Curious how you are communicating risk to leadership. Is the conversation focused on vulnerabilities and remediation? Do you find leadership focused on global events? Does your organization have clearly defined goals and risk limits?
If it's internal leadership, don't be afraid to ask what's important to them when discussing risk. Some people like digging into the details of a risk matrix or register and some don't.
For the BOD, keep it short and sweet with a PowerPoint slide for each bullet point:
If they have more questions, and hopefully they do, then more detail can be given verbally rather than death by PowerPoint.
Recommended reading for anyone who manages risk: Risk: A User's Guide by Stanley McChrystal and Anna Butrico (ISBN 9780593192207)
Also have a look at the FAIR methodology https://www.fairinstitute.org/fair-book
Consider adding a step to your thought process: Identify the type of risk to WHO or WHAT?
Financial risk, civil liability risk, criminal liability risk, or reputational risk?
Risk to the enterprise (company) or personal risk to the executive leader?
Risk to the individual leader's career?
Risk to the leader's income?
Civil liability risk to the enterprise or to the leader?
Criminal risk to the enterprise or to the leader?
Consider that decisions even at the top levels are more likely made based on "what does this do to ME" as opposed to "what does this do to the company?"
Cynical? Yeah, a bit.
Realistic? Yeah, a lot.
Thanks for the feedback.
I enjoyed the book. I really liked the opening sequence.
I also recently published Ensure Your Business Success With Risk Informed Decisions: How to easily quantify risk e...
What tools/methods do you use?
It might sound cynical, but only when the UK law was changed to make Directors personally accountable for non-compliance with legislation on cookie consent did action get taken to implement the inform and consent model in most organisations. Back when it became part of the Privacy and Electronic Communication Regulations in 2010, not a great deal was done, except in the public sector, as the organisation running a site was liable as the legal entity. So making it personal works.
One of the interesting comments I heard at a conference was that turning up to present on risk with masses of information and giving a very technical explanation is definitely not the way to go. Directors will not want to be made to feel stupid for not following an overly complex explanation, and the more complex you make it, the more they're likely to see it as a technology problem rather than a business risk.