topic Re: How do you communicate risk to leadership? in Governance, Risk, Compliance

How do you communicate risk to leadership?

Charlene — Mon, 31 Jan 2022 14:28:27 GMT

Curious how you are communicating risk to leadership. Is the conversation focused on vulnerabilities and remediation? Do you find leadership focused on global events? Does your organization have clearly defined goals and risk limits"

Re: How do you communicate risk to leadership?

tmekelburg1 — Mon, 31 Jan 2022 15:46:12 GMT

If it's internal leadership, don't be afraid to ask what's important to them when discussing risk. Some people like digging into the details of a risk matrix or register and some don't.

For the BOD, keep it short and sweet with a PowerPoint slide for each bullet point:

What's the risk?
What's the likelihood/probability?
What's the cost if it occurs/manifests?
What's the cost to fix it?

If they have more questions, hopefully they do, then more detail can be given verbally rather than a death by power point.

Recommended reading for anyone who manages risk: Risk: A User's Guide: McChrystal, Stanley, Butrico, Anna: 9780593192207: Amazon.com: Books

Re: How do you communicate risk to leadership?

Steve-Wilme — Tue, 01 Feb 2022 08:49:31 GMT

Also have a look at the FAIR methodology https://www.fairinstitute.org/fair-book

Re: How do you communicate risk to leadership?

CraginS — Tue, 01 Feb 2022 16:08:18 GMT

Consider adding a step to your thought process: Identify the type of risk to WHO or WHAT?

Financial risk, civil liability risk, criminal liability risk, or reputational risk?

Risk to the enterprise (company) or personal risk to the executive leader?

Risk to the individual leader's career?

Risk to the leader's income?

Civil liability risk to the enterprise or to the leader?

Criminal risk to the enterprise or to the leader?

Consider that decisions even at the top levels are more likely made based on "what does this to ME" as opposed to "what does this do to the company?"

Cynical? Yeah a bit.

Realistic? Yeah. a lot.

Re: How do you communicate risk to leadership?

Charlene — Tue, 01 Feb 2022 17:52:34 GMT

Thanks for the feedback.

I enjoyed the book. I really liked the opening sequence.

I also recently published Amazon.com: Ensure Your Business Success With Risk Informed Decisions: How to easily quantify risk eBook : Deaver-Vazquez CISA CISSP, Charlene, Austin Ed.D, Sara: Kindle Store

What tools /methods do you use?

Re: How do you communicate risk to leadership?

Charlene — Tue, 01 Feb 2022 17:53:39 GMT

Right - thanks. Yeah, I certified on FAIR.
Have you implemented that in your organization?

Re: How do you communicate risk to leadership?

Charlene — Tue, 01 Feb 2022 17:54:38 GMT

I like how you suggested operational, financial and strategic impacts. That's also called out in the NIST guidance. Do you apply NIST guidance in your organization?

Re: How do you communicate risk to leadership?

Steve-Wilme — Wed, 02 Feb 2022 08:42:30 GMT

It might sound cynical, but only when the UK law was changed to make Directors personally accountable for non compliance with legislation on cookie consent, did action get taken to implement the inform and consent model in most organisations. Back when it became part of the Privacy and Electronic Communication Regulations in 2010 not a great deal was done, except in the public sector, as the organisation running a site was liable as the legal entity. So making it personal works.

Re: How do you communicate risk to leadership?

Steve-Wilme — Wed, 09 Feb 2022 09:23:47 GMT

One of the interesting comments I heard at a conference was that turning up to present on risk with masses of information and giving a very technical explanation is definitely not the way to go. Directors will not want to be made to feel stupid for not following an overly complex the explanation and the more complex you make it the more they're likely to see it as a technology problem rather than a business risk.

Re: How do you communicate risk to leadership?

Charlene — Wed, 09 Feb 2022 14:21:51 GMT

Steve - you're right. Making it personal is very effective! LOL

Re: How do you communicate risk to leadership?

Charlene — Wed, 09 Feb 2022 14:24:31 GMT

Steve - I agree. The higher up the chain of command we go the simpler and more clear the message needs to be. And, everything needs to be discussed in terms of risk to the business in business terms, specific to the business goals. Otherwise, as you say, they will see it as a "cyber" problem not a 'business' problem.