If this sounds like Management 101, it is. It is the same kind of management control system that is used to manage financial metrics. The only thing that might be new is applying the idea to risk.
Meeting the demands of key customers and regulators to manage cyber risk is yet another challenge for the executives of small and medium businesses. As if you needed one more thing to worry about, along with revenue, product, and cash flow! Yet it is possible to make a credible, practical, and above all useful start on managing cyber risk without breaking the budget or getting mired in endless detail.
A simple way to get started is with a quarterly risk review. Here is how to go about it -- without buying a Lexus when all you need is a Corolla.

This will work for any organization, whether a business or not, that is big enough to have quarterly business reviews.

Simply this: add a risk review to the standing agenda of the quarterly business review. A risk review addresses three basic questions:
- What are the most important risks facing the company in the next 12 months?
- Are these risks acceptable to management and the owners, given our current circumstances, or should we be doing something to manage those risks better?
- What action should we now take to manage our top risks better, and what progress have we made in actions previously agreed? Who will take responsibility to do them, and when should they be complete? How will we know if they have been effective?
Despite its simplicity, this approach has much to recommend it.
- It makes management think consciously about risk. That is the first step in managing it.
- It establishes a recurring and repeatable routine. That lays the groundwork for bringing almost any risk into acceptable bounds.
- It results in decisions and actions, so it gets things done, in priority order.
- It is a structure that can be matured over time to any level of sophistication. Soft words like “important risks” can be made more objective and quantified.
- It is very efficient, a good use of scarce executive time, once the cadence is established.
- It shows that management is paying attention to risk.
“Paying attention” deserves some elaboration. Sooner or later a key stakeholder will insist on having assurance that management understands its risks and is managing them. Stakeholders include the board, current and prospective investors, key customers, regulators, and auditors. To credibly assert that, “Yes, we do know our risks, we review them regularly, and we take appropriate action to manage them,” you can do a few simple things to create the auditable evidence that your stakeholder will expect or insist upon.
- Put “risk review” formally on the agenda of the meeting. (Every business review should have a written agenda.)
- Prepare a simple two-page “risk report” ahead of the meeting and discuss it. It can even be an email to the management committee. The CFO, VP Finance, or CIO might be responsible for preparing it.
- Document the results of the risk review in the meeting minutes. (Yes, have minutes!) This can be as terse as a note that risks were reviewed and certain actions were assigned. Cite the risk report and say it was reviewed.
The secretary of the meeting, who could be one of the participants or an administrative assistant, should be responsible for collecting, organizing, and preserving these documents, so that they can be audited later. All documents should be dated and bear evidence of having been distributed to the relevant executives, such as by email.
Another note will get into what a risk report should have.