12 Tips for Communicating Risk to Your Board
In a world of proliferating digital threats, every CIO must be skilled in communicating the value of IT security to the business and the board.
1. Before you report to your board on IT operations and risk, make sure you understand the entire IT landscape in use throughout the business and the risks it could pose to the organization.
2. You know what technology exists, but you must also be able to explain why it exists, which business units it supports and what return it delivers. Aligning IT and business strategies fosters information sharing and risk management across the organization, creating a culture of collaboration.
3. Businesses may understand the risks to their operations and processes, but not in terms of information security, governance and compliance. When IT risks are linked to business objectives, processes and goals, the board can attach a dollar amount to those risks and better understand their impact on the bottom line and on organizational growth.
4. When you understand where value is created in business processes, you can prioritize those processes, their risks and the information technologies that support them. You can also see how IT risks relate to business value.
5. Risk is not always bad, but assuming too much risk can be debilitating for IT departments and for the business overall. Know how much risk the business can tolerate and keep IT risk thresholds within those tolerances.
6. Understand how IT efforts mitigate the risks the board is most concerned about, and how much residual risk remains after IT has done its work. Make sure your staff is well aware of the organization's risk appetite so that everyone from the trenches to the C-suite is on the same page when risk levels must be adjusted.
7. Avoid jargon and communicate in terms that correlate to corporate objectives and business value. Answer questions in terms the board understands.
8. Speaking in dollars and cents goes a long way toward bridging the gap between IT and the Board of Directors.
9. Report only on the most pressing items. The board regards C-level executives as its eyes and ears for managing risk. Make sure you get the main points across concisely and effectively for maximum impact.
10. Your delivery will make or break the board's decision to buy into your risk assessment. Practice before you go in front of the board. Thoughtful preparation will help you recognize the necessary level of detail, avoid misinterpretation and provide the insight the board seeks.
11. Be prepared to dive into the details one level at a time, and have the metrics to substantiate your report. At some point the details will be more than the board wants to know, and the reaction may be: "We never thought of that." "We worry about something else that's not on your list." "Your list has items we don't care about."
12. Listen to the board's feedback and know how to use it. Make sure you understand all of the feedback, and if you don't, know how to ask.