Re: How do you communicate risk to leadership?

Charlene · ‎01-31-2022

Curious how you are communicating risk to leadership. Is the conversation focused on vulnerabilities and remediation? Do you find leadership focused on global events? Does your organization have clearly defined goals and risk limits"

tmekelburg1 · ‎01-31-2022

If it's internal leadership, don't be afraid to ask what's important to them when discussing risk. Some people like digging into the details of a risk matrix or register and some don't.

For the BOD, keep it short and sweet with a PowerPoint slide for each bullet point:

What's the risk?
What's the likelihood/probability?
What's the cost if it occurs/manifests?
What's the cost to fix it?

If they have more questions, hopefully they do, then more detail can be given verbally rather than a death by power point.

Recommended reading for anyone who manages risk: Risk: A User's Guide: McChrystal, Stanley, Butrico, Anna: 9780593192207: Amazon.com: Books

Steve-Wilme · ‎02-01-2022

Also have a look at the FAIR methodology https://www.fairinstitute.org/fair-book

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS

CraginS · ‎02-01-2022

Consider adding a step to your thought process: Identify the type of risk to WHO or WHAT?

Financial risk, civil liability risk, criminal liability risk, or reputational risk?

Risk to the enterprise (company) or personal risk to the executive leader?

Risk to the individual leader's career?

Risk to the leader's income?

Civil liability risk to the enterprise or to the leader?

Criminal risk to the enterprise or to the leader?

Consider that decisions even at the top levels are more likely made based on "what does this to ME" as opposed to "what does this do to the company?"

Cynical? Yeah a bit.

Realistic? Yeah. a lot.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

Charlene · ‎02-01-2022

Thanks for the feedback.

I enjoyed the book. I really liked the opening sequence.

I also recently published Amazon.com: Ensure Your Business Success With Risk Informed Decisions: How to easily quantify risk e...

What tools /methods do you use?

Charlene · ‎02-01-2022

Right - thanks. Yeah, I certified on FAIR.
Have you implemented that in your organization?

Charlene · ‎02-01-2022

I like how you suggested operational, financial and strategic impacts. That's also called out in the NIST guidance. Do you apply NIST guidance in your organization?

Steve-Wilme · ‎02-02-2022

It might sound cynical, but only when the UK law was changed to make Directors personally accountable for non compliance with legislation on cookie consent, did action get taken to implement the inform and consent model in most organisations. Back when it became part of the Privacy and Electronic Communication Regulations in 2010 not a great deal was done, except in the public sector, as the organisation running a site was liable as the legal entity. So making it personal works.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS

Steve-Wilme · ‎02-09-2022

One of the interesting comments I heard at a conference was that turning up to present on risk with masses of information and giving a very technical explanation is definitely not the way to go. Directors will not want to be made to feel stupid for not following an overly complex the explanation and the more complex you make it the more they're likely to see it as a technology problem rather than a business risk.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS

Charlene · ‎02-09-2022

Steve - you're right. Making it personal is very effective! LOL