Integrated Risk Management Part 5: Aggregating risk data and reporting to Executive Management
By this point you should see your risk program coming together. Last week we talked about risk response and key risk indicators. Risk response from the owner is important because you, as the risk management professional, can rate the risk however you want, but without the business owner validating the risk and its rating you won't be able to present your report to management with credibility, and no one will be bought in to help you remediate the risk. Think of it as a system of checks and balances.
By this point you've also completed your business-unit or function-specific risk assessment, and you should have a fair amount of risk-related data to aggregate. In the process of aggregation, it's important to look across the business and see whether other business units or functions are facing similar risks. This can be as simple as talking to team members or owners in other business units about recently identified risks to uncover any commonalities. If you begin to find commonalities across business units, this could be your first indication that there are larger governance-related risks the business needs to address.
There was a good discussion last week from Tripwire (www.tripwire.com) about Risk Management and whether managing risk is an Art or a Science. You can find the post here: www.youtube.com/watch?v=vqxzg79FPHo
It's the opinion of NuHarbor that managing risk is both an Art and a Science. The science of Risk Management lies in the Risk Assessment. Risk Assessment can be very quantitative in nature, and even risks that are naturally qualitative can fit into a methodology that drives repeatable evaluation and measurement. The Art of Risk Management lies in bringing the risks together and communicating your risk program. Let's face it, your program means squat if you can't effectively communicate your ideas and objectives, and no executive is going to fund your program if you can't communicate the risk or the value added by mitigating it.
Which brings us to the purpose of today's post: at this point in your program you should be reporting your risk findings to Executive Management. You need to adjust the executive message and report on risk in a way they can understand. This is the art of risk management. If you do a good job, you add a lot of value to the executive management team by hand-delivering a list of the risks that prevent the company from effectively and efficiently achieving its business goals.
To be successful here you need to know what the business goals and strategy of the company are and, if possible, the hot points of the Executive Leadership team reading your report. Tailor your message to the executives to fit their needs in order to convince them to fund and support your program. Your message should include an enterprise-wide view, and clearly articulate why each risk is a barrier to achieving business initiatives in the context of the overall business strategy.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.