Enterprise Risk · Security · Resilience
About Tony Ridley
A soldier, a commercial risk operator, a chief risk officer, and a researcher. Three times I believed I had become a security and risk professional. Three times I was partly right and not finished.
This is the story of how the work got harder to fool, and why your work is safer for it.
The short version
Experience, then commercial mastery, then science. Each felt like the summit. Each turned out to be a ledge. What follows is how I climbed, what I kept, and why it matters to the work you need done.
Act One. I thought experience was enough.
My foundations were laid in the Australian Defence Force, including service in a specialist military unit. That is where I learned to source information under pressure, to decide when the picture is incomplete, and to live with the consequences of the call.
For a while I believed that was the whole of it. I had stood in real environments where failure was not theoretical, so I thought I understood risk better than people who had not. That belief is common in this field, and it is half true. Operational experience is real and it does not transfer to anyone who has not earned it.
But experience answers what happened to me. It does not answer what is true in general, or what will hold up when someone who was not there challenges it later. I did not know that yet.
Act Two. I thought commercial mastery was enough.
So I went and did the work, at scale, for two decades.
I founded and led a hyper-personalised travel risk business, built the algorithm and the platform, raised the capital, stood up the board, and ran a 30-person operation around the clock. We analysed over one million international journeys. The thesis was that two travellers on the same itinerary do not face the same risk, and a defensible programme has to reflect that.
I took a Commonwealth Executive Level 2 operational-risk appointment inside a $40 billion federal social insurance scheme, partnering more than twenty business units and governing risk across thirty to forty concurrent technology programmes. I governed an AML/CTF remediation back from the brink for a retail bank. I sat as an independent member on a council audit and risk committee overseeing a regional economy worth billions. I ran, in effect, as chief risk officer for a state-owned critical infrastructure entity covering rail, freight and telecommunications, owning the SOCI work, rebuilding the enterprise risk framework, and reporting to the board.
And I was tested in the hardest room there is. In a major international investment arbitration (Tethyan Copper Company v Islamic Republic of Pakistan, ICSID Case No ARB/12/1), I gave expert security risk evidence on a contested resource project. Years before, I had written the original security risk assessment for that project, and in it I had ranked the host government, not the insurgents everyone fixated on, as the primary threat. That call materialised. The dispute ran to one of the larger awards of its kind, my analysis was argued on the record against an opposing expert, and it held.
By now I had the certifications, the scale, the standards and a vindicated forecast. I believed I had become a complete security and risk professional. That belief was the strongest, and it was the one most worth interrogating.
Act Three. I learned the method matters more than the man.
Here is what that matter taught me on reflection, and it was not flattering.
The call was right. But the canon I had used to make it, the practitioner and popular risk literature of its day, was not the reason it was right. I had reached a sound judgement on instruments that could not fully explain or defend themselves. If a sharper opponent had pressed not on my conclusion but on my method, I would have felt the floor move.
So I went back to school in earnest, mid-career, with nothing left to prove on paper and everything left to prove to myself. I completed an MSc in Security and Risk Management at a UK Russell Group university, then began doctoral research, now a fully funded PhD in transnational security, risk, safety and resilience. My doctrine moved from tradecraft and assurance ritual toward risk science, the Society for Risk Analysis body of knowledge, and Aven's strength-of-knowledge treatment, where you do not just state a finding, you state how strong the knowledge behind it is.
That is the turn. Experience tells you what you saw. Commercial mastery tells you what works often enough to bill for. Science tells you why a finding holds, where it breaks, and how to say so out loud before someone else finds the seam. The three do not replace each other. They stack. Most of the field stops at the first or second. The work I do now refuses to.
That is also why I keep returning to a problem most of the field steps over: the words themselves. "Safe", "secure", "risk" and "resilient" do not mean the same thing to different disciplines, different legislation or the different people who attest to them, and that gap is where assurance quietly fails. More on that here →
Why this matters to you
You may be anywhere on that same road. You might be the experienced operator who trusts the gut. You might be the seasoned practitioner who trusts the standard and the certification. You might already sense, as I did, that neither is quite enough when the stakes are real and the finding has to survive a regulator, a coroner, a court or your own board.
Wherever you are, I have stood there, believed it was the summit, and found out it was a ledge. That is the common ground. I am not here to tell you that you are doing it wrong. I am here because I made every one of those climbs, kept the parts that held, and can tell the difference under pressure.
If that is the kind of work you need, start a scoping conversation. No intake forms. No sales team. Outline your situation and we will establish scope and fit. If it is not the right match, that is said clearly.