In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams.
In this blog series, I am going to take a deeper dive into each question and break them down one at a time. We will discuss why CEOs should care about each question and the type of answers teams should be providing.
The first question we’ll tackle is: “How are we managing risk? What’s the structure of the team?”
Asking this question should allow you to understand the overall structure and maturity of risk management in your organization. Your team should be able to briefly and succinctly identify the following when asked:
- Who is actually responsible for managing and accepting risk in the organization?
- Do you have someone responsible for Risk Management? Is there someone responsible for Information Security? Is someone responsible for compliance (if applicable)?
- Is this decentralized or centralized? How many staff members are dedicated to managing risk?
Your team should be able to describe how the overall program is managed and organized.
Bonus points for organizations that have this ready to hand to external auditors or customers who may ask. This should exist and be ready to go at any moment; responding should not require a lengthy data-gathering exercise.
What is our risk tolerance?
CEOs and boards should drive the acceptable level of risk tolerance for an organization.
“Risk tolerance is defined as the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame. An organization’s risk tolerance level is the amount of corporate data and systems that can be risked to an acceptable level. Having a defined risk tolerance level means the security program knows the degree that management requires the organization to be protected against the threats they face.”
Giving tolerance guidance to your team will ensure they align to your Commander’s Intent and allow them to drive risk to an appropriate level.
When is risk being considered? Is it baked into the upstream decision-making process, or is it considered throughout the life cycle of the business?
Your team should help you understand where risk decisions are being made and whether or not the gates are commensurate with the risk. This will also speak to the maturity of your risk management program.
Where is the current list of risks?
Risks come in all shapes and forms. Some risks are really business opportunities waiting to be taken advantage of. The organization that manages risk well will not only do a better job of protecting itself from cyber threats but will also give itself a long-term competitive advantage. Just because something is a risk does not make it inherently a bad thing.
For most organizations, risks will fall into the following categories:
- Compliance/Regulatory Risks
- Security Risks
- Financial Risks
- Privacy Risks
- Industry and Competitive Risks
- Management Risks
Knowing where to get this information when it is needed is crucial to making risk-based decisions.
Mature organizations have moved these to online dashboards updated in real time based on downstream risk data.
How are risks being managed and communicated? What’s the cadence of meetings?
This final piece will allow you, as the CEO, to understand whether your organization embraces open and transparent risk discussions, or whether there are still unknown risks that are not being identified, communicated, or managed appropriately. It will also confirm that risk discussions are ongoing and continuous and occur at intervals appropriate for your organization.