm completely on board there.
19:28 I think there's, I think that is an interesting thing that I've actually very
19:31 recently noticed in some conversations that I've had in the last, we'll say
19:35 three weeks where I've had this conversation two or three times with different
19:39 folks in different areas where it looks so overwhelming because they got, well,
19:45 I've, what, what happens when I do my, my tenable scans and I've got all these
19:50 vulnerabilities, like that doesn't go on your risk register.
19:52 So, but, and it always turns, right.
19:55 And it always turns around to, well, then what does go on the risk register?
20:03 And I think it's a very interesting thought experiment that like, and the risk,
20:06 the risk of all those scans is you've got unknown, you've got vulnerabilities
20:10 in your environment that could lead to.
20:10 A vulnerability is not a risk.
20:14 A vulnerability is a weakness, right?
20:15 Weaknesses may cause risk probability to go up or risk impact to go up, but
20:24 they are not risks, right?
20:27 The risk might be, we have a vulnerability in our manufacturing environment.
20:32 And the risk of that is that it could lead to a shutdown if it was compromised
20:37 in the following way.
20:39 Well, is there a pathway whereby it could be compromised in that way, right?
20:44 Well, if there is, then you have, you have a risk from that vulnerability and
20:51 yeah, you, you, you ought to do something about it.
20:54 But if that conversation costs more than it would to just go in there and patch
21:00 it and there's a patch available that you can deploy, then you know what I
21:04 would do.
21:09 I've had the time on, on talking about it, do it, right?
21:12 Yeah.
21:13 Yeah.
21:13 I think it's, it's, it's, you know, that down that vulnerability chain of like,
21:17 it's, it's not, it is, it is a matter of, well, why, why didn't you fix it?
21:23 Why wasn't it patched already?
21:24 Why did that happen?
21:25 And you can always tease out.
21:27 It's, it's, it's, I mean, it's root cause analysis at some point, right?
21:30 But what was the, what was the reason that that vulnerability revealed itself?
21:34 I think it's, I think it's really interesting.
21:36 And, you know, do you not have enough people?
21:38 Yeah.
21:38 And not having enough people to manage vulnerabilities, that could be a risk
21:43 that could lead to a risk that in fact, that in itself is a vulnerability
21:48 because it's a weakness in your program.
21:51 Right.
21:52 And it's, and it, it, it could lead to a variety of risks as the, as the sort
22:00 of source point right now, I don't want any of your listeners to take away an
22:06 idea that vulnerability management is not important.
22:10 Vulnerability management is extremely important.
22:13 And I would argue it's becoming more and more important because there are
22:17 threat groups out there that are mechanizing the exploit of vulnerabilities as
22:23 soon as they reveal themselves by a patch being made available.
22:29 Right.
22:29 And so, you know, the, so now I'm, I hear people talking about instead of a
22:35 zero day, they're talking about one day vulnerabilities.
22:37 Yeah.
22:38 Right.
22:39 And so, yeah, that vulnerability management is very important, but let's, let's
22:43 not conflate vulnerabilities with risks.
22:46 That's, that's a trap.
22:47 Yeah.
22:49 That's a, that's a, that's a really, really great point.
22:51 And yeah, like I said, I've had that conversation a lot lately and it just, it
22:55 really, I've been waiting to ask you that and kind of, yeah.
23:00 So, and you kind of talked about this a little bit, you know, when you, when
23:04 you have the, you know, risk conversations often tend to struggle with, with
23:07 boards, with, you know, when you're, when you're competing for those
23:10 priorities, for those budgets, you know, how does a quantitative risk change
23:14 the way that you approach those conversations?
23:17 And I want to, I, I, I just recorded a, a, a video with Phil Venables.
23:24 So I've got Phil Venables on the mind.
23:26 I'm a big fan of Phil's and, you know, Phil, Phil has written a lot about the
23:30 evolution of the CISO role.
23:32 And he talks about CISO 2.0 being CISO as an executive, as the chief digital
23:42 risk officer, as the CEO of the security program.
23:47 And so to evolve our, evolve into that role requires that we
23:56 take on the actions and mannerisms of a business executive.
24:02 And the language of business is dollars, right?
24:05 Or financial terms, I should say.
24:08 And so we have to learn to talk about what we're doing in those terms, to
24:13 justify what we're doing in those terms, to justify decisions and priorities
24:18 we're making in those terms.
24:20 And to do that, we've got to embrace quantitative risk management.
24:24 It is a game changer.
24:26 And I've had, I've had CISOs, well, I know, I know a lot of CISOs who are using
24:33 it very effectively in their board communications to, to the benefit of their
24:38 program.
24:40 There's a lot of conversation about resilience in the security world these
24:45 days.
