Terminology · Jurisdiction · Competence
Whose definition is your assurance built on?
"Safe", "secure", "risk" and "resilient" feel like settled words. They are not. They mean different things across disciplines, across legislation and across the people who sign them off. That gap is where assurance quietly fails.
Most organisations assume three things hold still: the words in their risk vocabulary, the law their obligations rest on, and the competence of the people attesting to both. None of the three does. The exposure does not live inside any one regime. It lives in the gap between what a word was taken to mean and what it actually means to the discipline, the jurisdiction or the court that ends up testing it.
1. When the words don’t agree
"Risk", "safe" and "secure" are treated as fixed technical constants. They are not. In a single professional glossary the word "risk" can carry three different base definitions and "security" four, because competing standards such as ISO and NIST define the same term incompatibly. Different disciplines do not just describe risk differently, they calculate it with mathematically incompatible functions, so a control that is "safe" in engineering can be unacceptable in a toxicological or legal frame. And the meaning moves over time: there have been at least seventeen authoritative definitions of risk since 1901, so a ten-year-old corporate taxonomy has often aged out of alignment with the law.
The consequence is blunt. After an incident, a court does not adopt your internal glossary. It constructs meaning as a question of fact and measures your conduct against an external standard of what was reasonably practicable. A green dashboard that satisfied a narrow internal definition of "secure" is no defence if a court finds you ought to have known about a vector your definition excluded.
Against whose definition is your assurance given, and would it hold against the definition that matters legally?
2. When the law doesn’t travel
"Duty of care" is the boardroom shorthand for protective responsibility across much of the English-speaking world. It is also a parochial common-law term that carries no standing in civil-law, mixed or Sharia-influenced jurisdictions. France, Japan, Germany and many others reach a protective result through entirely different machinery and vocabulary. A record that satisfies "reasonable care" in one country’s court can be legally invisible in another, where the standard is set by prescriptive code. Treating one legal family’s vocabulary as the universal name for the obligation is a strategic blind spot dressed up as governance, and for any organisation that crosses borders it is where exposure actually sits. The durable answer is to govern by function, a jurisdiction-neutral protective obligation resting on the two tests almost every system shares, foreseeability and a reasonably-practicable response, rather than by one family’s dialect.
The same fragmentation appears wherever an organisation answers to more than one regime at once, in any jurisdiction. Multiple frameworks apply in parallel, each with its own definitions, registers and reporting cycles, and none of them is required to reconcile with the others. The same asset is counted several times against incompatible units of measure. The dangerous risk is not inside any one regime. It is in the seams between them, the territory no single body is required to own. Australia is a sharp worked example: a critical infrastructure entity can sit under four regimes at once and register the same asset three times against three units of measure that never agree. The pattern, not the place, is the point, and it recurs in every multiply-regulated environment.
The risk does not live inside any of the regimes. It lives at the seams between them, exactly where the organisation believes itself most assured.
3. When the signature outruns the competence
Boards are increasingly required to personally attest to all-hazards security and resilience programs for critical systems. The systems that appoint those boards rarely test for any security, safety or risk competence. The result is an inverted gradient: maximal authority over maximal criticality, held by people whose capability in the domain is unestablished. Workplace safety law in many jurisdictions already shows the better model, a personal duty on directors to acquire and keep current knowledge, where ignorance is no defence. Security and resilience regimes too often accept a signature instead.
This matters because the legal tests are knowledge-indexed. "Reasonably practicable" and "ought reasonably to have known" are measured, after a failure, against what a competent person should have known, and that standard does not shrink to fit a board’s ignorance. A governance credential is education about risk, not tested competence in it, in the way a national qualifications framework measures capability. An unregistered profession advising an untested board, assured by an uncredentialed firm, is not assurance. It is a paper exercise.
A safety or security system that merely satisfies its own internal definitions is a well-documented illusion waiting to be tested by reality.
Where I can help
These are not theoretical concerns. They are the three places I have spent a career working, and they are where I advise boards, executives and risk functions now.
Definitional defensibility
Auditing what your foundational terms actually mean, in your glossary, in the standards you cite, and in the law that would judge you, and finding where those three diverge. The deliverable is knowing, for every consequential use of "risk" or "secure", which definition is in play, where it came from and what it excludes.
So your assurance survives the definition that matters, not just the one you wrote.
Jurisdictional and protective-obligation mapping
Moving a global program off the "duty of care" label and onto a jurisdiction-neutral protective obligation, mapped by legal family rather than country by country, built on the shared spine of foreseeability and reasonably-practicable response, with evidence aligned to each local standard. Where obligations overlap, naming who owns the seams between them.
So your posture is defensible in every jurisdiction you operate in, not just the ones that speak your dialect.
Board and assurance competency review
Benchmarking the competence behind a signature against the authority it carries and the criticality it covers, using a national-qualifications lens rather than a membership credential. Testing whether boards, audit committees, risk functions and external assurers can actually interrogate what they attest to, before a regulator, coroner or court does it for them.
So the capability is in the room at the start, not retrofitted after the failure.
If any of this is uncomfortably familiar, that is the point. The work begins with a plain question about your own assurance, and an honest answer about whether it would hold.