Friday, January 27, 2017

The Executive Risk Review

If this sounds like Management 101, it is.  It is the same kind of management control system that is used to manage financial metrics.  The only thing that might be new is applying the idea to risk. 

Meeting the demands of key customers and regulators to manage cyber risk is yet another challenge for the executives of small and medium businesses.  As if you needed one more thing to worry about, along with revenue, product, and cash flow!  Yet it is possible to make a credible, practical, and above all useful start on managing cyber risk without breaking the budget or getting mired in endless detail.  A simple way to get started is with a quarterly risk review.  Here is how to go about it -- without buying a Lexus when all you need is a Corolla.  This will work for any organization, whether a business or not, that is big enough to have quarterly business reviews.

Simply this:  add a risk review to the standing agenda of the quarterly business review.  A risk review addresses three basic questions:
  • What are the most important risks facing the company in the next 12 months?
  • Are these risks acceptable to management and the owners, given our current circumstances, or should we be doing something to manage those risks better?
  • What action should we now take to manage our top risks better, and what progress have we made in actions previously agreed?  Who will take responsibility to do them, and when should they be complete?  How will we know if they have been effective? 

As management exercises its judgment about what the most important risks are and what to do about them, it is automatically setting risk management priorities.

Despite its simplicity, this approach has much to recommend it.
  • It makes management think consciously about risk.  That is the first step in managing it.
  • It establishes a recurring and repeatable routine.  That lays the groundwork for bringing almost any risk into acceptable bounds.
  • It results in decisions and actions, so it gets things done, in priority order.
  • It is a structure that can be matured over time to any level of sophistication.  Soft words like “important risks” can be made more objective and quantified.
  • It is very efficient, a good use of scarce executive time, once the cadence is established.
  • It shows that management is paying attention to risk.

“Paying attention” deserves some elaboration.  Sooner or later a key stakeholder will insist on having assurance that management understands its risks and is managing them.  Stakeholders include the board, current and prospective investors, key customers, regulators, and auditors.  To credibly assert that, “Yes, we do know our risks, we review them regularly, and we take appropriate action to manage them,” you can do a few simple things to create the auditable evidence that your stakeholder will expect or insist upon.
  • Put “risk review” formally on the agenda of the meeting.  (Every business review should have a written agenda.)
  • Prepare a simple two-page “risk report” ahead of the meeting and discuss it.  It can even be an email to the management committee.  The CFO, VP Finance, or CIO might be responsible for preparing it.
  • Document the results of the risk review in the meeting minutes.  (Yes, have minutes!)  This can be as terse as a note that risks were reviewed and certain actions were assigned.  Cite the risk report and say it was reviewed.

The secretary of the meeting, who could be one of the participants or an administrative assistant, should be responsible for collecting, organizing, and preserving these documents, so that they can be audited later.  All documents should be dated and bear evidence of having been distributed to relevant executives, such as by email.

Another note will get into what a risk report should have.

Friday, January 20, 2017

Overcoming the Cyber Security Hurdle for SMBs

You have a brilliant concept for a new product or service.  You’ve gotten funding and created the core of a great team.  To see your dreams become reality, you willingly pay the price of 80-100 hour work weeks.  But sometimes it seems the rule-makers are doing everything they can to get in the way.  This time it’s cyber security.

Finally, you have your first big customer lined up, and here comes their due-diligence team.  They send you a questionnaire with hundreds of items about cyber security, backups, disaster recovery, encryption, and myriad other arcana. It is a sobering moment.  Your customer takes this seriously because they’ve been whacked by their regulators after a nasty and all-too-public data breach.  The information risk management folks are in no mood to compromise, having gotten the word that if there’s another breach heads will roll. 

What does it take to satisfy IRM and win the business?  All it takes, it seems, is answering Yes to 400 detailed questions like “Do you do background checks on all employees?” and “Do you protect all your critical data with strong encryption?” – most of which you have never thought about before.  On top of that you “must have” certification of your security controls by an independent third party, like a SOC2 or ISO 27000 audit.  Then you learn that the next customer has its own requirements.

It’s enough to drive one mad.

You need a strategy to address this big new business risk, and quick!

In a series of notes like this one, I’ll give the small-medium business executive some practical tips on how to meet these challenges in a rational, businesslike way – without going either broke or crazy.  What is easily lost in the technical minutiae and, lately, the fear, uncertainty, and doubt about cyber security, is that managing cyber risk boils down to the same basic management principles you use in the rest of your business.  My aim is to show you how to apply those principles in a simple and intuitive way, so you can focus on growing your business.

The first step is to know your risks, and that will be the next topic.