Risk Assessments are required by various compliance and regulatory mandates but they also help us prioritize our Security Initiatives. However, too often I see Risk Assessments completed using a check-the-box mentality and the assessment eventually turns into a laborious exercise to complete. To compound issues further, your Executives and Business Leaders aren't going to care about your assessment that much unless it directly and explicitly helps them to do their jobs better. Your Executives and Business Leaders want to know Compliance and Security risks are addressed, but once they know the risk has been mitigated they will focus their interests and time back to managing and growing the business.
The challenge is to get Executives and Business Leaders engaged in managing Security and Compliance risks year-round. In order to do this you need to appeal to them on topics that of interest--strategic business goals and objectives. When conducting a top-down risk assessment as part of your Risk Management Program and you've identified their business goals, one question to ask is:
"What are the barriers or obstacles preventing you from achieving your goals and objectives?"
Asking this question will give professional appeal to your Executives and Leaders because they often receive bonuses based on delivery of this business strategy. From here, this is where assessing Risk is an art form: https://www.youtube.com/watch?v=vqxzg79FPHo (start at 1m46s). As a risk management professional you'll have to guide the Executive or Business Leader to the level of answer you want; some will answer in a very high level response, others will give a lot of detail you'll have to wade through. There's a fine line here, if your answers are too high-level then your assessment of risk might be too subjective and if you get too much detail you might miss the big picture issues.
Once you've aggregated this risk information, merged common themes, started to identify risk "hot-spots" from your Leadership team. You now have the capability to cascade these top-level risks down to your Security and Compliance program or other business unit such as IT, Finance, HR. You can now begin to assess risk on a more micro-level this is where you can gather detailed risk calculations, figure out risk transferrance mechanisms (i.e. Insurance policies), and this is where assessing risk becomes a science: https://www.youtube.com/watch?v=vqxzg79FPHo.
For Security and Compliance professionals, once you've started to show and prove that your program can mitigate business risks and show that Security and Compliance programs can enable Business Growth and Strategy you'll have a much easier time advocating for budget and headcount, but you'll also be seen a trusted business advisor. Most importantly, you can prove that your department and staff is directly supporting business strategy.
The first year of delivering this philosophy in your Risk Management Program will be a challenge to get the time and attention from the Leadership team, but you need to persevere. Once your Executive and Leadership team sees the value they will be looking for this assessment every year because it helps them be better at their job.
