Risk Management & Preparedness Every Step of the Way

Article by Hoi Wai Khin, Technology Consulting Partner, RSM Singapore

My Personal Climb Challenge

In commemoration of RSM Singapore’s 40th anniversary, I set out a personal challenge — To climb 40 stories of HDB flats, one for each year! And so far, I’m proud to have completed 8 of these climbs. 

During a recent climb, I noticed my heart rate spiking significantly, peaking dangerously at 180 beats per minute after 10 stories. For safety, I took a 2-minute break before pacing myself with 5-storey intervals.

Midway through the climb, a worrying thought suddenly struck me: What if something went wrong? What if I twisted my ankle? Or worse, fell and hit my head, or suffered a heart attack?

Primarily emergency escape routes, these staircases are usually isolated with doors shut closed. In the event of a twisted ankle or a fall, I might still be able to call for help. But what if I lost consciousness from a head injury or had a cardiac arrest, the outcome could be fatal.

A Len for Risk Management

That moment instinctively triggered my security mindset – and I began a Risk Assessment to evaluate the worst-case scenarios.

For added preparedness and assurance, I followed up with a Tabletop Exercise – analysing those scenarios to develop effective risk mitigation strategies supported by informed decision-making. The table below shows my key findings.

Being a typical “Kiasu” Singaporean, my "saveHWK" protocol included these additional Risk Mitigation Controls:

• Pre-Climb Notification Protocol:
  Before each climb, I will notify my activity comrades WhatsApp group with:
  • Start time of the climb;
  • Location of the HDB block; and
  • Status updates (start, halfway, completion).

• Monitoring via Activity Comrades Group:
  These close friends are active 12x7 due to frequent SPAM messaging activity. They will be able to:

• • Track my climb in real time; and
  • Call for emergency services if no update is received within expected time (e.g. 35 minutes).

• Family Fallback:
  • Lastly, I will attempt to wake my wife to be a climb buddy; and
  • If unsuccessful, phone SOS and fall detection features will remain active.

So, what does climbing stairs have to do with cybersecurity?

During my personal climb challenge, I realized how each step mirrored the layers of a risk management strategy—starting with awareness, monitoring performance, identifying limits and risks, and adjusting along the way.

Just like in cybersecurity, skipping a check or pushing too hard without assessment can lead to vulnerabilities. This everyday activity became an unexpected but powerful reminder of the importance of security checks, risk assessments, and tabletop exercises to stay prepared for the climb ahead.

Tabletop Risk Assessment - Why it matters in Cybersecurity

For business leaders, risk assessments and tabletop exercises aren’t just buzzwords, they are strategic imperatives. These are essential practical tools enable proactive identification and management of cyber threats, helping your organization build resilience and prevent costly catastrophe.

Why Conduct a Tabletop Risk Assessment?

A tabletop risk assessment is a low-cost, high-impact simulation that helps identify potential risks, assess their impact, and test how well your response plan holds up under different scenarios. It is important to understand the risk, probability and impact to your business.

By applying the same mindset to my personal climb challenge, the exercise uncovered several potential high-impact scenarios (twisted ankle, fall, heart symptoms) and exposed assumptions that needed addressing (e.g., reliance on family availability, communication blackspots).

---------------------------------------------------

Risk Mitigation Measures - Key Parallels to Cybersecurity 

• Just as physical isolation on a stairwell requires alternative escalation paths, so too does a remote cyber incident require backup contacts and layered alerts.

• Delayed response (e.g., family members still asleep) mirrors scenarios where no one is monitoring security alerts.

• Emergency planning (e.g., fall detection, WhatsApp escalation) reflects the need for real-time incident detection and response mechanisms in IT systems.

Without this tabletop review, I might have overlooked hidden dependencies or gaps—just as organizations often do in cybersecurity if they fail to simulate attack scenarios before they happen.

---------------------------------------------------

Additional Risk Mitigation Controls - Building a Layered Cyber Defense Mindset 

Drawing from cybersecurity best practices, I implemented multiple risk mitigation layers to improve both preparedness and response time. These can be directly mapped to how we should approach IT and cyber risk.

• Pre-Activity Notification – Like Pre-Breach Threat Intel Sharing
  Before each climb, I send a proactive WhatsApp message to my activity group chat with: Climb time / Location /Expected duration. This is akin to threat intel sharing in cybersecurity—keeping stakeholders informed in advance allows faster detection of anomalies.

• Real-Time Monitoring – Like SIEM or SOC Alerting
  The activity group acts as a live monitoring team, similar to a Security Operations Center (SOC). Their high level of activity (12x7) ensures near real-time monitoring. If no check-in is received within 35 minutes, they would know something is wrong and can escalate immediately—just like an alert being triggered for abnormal network behaviour.
  
  
• Automated Fall Detection – Like Endpoint Detection & Response (EDR)
  Enabling fall detection and SOS alerts on my phone is equivalent to deploying endpoint detection tools that trigger automated responses when malicious activity is detected—e.g., ransomware execution or suspicious privilege escalation.
  
  
• Human Fallback (My Wife) – Like an Incident Response Escalation Tier
  When possible, I engage a human buddy as a fallback. In cybersecurity, this reflects the importance of escalation paths and manual overrides in case automation or alerts fail.

Conclusion - Cybersecurity Lessons from a Staircase

1. Risk awareness must be grounded in realistic, scenario-based thinking;

2. Assumptions must be tested—not just documented;

3. Layered defense (technical, human, procedural) is critical; and

4. Communication and escalation paths must be clear, tested, and reliable.

As a security professional, auditor, and internal CISO at RSM, I often combine practical observations with internationally recognised standards—such as the NIST Incident Response Framework and ISO/IEC 27001 incident management control requirements—to develop actionable and reliable response processes.

This sharing seeks to provide a more relatable understanding of the critical role risk management plays and reinforce the value of thorough preparation. Sometimes, even simple life experiences can inspire effective procedures for managing cybersecurity incidents. Together let’s build stronger organizations as we resiliently climb in today’s ever-evolving digital landscape.