Best Practices for Risk Assessment Reporting
Managing risk is one of the top responsibilities of any leadership team. But leaders can manage only the risks they know about. Effective leadership, it turns out, depends on risk reporting. Reporting risks to your company’s executive team and board of directors will help your organization make the right decisions about reducing risks.
This article focuses on the reporting of risk itself. That means finding the right information to share with your company’s leadership team and sharing it so it can be acted on effectively.
Reporting risks that matter to a company’s leadership
Risk means a lot of things to a lot of different people. If you talk to IT people about risks, you’ll hear about the risk of server outages or data breaches or software vulnerabilities that could lead to data breaches.
You might also hear about unauthorized devices, bring-your-own-device (BYOD) policies, and how difficult it is to monitor what employees are doing with the company’s data on their home networks now that they’re working remotely.
All those things, from server outages to remote employees, represent risks of one form or another. But if you’re in charge of reporting risk to your company’s executive team and the board, do you really want to give them a list of unpatched systems or an estimate of how many employees are using BYOD devices?
What risks does your company’s leadership team ultimately care about?
To answer that, let’s ask about risk itself. Fortunately, there’s a generally agreed-upon definition of risk, at least among IT professionals. ISO 31000, the International Standards Organization’s guidelines for risk management, defines risk as “the effect of uncertainty on objectives.”
“Uncertainty” seems straightforward enough. If something is certain, there’s no risk involved. If we know absolutely that our servers will never crash, there’s no risk of them crashing.
But what about “objectives?” Every employee, team, department, and business has objectives. When reporting risk to the executive team and the board, you need to ask yourself which objectives they care about. It’s not that they’re indifferent to the goals of individual teams and projects. Rather, it is the job of a company’s leadership to focus on the big picture.
Here are three objectives you can be sure your company’s leaders care about:
- Data confidentiality, integrity, and availability
- Business continuity
- Regulatory compliance
There may be other objectives, such as a certain percentage of revenue growth or a good reputation in the marketplace. But you can be sure that your company’s leadership cares about managing and protecting its important data, avoiding IT outages that bring business to a halt, and ensuring that the company never makes headlines about regulatory fines.
Each of these objectives will likely require detailed reporting to support the objective’s overall risk assessment. For example, the data the board cares about encompasses everything from customer data to employee data to financial records to intellectual capital such as product designs and patents. All those need to be managed and secured.
Different types of data may be facing different types of risks of varying severity. The board will need to know how much this objective is at risk overall, as well as what specific types of data might require new investments in security or personnel training.
Before you prepare a report about risk in your organization, make sure you understand your leadership team’s objectives. Some of those might be posted on your company’s website. Others might be listed in an internal, long-term strategic plan. One way or another, you need to know what those objectives are because you’re going to use them to frame your discussion of risk.
Your risk report should provide the leadership team with the information they need to make smart decisions about which actions to take to mitigate risks related to the company’s strategic objectives.
Identifying risks helps you think like an attacker
There’s an added benefit to framing your risk reports this way. When you’ve identified risks to your data and to the company’s business continuity, you’ve also identified the weak points that criminal syndicates and hostile nation-states might attack.
After all, when a cybercriminal tries to break into your company’s IT systems, what are they doing? Most likely they’re trying to get to your data to steal it or leak it, or trying to get to the systems that process your data and disrupt them, possibly through ransomware or some other form of attack.
Because you’re now measuring and reporting risk based on strategic objectives, you have a detailed, weighted report on the weakness and vulnerabilities related to your data and the systems that store, process, and present your data. You know what’s most likely to be targeted and how to go about protecting them, based on your detailed knowledge of vulnerabilities and probabilities.
All this supporting information makes the risk assessment you’re presenting to the board much more credible and useful. The board sees how data and business continuity are at risk, what controls are in place to mitigate those risks, and how those controls could be improved or broadened to reduce risks further in keeping with the company’s overall strategy.
Risk reporting is an ongoing practice
Risk reporting should be an ongoing practice. Risks are continually changing, whether they’re arising from new business initiatives or new types of cyber threats. Automating data collection and risk assessment helps provide your company’s leadership team with the vital information they need to make the right decisions to mitigate risk and advance the company’s objectives.
Not sure about your risk levels? Get your risk report here.