Risk · Resilience · Research · Nordic Noir

Hannimari
Savola

Risk strategist. Published researcher. Nordic noir author. Based in Frankfurt.

I specialize in risk and resilience strategy, geopolitical risk, organizational advisory, and ICT risk methodology for complex international environments. More than a decade of building frameworks, leading teams through disruption, and translating weak signals into decisions before they become crises.

Everything else on this page explains why.

Professional Profile

Risk, resilience, strategy, advisory.

My entry point was credit risk at American Express, where I first understood that risk is not about avoiding loss. It is about knowing which signals actually matter and which ones are just noise wearing a formal shirt.

Over more than a decade I have worked across enterprise risk, operational resilience, ICT risk strategy, business continuity, crisis management, and governance, including DAX-listed environments and international financial institutions. I move between strategic design and operational execution, and I have repeatedly built capabilities from zero where organizations said they urgently needed them but had not yet started. This is less heroic than it sounds. Mostly it involves a lot of blank documents and the quiet realization that nobody has written anything down yet.

My work is second-line by structure and advisory by nature. I develop methodology, translate complex risk signals for senior decision-makers, and build frameworks that are meant to be used rather than filed. I think in systems. I stay until the thing works.

My geopolitical layer is not theoretical. It comes from living across multiple countries, formal study of Russian trade in St. Petersburg, and growing up Finnish, which means growing up in a country with a structural relationship with resilience that most nations only discover when something goes wrong.

  • ICT Risk Strategy and Methodology
    Framework design and second-line advisory in regulated financial environments. Proprietary signal-based methodology published and in active development.
  • Operational Resilience and BCM
    Built BCM and ITSCM programmes from zero. SOC2 delivery under pressure. Crisis management across complex international structures.
  • Geopolitical and Organizational Risk
    Russian trade and language specialism. Finnish comprehensive security background. International career spanning Europe, the Americas, and Asia.
  • Governance and Regulatory
    ISO 31000, ISO 22301, ISO/IEC 27001, NIST CSF, DORA. Frameworks as tools, not trophies.
  • Senior Advisory and Leadership
    Strategy input to CRO and CISO level. Team leadership through organizational change. Comfortable with the version of events nobody wants to plan for.
Risk Strategy
Enterprise and ICT risk. Second-line methodology. Signal-based frameworks that give senior leadership something to act on, not just something to approve.
Resilience and Continuity
Operational resilience, BCM, ITSCM, crisis management. The capability that only reveals its value when the plan breaks down. Worth building properly in advance.
Geopolitics and Advisory
Organizational risk through a geopolitical lens. What happens at the border eventually arrives at the boardroom. Understanding the connection early is the whole advantage.
Research and Methodology

Ideas with evidence attached.

I don't separate professional practice from intellectual contribution. The research I publish is the same thinking I bring to the work, just with citations and a methodology section. In 2019 I was already writing seriously about AI before it became everyone's declared emergency. Simply curious about where the signals were pointing. Turns out they were pointing somewhere quite specific.

2019
Recruiters Just Wanna Have AI?
Research on the implications of AI in HR recruitment: algorithmic decision-making, organizational trust, and the risks nobody was formally measuring yet. Before the hype. Before the headlines. Just two researchers who thought the question was worth taking seriously.
Linköping University · 2019
2026
PRISM-C: Propagation Risk Intelligence and Signal Mapping
A signal-based methodology for translating weak organizational indicators into measurable, actionable risk intelligence, before those signals become crises. Built from first principles because the existing frameworks were not asking the right questions. Published on Zenodo. Also available at prismsignalsystem.com, where the methodology lives in a form you can actually use.
Zenodo · 2026
Ongoing
Active Research Portfolio
Current work spans AI intelligence continuity management, human resilience screening, strategic risk telemetry for executive decision-making, and a synthesis paper on organizational models for the AI era. Independent research. What happens when you cannot stop asking the next question and have the discipline to write it down properly.
Independent Research
How I Think

Some views, stated plainly.