24:46 And, you know, think about the bottom line on resilience.
24:50 Because for an organization's, the bottom line on an organization's resilience
24:56 is financial.
24:58 Because if that organization has the financial wherewithal to make it through
25:04 an event and live to fight another day, then it has demonstrated resilience,
25:10 right?
25:11 And so we've got to understand those resilience limits in financial terms.
25:17 Like how much, if, because, you know, you look like, you look at it, you look
25:23 at an event like what just happened with Jaguar Land Rover, that was, that was,
25:28 that was an event that, that tested the economic resilience of an entire
25:33 industry sector in the UK, right?
25:37 And that was a big one, right?
25:39 Understanding those, like as, and talk about governance, that's governance at
25:45 the, at the macro level, right?
25:47 Maybe look, maybe we should do some, some risk management there too, to
25:50 understand like what could go wrong, brings an entire industry and our economy
25:54 down, right?
25:55 Maybe that's a good idea.
25:57 Yeah, well, we'll, we'll start, start with baby steps, Dave.
26:04 You know, I think, I think for me, because I try to contextualize this into,
26:08 for me anyways, into how I can, you know, you always try to do something a
26:12 little bit better tomorrow, right?
26:14 And one of the strategies that I've always done, and I've always been an
26:17 advocate of what's, you know, my, my methods have never been purely like a
26:21 qualitative risk management.
26:23 There's always been some quantitative approach to it because of exactly what
26:26 you said, right?
26:28 You know, you have to, if you, if you can't speak in, in actual probabilistic
26:32 terms and show the money, it's, it's really hard to say, well, how much do you
26:38 need to mitigate that risk, right?
26:40 If you're not coming to the table with that and it doesn't, you know, what
26:43 exactly are you asking for, right?
26:46 I guess I'll ask you a very loaded question, which I did not prepare you for.
26:53 Okay.
26:54 There's lots of risk methodologies and frameworks out there.
27:00 What are your, what are your favorites?
27:03 Well, my favorite is, is the one that, the one that we created at Axio, that's
27:09 my favorite, which, you know, risk, risk quantification experts that have, that
27:19 are friends of mine that know our methodology have described as kind of, you
27:26 know, a mashup of some other methods who bear among them, but, you know, it's,
27:32 it's a mashup, but really what we've tried to do at Axio is make risk
27:37 quantification accessible, democratize it, make it easy enough to get started
27:44 that you can actually succeed in building a quantification based risk
27:50 management program.
27:52 And, and I think we've, I think we've succeeded and look for, for, you know,
28:02 yeah, I have, I have very strong opinions about how to get started.
28:06 Yeah.
28:06 Yeah.
28:07 And that's my next question.
28:08 I get there, but yeah, I think there's it's, it is always interesting when you,
28:13 I tried to, I did a presentation for a B-Sides event, I guess about a year ago,
28:17 we were talking, talking GRC in general, and obviously they are right in GRC.
28:22 And I had a slide up of, I want to say it's probably 16 or 18 different risk
28:27 assessment methodologies, approaches.
28:29 And I kid you not within three seconds, somebody asked, Hey, what about, and I
28:33 don't even remember what he asked about.
28:35 And then somebody else, the others, what about this?
28:38 And we're like, I guys, I, if I make the font any smaller, you can't read it,
28:43 right?
28:43 Like, it's so funny.
28:45 Cause it's, it's like, you just lit a match in the middle of the room about
28:48 somebody's favorite method to do something.
28:51 Yeah.
28:51 And I think, and this is kind of what you've been really hitting on is at the
28:54 end of the day, we have to figure out what is actually important to the
28:58 business and what's going to work for me and what's going to work for our
29:01 environment.
29:02 Exactly.
29:03 I was, I was just going to say, Lee, that, you know, I can say with absolute
29:09 certainty that the right methodology for you is the one that you will use.
29:15 Yeah.
29:16 A hundred percent.
29:18 Yeah.
29:18 Yeah.
29:19 And, and honestly, that's, that's, that I think to me is sort of that, that
29:22 biggest allure to the qualitative risk management is you're going to do it.
29:27 Just do something.
29:28 Yeah.
29:29 And then let's, and then, okay, maybe next year we're going to migrate and make
29:32 it better.
29:33 Yeah.
29:33 I would, I would argue, Lee, that you're actually doing quantitative risk
29:37 management, but you're displaying, you're displaying the output on a risk
29:43 matrix.
29:44 Because if you're actually, if you're actually putting thresh, dollar
29:48 thresholds on the impact scale, then you've, you've stepped into quant land, my
29:52 friend.
29:53 I don't, I don't, let's not, let's not put words in my mouth here.