I attended a webinar recently that was presented by the CEB Information Risk Leadership Council entitled “Managing Risks That Impact Multiple Stakeholders.”
A few examples of these shared risks are upgrades to an enterprise application used by multiple business units, a single business unit’s use of enterprise-wide customer data, and a data center that supports multiple business units.
A number of valuable takeaways for me from the hour well spent, some new and others good reinforcement of what I already knew:
- Include shared risks in each business unit’s risk portfolio, rather than segregating them into a separate portfolio that no one takes responsibility for or that becomes my responsibility by default. This increases visibility and gives business unit leaders more motivation to take action.
- A business unit leader needs to own the risk, not me. Increasing visibility among all business unit leaders increases the likelihood that peer influence (aka peer pressure) will help identify an owner and the funding I need to contribute to risk mitigation efforts. My job is to make the risk visible and support the business unit leaders’ efforts to mitigate it, not to bludgeon them into action.
- Don’t try to quantify the unquantifiable. A consistently applied qualitative rating to express risk severity, e.g. High/Medium/Low, will have more value and be more widely adopted than a complex quantitative approach. While the latter may provide more precision, it will also result in more confusion. Even if that’s not the case, will the outcome be any different? Likely not. Keep it simple! This is one I need to remind myself of regularly, given my “ultra-C” DiSC® style.
I’m interested in what approaches you’ve used to navigate this particular minefield, both those that have worked well and those that haven’t. Drop me a line!