Risk exists to enable innovation, not to prevent it.
Most organizations treat risk management as a defensive exercise. This misses the point entirely. Good risk work makes a company secure enough to take the bets that matter. It is the infrastructure of innovation. The fact that this remains a minority view explains quite a lot about the state of most organizations. I find this professionally frustrating and personally very motivating. There is a lot of work still to do.
Every major failure leaves signals. We choose not to read them.
Crises are rarely surprises. They are patterns that were visible, reported, or intuited, and then ignored, misclassified, or buried under more comfortable information. The skill is not crisis response. The skill is signal literacy. Everything else is expensive damage control with a lessons-learned slide deck attached.
Resilience is not optimism. It is preparation.
Resilient organizations are not cheerful about disruption. They are honest about it. They have thought through the version of events nobody wants to plan for and built the muscle memory in advance. Finland has a word for this: kokonaisturvallisuus, comprehensive security. Less marketable than "agile." Considerably more useful.
When people do well, the organization does well. This is not complicated.
Organizations that discard human capacity through poor decisions or rigid structures are making a risk management error. The strongest indicator of organizational resilience is whether the people inside it are supported to be genuinely good at what they do. Everything else follows. This is not idealism. It is systems thinking applied to the part that organizations prefer not to measure.
Background

Why I think this way.

I grew up in Lahti, Finland, in the 1990s. Finland has maintained a doctrine of comprehensive security (kokonaisturvallisuus) since the post-WWII era: the idea that preparedness is a shared responsibility of government, businesses, organisations, and citizens. It is not a policy most Finns read consciously. It is background noise. You absorb it. You grow up understanding that preparedness is not paranoia. It is the responsible default.

This is also a country that produced Nokia, leads in quantum computing research, and built one of the world's best education systems from a position of geographic and economic disadvantage. Fixing problems that were not supposed to be your problem is a cultural reflex in Finland, not a professional specialisation. I grew up diagnosing and repairing my own computers because that was the only way to have a working one, and driving whatever was available, which in Lahti meant mopeds and tractors before it meant anything else. You learn to work with what exists rather than wait for something better to arrive. None of this felt like a skill at the time. Later I understood it was exactly that, and also a reasonable preview of a career in which "we have never done this before" functions less as a warning and more as a starting point.

Russia was never abstract to me. As a child I visited through charity work, helping at orphanages through an association. In 2011 I studied Russian trade and language formally, completing my Russian specialisation at Inzegon in St. Petersburg. I have loved Russian culture throughout my life. I have also watched, from close range, what happens when geopolitical risk is treated as someone else's problem until it is not. That proximity shapes how I read organizational risk signals today.

I also lived in Stockholm for roughly a decade. Watching Finnish structured preparedness, Swedish consensus culture, and Russia's entirely different relationship with institutional trust from the inside gave me a comparative lens that no single-country career provides.

Life then took me further: Argentina, the US, Spain, Australia, eventually Germany. Each country added a layer. Different systems, different failure modes, different relationships between institutions and the people inside them. The pattern underneath was usually the same.

Finnish Upbringing
Comprehensive security as background noise. A country built on preparedness, engineering, and the productive refusal to accept that problems cannot be solved.
Russia, Up Close
Childhood charity visits. Formal study in St. Petersburg, 2011. Russian trade and language specialisation. Culture loved. Geopolitics observed at close range.
Nordic Comparative Lens
Finland, Sweden, and Russia as three distinct models of institutional trust and national resilience. Studied from the inside, not from a textbook.
International Career
Finland, Sweden, Argentina, USA, Spain, Russia, Australia, Germany. International business, Latin American markets, Russian trade. Life can take you anywhere. It did.
Always Learning
Six languages and counting. Licences, certifications, and qualifications across domains. The question is always: what if this turns out to matter?
Engineering Culture
Nokia, quantum computing, world-class education built from disadvantage. Problem-solving as a cultural reflex, not a professional choice.
"Be water, my friend."
Bruce Lee
The water metaphor belongs to Bruce Lee, and before him to the Taoist tradition. But sisu is the Finnish version: quieter, less poetic, and equally stubborn. It means you do not announce that something is impossible. You find out what it takes. You do it. You do not make a performance of the difficulty.

I have moved countries multiple times, learned languages under pressure, built capabilities from scratch that organizations said they urgently needed but had never actually started, and led situations I was handed without a briefing. Sisu is not a personality trait. It is a decision, made repeatedly, often quietly, usually when no one is watching.
Outside the Office

Everything else I have done.

