Managing risk is one of the top responsibilities of any leadership team. However, leaders can manage only the risks they know about. Effective leadership, it turns out, depends on risk reporting.
This article focuses on the reporting of risk itself. That means finding the right information to share with your company’s leadership team and sharing it so it can be acted on effectively.
Reporting risks that matter to a company’s leadership
Risk means a lot of things to a lot of different people. If you talk to IT people about risks, you’ll probably hear about the risk of server outages or data breaches or software vulnerabilities that could lead to data breaches.
You might also hear about unauthorized devices, bring-your-own-device (BYOD) policies, and how difficult it is to monitor what employees are doing with the company’s data on their home networks now that they’re working remotely.
All those things — from server outages to remote employees — represent risks of one kind or another. But if you’re in charge of reporting risk to your company’s executive team and the board, do you really want to give them a list of unpatched systems or an estimate of how many employees are using BYOD devices?
What risks does your company’s leadership team ultimately care about?
To answer that question, let’s ask about risk itself. Fortunately, there’s a generally agreed-upon definition of risk, at least among IT professionals. ISO 31000, the International Standards Organization’s guidelines for risk management, defines risk as “the effect of uncertainty on objectives.”
“Uncertainty” seems straightforward enough. If something is certain, there’s no risk involved. If we know absolutely that our servers will never crash, there’s no risk of them crashing.
But what about “objectives?” Every employee, team, department, and business has objectives. When reporting risk to the executive team and the board, you need to ask yourself which objectives they care about. It’s not that they’re indifferent to the goals of individual teams and projects, but the job of a company’s leadership is to focus on the big picture.
Here are three objectives you can be sure your company’s leaders care about:
- Data confidentiality, integrity and availability
- Business continuity
- Regulatory compliance
There may be other objectives, such as a certain percentage of revenue growth or a good reputation in the marketplace. However, you can be sure that your company’s leadership cares about managing and protecting its important data, avoiding IT outages that bring business to a halt, and ensuring that the company never makes headlines about regulatory fines.
Each of these objectives will likely require detailed reporting to support the objective’s overall risk assessment. For example, the data the board cares about encompasses things like: customer and employee data, financial records, and intellectual capital such as product designs and patents. All of those types of data need to be managed and secured.
Different types of data may be facing different types of risks of varying severity. The board will need to know the amount of overall risk is posed to a particular objective, as well as the specific types of data that might require new investments in security or personnel training.
Before you prepare a report about risk in your organization, make sure you understand your leadership team’s objectives. Some of those objectives might be posted on your company’s website. Others might be listed in an internal, long-term strategic plan. One way or another, you need to know the objectives because you’re going to use them to frame your discussion of risk.
Your risk report should provide the leadership team with the information they need to make smart decisions about which actions to take to mitigate risks related to the company’s strategic objectives.
Identifying risks helps you think like an attacker
There’s an added benefit to framing your risk reports this way. When you’ve identified risks to your data and to the company’s business continuity, you’ve also identified the weak points that criminal syndicates and hostile nation-states might attack.
After all, when a cybercriminal tries to break into your company’s IT systems, what are they doing? Most likely, they’re either trying to get to your data to steal it or leak it, or they’re trying to get to the systems that process your data and disrupt them, possibly through ransomware or some other form of attack.
Because you’re now measuring and reporting risk based on strategic objectives, you have a detailed, weighted report on the weakness and vulnerabilities related to your data and the systems that store, process and present your data. You will know what’s most likely to be targeted and how to go about protecting them, based on your detailed knowledge of vulnerabilities, probabilities and so on.
All this supporting information makes the risk assessment you’re presenting to the board much more credible and useful. The board sees how data and business continuity are at risk, which controls are in place to mitigate those risks, and how those controls could be improved or broadened to further reduce risks in keeping with the company’s overall strategy.
Risk reporting is an ongoing practice
Risks are continually changing, whether they’re arising from new business initiatives or new types of cyber threats. Automating data collection and risk assessment helps provide your company’s leadership team with the vital information they need to make the right decisions to mitigate risk and advance the company’s objectives.
Learn more about risk assessment and reporting best practices.