12 Tips for Communicating Risk to Your Board

Karen A. Frenkel

In a world of proliferating digital threats, every CIO must be skilled in communicating the value of IT security to the business and the board.

Know Your IT Landscape

Before you report to your board on IT operations and risk, make sure you understand the entire IT landscape in use throughout the business and the risks each part of it could pose to the organization.

Align IT to Corporate Objectives

You know what technology exists, but you must also be able to explain why it exists, which business units it supports and what its ROI is. Aligning IT and business strategies fosters information sharing and risk management across the organization, creating a culture of collaboration.

Communicate the Business Impact of IT Risk

Businesses may understand the risks to their operations and processes, but not in terms of information security, governance and compliance. By linking IT risks to business objectives, processes and goals, the board can associate a dollar amount with each risk and better understand its impact on the bottom line and on organizational growth.

Recognize Where Value Is Created

When you understand where value is created in business processes, you can prioritize those processes, their risks and the information technologies that support them. You can also see how IT risks relate to business value.

Know Your Organization's Risk Appetite

Risk is not always bad, but assuming too much risk can be debilitating for IT departments and the business overall. Know how much risk the business can tolerate and keep IT risk thresholds within those tolerances.

More on Mitigating Risks

Understand how IT efforts mitigate the risks the board is most concerned about, and how much residual risk remains after IT has done its work. Make sure your staff is well aware of the organization's risk appetite, so that everyone from the trenches to the C-suite is on the same page when risk levels must be adjusted.

Speak the Board's Language

Avoid jargon and communicate in terms that map to corporate objectives and business value. Answer questions in terms the board understands.

Dollars and Cents

Speaking in dollars and cents goes a long way toward bridging the gap between IT and the board of directors.

Keep Messages Succinct

Report only on the most pressing items. The board regards C-level executives as its eyes and ears for managing risk. Make sure you get the main points across concisely and effectively for maximum impact.

Practice Before Presenting

Your delivery will make or break the board's decision to buy into your risk assessment, so practice before you go in front of it. Thoughtful preparation will help you judge the necessary level of detail, avoid misinterpretation and provide the insight the board seeks.

Be Prepared to Back Up Your Analysis

Be prepared to dive into the details one level at a time, and have the metrics to substantiate your report. At some point the details will be more than the board wants to know, and its reaction may be: "We never thought of that." "We worry about something else that's not on your list." "Your list has items we don't care about."

Listen to Feedback

Listen to the board's feedback and know how to use it. Make sure you understand all of the feedback, and if you don't, know how to ask for clarification.