Kevin Campbell | November 9, 2020
It would be an understatement to say that today’s CIO is familiar with risk! I am confident that if IT risk was low on the priority list at the beginning of 2020, it is now firmly positioned at the top, or very close to the top, of the list today. Pandemics certainly have a way of re-prioritizing things for you!
But IT risk is not new. Caren Shiozaki, a fellow Fellow and superb CIO and leader, presented a series of articles last month on cyber-security, probably the most poignant topic today that illustrates risk in our digital world. Cyber-security aside, IT risk has always surrounded us, and still surrounds us, in practically everything we do as IT professionals, and that IT risk translates very clearly into business risk. …and business risk is the language each CIO must master as we speak to our company’s executive management team and/or Board of Directors.
Experienced CIOs know – as evidenced by the many skinned knees and scars that we carry – that it would be unwise to walk into a Board meeting and open a presentation on IT risk by stating, “An exposure exists with our firewalls going EOL in 3 months. We would be unable to geo-fence any URL originating from a domain not already white-listed within our ASA configuration tables.” Accurate statement? Sure. Understandable by the average Board member? Not a chance. …and at the end of the day the CIO exits the meeting and wonders why the IT Department did not get the funds it was requesting for such an obvious risk exposure.
So, once again, the lesson is learned: the language of IT does not translate into the language of the Board, or even of the business. To have meaningful discussions, every CIO must be able to translate the IT topic du jour into the language of business and, in doing so, discuss the particulars of the topic in that vernacular. This is especially true when discussing the very nebulous topic of RISK.
One key to presenting any type of risk to your business colleagues is to use a common vocabulary and a common yardstick to measure one risk against another. This is obviously common sense, but how many times is it overlooked? One of my favorite sayings is, “Never overlook the obvious.” However, when organizations address risk, there always seems to be a disconnect in how risk is identified, interpreted, measured, and ranked by each line of business, each department, and each discipline. I propose that these disconnects stem directly from failing to establish that common understanding of terms and failing to establish a common, measurable scale (the “yardstick”) on which all risks can be compared, so that whatever is most impactful to the business can easily be prioritized. Simple enough, but I predict that a disproportionately large amount of time will be spent among all the participants initiating any risk management effort just to establish that common vocabulary and yardstick.
If your thought right now is that your company already does this and produces the annual Risk Register Traffic-Light Report, then please reconsider. No Board member or CEO wishes to be presented with an 18-page report containing 112 risks where the first 28 have a small, red traffic-light image next to them. They are all critical and they all must be done. Why? Well, we don’t know, but they do have a small image of a red traffic light next to them!
Put yourself in the shoes of that CEO. What they need to know is the quantifiable impact of that risk to the business if no action is taken. What will be the level of pain to the company? How do IT risks compare to all other discipline risks? Which do we address first?
Key questions, all. Next week I will provide some thoughts on risk quantification. Stay tuned.
…and one more request: No more traffic light reports, please!