Seventeen years of conservatory flute. Summers packing beverages at Hartwall. Bar work, waitressing, coat checks at clubs. A hunting licence at sixteen, not because I intended to hunt, but because knowledge has unpredictable value and the question "what if I need this someday" has never once led me wrong. I have never gone hunting. I remain prepared to.

Along the same lines: I also hold a truck licence and a motorcycle licence. The reasoning is straightforward. If a situation ever requires me to drive anything at short notice and at speed, I will not be the person standing in the car park having a skills gap. Think of it as a personal continuity plan. Jason Bourne would understand.

I did Muay Thai for four years. I scuba dive. I sail, with both inland and sea licences. I paint. I dance. I bungee jump on occasion, which is a sentence I cannot believe I need to include on a professional website, and yet here we are. In 2018 I ran the Padasjoki nakukymppi, a ten-kilometre race run without clothes, which is exactly what it sounds like. A reporter happened to be there and asked if he could write a story about it. I said yes. It appeared in Iltalehti. I remain entirely unbothered by this, which probably tells you something useful about my approach to reputational risk.

I should also mention yoga. I genuinely disliked it. Sweaty hands, uncertain purpose. But enough people said it was worth learning that I decided to investigate properly. I booked a teacher training course from India without fully reading the details, and arrived to discover I had signed up for Ashtanga training, which is the most physically demanding yoga style in existence. I completed it. I am now a qualified Ashtanga yoga teacher. If you are going to learn something, you might as well learn it correctly. This is a principle I apply consistently, sometimes against my own better judgment.

I spent two months living with Buddhist monks in Thailand. I learned a great deal about meditation. I did not agree with much else they said, and I am now a qualified meditation trainer, which I consider a fair outcome. You can take the methodology and leave the dogma. This principle applies to more things than just meditation.

I am always learning the next language. Currently six. The list is not finished. I am also a board member of the Finnisch-Deutsch Handelsgilde in Frankfurt, the Finnish-German trade guild, which is what happens when you move to Germany and immediately find the Finns.

Music
Conservatory flute, 17 years. The most disciplined thing I have ever done.
Muay Thai
4 years. Good for the mind. Also the posture.
Sailing
Inland and sea licences. The weather does not negotiate.
Meditation
Qualified trainer. Learned from monks. Kept the practice, left the rest.
Ashtanga Yoga
Qualified teacher. Booked the wrong course. Completed it anyway.
Driving
Car, truck, motorcycle. A personal continuity plan. Jason Bourne would approve.
Sport
Muay Thai, scuba diving, bungee jumping. Not simultaneously.
Painting
Same eye for pattern and contrast. Different medium.
Languages
Six and counting. Always learning the next one.
Travel
Many countries lived in. The curiosity shows no signs of stopping.
Writing

The fiction I write when the frameworks are not enough.

Nordic noir exists because some truths are easier to approach sideways. I write stories at the intersection of institutional corruption, human resilience, and the systems people build to protect each other when the official ones will not.

Spending years studying how organizations fail gives you very good material for crime fiction. Everything I have observed about what happens when bad decisions at the top quietly become everyone else's operational problem finds its way in eventually. My protagonist would diagnose a crime scene the way I diagnose a risk register: systematically, with mounting exasperation at the data management.

The writing is in Finnish. The themes are universal. Corruption does not require translation.

AKKATEMIA
A trilogy. Eeva is young, technically gifted, and trying to survive something the system has already decided not to prosecute. What she finds buried in files she was never meant to see is a corruption network reaching further than expected, and a judge named Anja who decides, quietly, that law and justice are occasionally different things. Book two moves to Tallinn. The network does not stay tidy when someone starts pulling the thread.
Trilogy · In progress
Financial Crime / Cross-Border
Next project. The systems that move money across borders are also the systems that move everything else. More when the time is right.
In development
Contact

Let's talk.

I am genuinely interested in hearing from people working on hard problems in risk, resilience, geopolitics, or research. If something on this page made you think "I want to talk to this person," that instinct is probably correct. Reach out. I read everything and reply to the interesting ones, which, based on the people who tend to find pages like this, is most of them.