Any manager asking the Board for resources to address information risks in a complex threat environment might as well be talking a foreign language. Here is a run down of the reasons for this, and a few ways to ensure the IRM message gets heard.
Why is communicating IRM so hard?
- Board members focus on business benefits, costs and return on investment, whilst the security manager thinks of risks, controls and compliance.
- The Board is faced with competing requests for resources and most of these concern risks that are understood and have measurable benefits, whereas the benefits of managing information risk effectively are not understood and can’t be measured so easily.
- IRM is not generally seen as a business enabler and it often only gets management attention when there is a breach or a compliance audit is due.
- Risks to information are not generally seen as ‘normal’ business and management is often devolved to the CFO to manage, the CSO to monitor and the IT department to implement.
- Information risk is seen as a solely technology issue and is therefore something to be handled by the IT team on its own.
- Security professionals often use terminology and jargon that is not commonly understood by managers.
The net result is that information risks are not explained clearly at the right management level and therefore risks are not generally managed by those roles in the organisation with the necessary understanding of the issues, the essential business wide vision to recognise the impacts, the ability to make decisions or the authority to allocate resources.
Tips to get the IRM message heard
Phil Bindley of The Bunker argued recently that ‘security’ should be represented on the Board (read the article here – Give Security a Voice in the Boardroom ). Here at Ascentor wefully endorse his view to have a voice that can explain information risks to the decision makers. We must get across the positive message that IRM can directly support business initiatives by identifying risks early on and proposing cost effective solutions to help to reduce costs.
The task of the Information Risk Manager is to communicate the options for managing risk clearly and to recommend pragmatic, appropriate and cost effective mitigations so that the Board can make informed decisions.
Here are a few ideas to help get the IRM message across:
- The IRM message has to be in Boardroom language and must have a strategic, not tactical vision.
- Don’t use specialised terminology or jargon.
- Have someone on the Board responsible for information risk – this will be a respected voice that can explain risks to decision makers and get the positive message across.
- Explain how effective information risk management can be tailored to what the business does and clarify how it can support the business.
- Ensure that the approach is positive and supports innovation; ‘what can IRM do to help the business deliver’? Be realistic but avoid the doom and gloom of overwhelming threats.
- Managing the risks of doing business is the responsibility of the whole organisation and IRM should be part of normal business management and not a specialist ‘security’ matter.
- Effective IRM is not a result of a bigger security or IT budget for new tools – it comes from engaging with all levels and areas of the business.
- Solutions to manage risks are not just IT based but should comprise a range of physical, personnel and procedural mechanisms in a cost effective mix.
- One size of risk management approach doesn’t fit all so what the business context is crucial.
If they can’t speaka your lingo, learn to speaka theirs!
Getting the message across at Board level about the business benefits of managing risks to information is hard, but it can be done and the tips above should help. Effective communication is the aim, so if they can’t speaka your lingo, learn to speaka theirs!!
For more information about IRM and for help in getting the message about its benefits across download our Board’s Guide to Information Risk Management and call Steve Maddison or Dave James to arrange a free consultation.
Article by Steve Maddison , Director and Principal Consultant at Ascentor.
Other articles you might like: