Charlene
Newcomer I

How do you communicate risk to leadership?

Curious how you are communicating risk to leadership. Is the conversation focused on vulnerabilities and remediation? Do you find leadership focused on global events? Does your organization have clearly defined goals and risk limits?

10 Replies
tmekelburg1
Community Champion

If it's internal leadership, don't be afraid to ask what's important to them when discussing risk. Some people like digging into the details of a risk matrix or register and some don't.

For the BOD, keep it short and sweet with a PowerPoint slide for each bullet point:

  • What's the risk?
  • What's the likelihood/probability?
  • What's the cost if it occurs/manifests?
  • What's the cost to fix it? 

If they have more questions (hopefully they do), then more detail can be given verbally rather than death by PowerPoint.

Recommended reading for anyone who manages risk: Risk: A User's Guide: McChrystal, Stanley, Butrico, Anna: 9780593192207: Amazon.com: Books



Steve-Wilme
Advocate II

Also have a look at the FAIR methodology https://www.fairinstitute.org/fair-book

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CraginS
Defender I

Consider adding a step to your thought process: Identify the type of risk to WHO or WHAT?

Financial risk, civil liability risk, criminal liability risk, or reputational risk?

Risk to the enterprise (company) or personal risk to the executive leader?

Risk to the individual leader's career?

Risk to the leader's income?

Civil liability risk to the enterprise or to the leader?

Criminal risk to the enterprise or to the leader?

Consider that decisions, even at the top levels, are more likely made based on "what does this do to ME" as opposed to "what does this do to the company?"

Cynical? Yeah a bit.

Realistic? Yeah, a lot.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Charlene
Newcomer I

Thanks for the feedback.

I enjoyed the book. I really liked the opening sequence.

I also recently published Amazon.com: Ensure Your Business Success With Risk Informed Decisions: How to easily quantify risk e...

What tools /methods do you use?

Charlene
Newcomer I

Right - thanks. Yeah, I certified on FAIR.
Have you implemented that in your organization?
Charlene
Newcomer I

I like how you suggested operational, financial and strategic impacts. That's also called out in the NIST guidance. Do you apply NIST guidance in your organization?
Steve-Wilme
Advocate II

It might sound cynical, but only when the UK law was changed to make Directors personally accountable for non-compliance with legislation on cookie consent did action get taken to implement the inform-and-consent model in most organisations. Back when it became part of the Privacy and Electronic Communications Regulations in 2010, not a great deal was done, except in the public sector, as the organisation running a site was liable as the legal entity. So making it personal works.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Steve-Wilme
Advocate II

One of the interesting comments I heard at a conference was that turning up to present on risk with masses of information and giving a very technical explanation is definitely not the way to go. Directors will not want to be made to feel stupid for not following an overly complex explanation, and the more complex you make it, the more they're likely to see it as a technology problem rather than a business risk.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Charlene
Newcomer I

Steve - you're right. Making it personal is very effective! LOL