Kevin Campbell | November 16, 2020
In last week’s article I spoke of the importance of discussing IT risk in the same language as the Board and the business. I also put out a plea that we should stop using traffic-light reports when we talk about risk! My hope is that you agree with both…
This week let us discuss what follows once IT risk has been quantified. How would you respond to these questions about you and your organization:
- How do you quantify the impact of a risk?
- Are risks ranked so that the order tells the organization what to address first?
- Is the remediation plan for each risk actionable?
- Will your actions change behavior within the organization?
If your organization uses a common risk identification and quantification tool, you are already ahead of the curve. Common tools, whether developed internally or provided by a third party, are an essential part of any risk management program. They force all participants into a common set of terms with common definitions, and they force all participants to use and understand a common ranking scale. A common scale gives executive management and the Board clarity on the greatest threats that lie before them.
But the Board’s obvious next question is, “How do we address the risk and how much will it cost?”
Whatever line of business your organization is in, the pressure to quantify a risk financially, and then to quantify financially the cost of mitigating it, is increasing. The dollar is the ultimate and common yardstick by which business measures both risk and value. That is the bottom line. Of the two halves of risk quantification, putting a dollar figure on the risk itself is the harder one.
It is up to each CIO to translate the impact of any risk found in a technology, a system, a process, a component, etc. into a single financial number that represents the company’s exposure if the risk is left unaddressed. Given the many unknowns that surround any single risk, the task of justifying that number should never be taken lightly: record the likelihood, the loss range, and the assumptions behind it, because the assumptions will be forgotten long before the figure is. “If X happens the impact could be $Y.” It is the $Y number that CEOs and Board Members will always remember!
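One way to arrive at the $Y figure, rank the risks by it, and weigh a mitigation’s cost against the loss it avoids is shown below. This is an added example and not the author’s own method or tool: it assumes each risk is estimated as a (minimum, most likely, maximum) range for events per year and for loss per event, reports the expected annual loss as the headline number, and uses a small Monte Carlo simulation to produce the “bad year” figure a Board will also ask about. All risk names, frequencies, losses, and control costs are constructed for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: tuple   # (minimum, most likely, maximum) occurrences per year
    loss_per_event: tuple    # (minimum, most likely, maximum) dollars per occurrence


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    frequency_factor: float  # 0.5 means the control halves how often the event occurs
    impact_factor: float     # 0.5 means the control halves the loss when it does occur


def triangular_mean(estimate):
    """Mean of a triangular (min, most likely, max) estimate."""
    low, mode, high = estimate
    return (low + mode + high) / 3.0


def expected_annual_loss(risk):
    """The single $Y figure: expected events per year times expected loss per event."""
    return triangular_mean(risk.events_per_year) * triangular_mean(risk.loss_per_event)


def rank_risks(risks):
    """Largest expected annual loss first; this is the order the Board should see."""
    return sorted(risks, key=expected_annual_loss, reverse=True)


def apply_mitigation(risk, control):
    """The residual risk once a control is in place."""
    scale = lambda est, f: tuple(x * f for x in est)
    return Risk(risk.name,
                scale(risk.events_per_year, control.frequency_factor),
                scale(risk.loss_per_event, control.impact_factor))


def net_benefit(risk, control):
    """Expected loss avoided per year minus what the control costs per year.
    A negative value means the control costs more than the risk it removes."""
    avoided = expected_annual_loss(risk) - expected_annual_loss(apply_mitigation(risk, control))
    return avoided - control.annual_cost


def _poisson(rng, rate):
    """Knuth's method for drawing an event count; fine for the small rates used here."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def _draw(rng, estimate):
    low, mode, high = estimate
    return rng.triangular(low, high, mode)   # note the (low, high, mode) argument order


def simulate_annual_losses(risk, trials=20000, seed=7):
    """Monte Carlo: for each simulated year draw a rate, draw how many events occur at
    that rate, and draw a loss for each event. Returns one total loss per simulated year."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        events = _poisson(rng, _draw(rng, risk.events_per_year))
        years.append(sum(_draw(rng, risk.loss_per_event) for _ in range(events)))
    return years


def loss_at_percentile(losses, percentile):
    """The 'bad year' figure: the loss exceeded in only (100 - percentile)% of years."""
    ordered = sorted(losses)
    index = int(round(percentile / 100.0 * (len(ordered) - 1)))
    return ordered[index]


# Constructed illustrative figures, not data from any real organization.
RISKS = [
    Risk("Ransomware on file servers", (0.1, 0.3, 0.6), (200_000, 800_000, 3_000_000)),
    Risk("Business email compromise", (1, 3, 6), (5_000, 40_000, 150_000)),
    Risk("Data center power failure", (0.05, 0.2, 0.5), (50_000, 150_000, 400_000)),
]
OFFLINE_BACKUPS = Mitigation("Offline backups with tested restores", 120_000, 1.0, 0.25)


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.name:32s} expected annual loss ${expected_annual_loss(r):>12,.0f}")
    ransomware = RISKS[0]
    years = simulate_annual_losses(ransomware)
    print(f"Ransomware: a 1-in-20 bad year costs about ${loss_at_percentile(years, 95):,.0f}")
    print(f"Net benefit of '{OFFLINE_BACKUPS.name}': ${net_benefit(ransomware, OFFLINE_BACKUPS):,.0f}/year")
```

The expected annual loss is the number that makes risks comparable and rankable, but in the constructed ransomware case most simulated years have no loss at all while a 1-in-20 year costs several times the expectation; presenting both figures, with the ranges behind them, is what keeps $Y honest.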
Two items to underscore when it comes to mitigation plans:
- The plans must be as simple and as concrete as possible.
- The plans must be actionable and the plans should modify the behavior of an organization (both people and processes).
Without the first you never get the chance to achieve the second, and it is the second where the true benefit lies.
Broad, grand, multi-phase plans with committees, new systems, checkpoints, reports, liaison representatives, etc. very rarely bring short-term value. It is difficult for the average employee to grasp such endeavors. Err on the side of a series of small, simple, highly actionable efforts that lead to the final goal. Employees can more easily understand such steps and will quickly see their results. That enables them to change their personal behavior, and organizational behavioral change follows soon after.
Actionable insights beget behavioral change.
Next week I will offer some thoughts on the positive effect of a governance program on risk management. Stay tuned.