12 Tips for Communicating Risk to Your Board

By Karen A. Frenkel  |  Posted 07-25-2016

In a world of proliferating digital threats, every CIO must be skilled in communicating the value of IT security to the business and the board.

Know Your IT Landscape

Before you report to your board on IT operations and risk, make sure you understand the entire IT landscape in use throughout the business and the risks it could pose to the organization.

Align IT to Corporate Objectives

You know what technology exists, but you must also be able to explain why it exists, which business units it supports and what its ROI is. Aligning IT and business strategies fosters information sharing and risk management across the organization, creating a culture of collaboration.

Communicate the Business Impact of IT Risk

Businesses may understand the risks to their operations and processes, but not in terms of information security, governance and compliance. By linking IT risks to business objectives, processes and goals, the board can associate a dollar amount with these risks and better understand their impact on the bottom line and organizational growth.

Recognize Where Value Is Created

When you understand where value is created in business processes, you can prioritize those processes, their risks and the information technologies that support them. You can also understand how IT risks relate to business value.

Know Your Organization's Risk Appetite

Risk is not always bad, but assuming too much risk can be debilitating for IT departments and the business overall. Know how much risk the business can tolerate and keep IT risk thresholds within those tolerances.

More on Mitigating Risks

Understand how IT efforts mitigate the risks the board is most concerned about and how much residual risk remains after IT performs its duties. Make sure your staff is well aware of the organization's risk appetite so that everyone from the trenches to the C-suite is on the same page when risk levels must be adjusted.

Speak the Board's Language

Avoid jargon and communicate in terms that correlate to corporate objectives and business value. Answer questions in terms the board understands.

Dollars and Cents

Speaking in dollars and cents goes a long way toward bridging the gap between IT and the board of directors.

Keep Messages Succinct

Report on only the most pressing items. The board regards C-level executives as its eyes and ears for managing risk. Make sure you get the main points across in a concise and effective manner for maximum impact.

Practice Before Presenting

Your delivery will make or break the board's decision to buy into your risk assessment. Practice before you go in front of the board. Thoughtful preparation will help you recognize the necessary level of detail and help avoid misinterpretation, providing the insight the board seeks.

Be Prepared to Back Up Your Analysis

Be prepared to dive into the details one level at a time and have the metrics to substantiate your report. At some point, the details will be more than the board wants to know, and their reaction may be: "We never thought of that." "We worry about something else that's not on your list." "Your list has items we don't care about."

Listen to Feedback

Listen to the board's feedback and know how to use it. Make sure you understand all feedback, and if you don't, know how to ask.
 

Communicating risk posture and assessments to the highest levels of an organization is a demanding and increasingly pivotal responsibility in businesses that rely on IT. In a world of proliferating new threat vectors and information risks, every CIO must be skilled in communicating the value of IT security to the business. By presenting this connection to the board, information chiefs show the role that risk plays in the business and how managing information risk helps fulfill overall corporate objectives. It is important to recognize the different cultures of IT and company boards. "IT and the board speak in different terms," says Chris Caldwell, CEO of LockPath. "A board decision to mitigate a vulnerability might mean to patch it. It might mean to invest in an automatic patch management system. It might mean to replace the system or put safeguards up around it." Here are Caldwell's 12 tips on how CIOs can better communicate risks to the board. His company provides governance, risk management and compliance solutions that focus on how companies can work with the board to better understand the impact of IT risks on their bottom line and growth.

Karen A. Frenkel writes about technology and innovation and lives in New York City.