Risk and Performance Management

  • Are we making progress towards our goals?
  • Do we need to make changes to our team?

Classifying security work for performance

  1. Articulate a problem
  2. Suggest a budget
  3. Propose a solution

  1. Write code to a specification.
  2. Follow a runbook for a procedure.
  3. Fulfill a delivery contract of goods from point A to point B.

Reasonably making progress with OKRs

  • An expert should not require substantial supervision in making their objectives.
  • An expert should not be constantly fluctuating Key Results with conveniently available pseudo-justifications they couldn’t foresee.
  • An expert should demonstrate that their knowledge is still developing from one performance cycle to the next.

Organizational Feedback

When a measure becomes a target, it ceases to be a good measure.

  • Knowledge workers are paid to provide risk measurements.
  • Knowledge workers also measure the risks they mitigate.
  • Performance management can corrupt risk measurement.


  1. Risk based knowledge work resists simple performance measurement.
  2. Knowledge workers are trusted to measure and manage themselves.
  3. OKRs and peer reviews are crucial for evaluating a knowledge worker.
  4. Objective measurement is efficient, but risk is a subjective concern.
  5. Overly quantitative management becomes subjected to Goodhart’s Law.




Writing about risk, security, and startups.

Ryan McGeehan
