The four slide risk presentation to the board

Recent Gartner survey of security / risk professionals showed that;

45% think risk management data influences decisions at the board level

However

31% think that risk management data does not influence decisions at board level

15% think thew board do not understand risk management data

6% said it wasn’t even reported at a board level

and 4% didn’t know..

Personally I would have liked to delve into more depth on these questions

For example;

  • for those who think it influences board decisions – how, why and does it have enough influence
  • for those who think it doesn’t, why not and what could be done to improve things

 

What are the roles of the board and the CISO in enterprise risk management?

  • Board – balance Risk Indicators with Risk Appetite
    • ensure the executives understand what the risks are and are comfortable they fit into the overall rail appetite (e.g. how risk adverse they are)
  • CISO – moving from the traditional of Asset performance to Business performance

When reporting to the Board, how can you relate risks to business objectives that most concern the board?

Brief four slide presentation;

  • Slide 1:  List the half dozen most important enterprise strategies and objectives
  • Slide 2: Name the IT risks that have a potentially significant impact on the most important enterprise strategies and initiatives
  • Slide 3: Describe risk management initiatives
  • Slide 4: Wrap it up!

 Details / examples;

Slide 1: Enterprise Strategy Objectives

  • Acquisitions in emerging markets, new product development, customer retention, migration projects.
  • Guiding principle – Business objectives are IT objectives.  
    • Highlight that your security objectives are aligned with the business strategy and goals.

Slide 2: IT Risks

  • Acquisition Strategy
    • Acquired entities BC/Dr strategy
    • Acquired entities controls vs. our regulatory environment
    • Replacing / merging acquired systems with corporate systems
  • New product development
    • Application development security – SDLC – compliance
    • Infrastructure to support products in emerging markets
  • Customer retention
    • Customer experience with focus on acquired entities
    • Privacy
    • Social Media
    • Reputation

Slide 3: Risk Management Initiatives

  • Acquisition Strategy
    • Systems and controls analysis as part of M&A due diligence
    • Responsive, rapid IT on-boarding
    • Vendor consolidation
  • Product Development
    • QA program for application development including Six Sigma, ISO 9000 and ISO/IEC 27001
    • IT product development role specifically working to minimise risks in emerging markets, including product localisation – reduces time to market
  • Customer retention
    • CRM and SFA upgrades at acquired entities
    • Privacy management
    • Advanced analytics
    • Guiding principle – IT risks are business risks

Slide 4: Wrap it up

  • With current and proposed risk management initiatives there are no material or significant risks anticipated
  • IT is leading initiatives to manage risks to business objectives and other legal and regulatory risks – coordinating with departments across the business
  • Next steps include budget approval for the major initiatives
  • Details on risk and control assessments are in the board package
  • Thank you for your  support

Recommendations;

When communicating directly with the board, focus on:

  • What enterprise objectives and strategies matter most?
  • What’s the potential impact of IT risk on those things?
  • What are the current and proposed approaches to managing these risks?
  • What are the next steps?

In short, keep it simple and relevant to the concerns of the board.  Avoid technical jargon and focus on business goals and outcomes 🙂

K