Sure, as a CIO or IT manager, you know what IT risk management is. It’s all about applying risk management principles to IT, including the adoption, ownership, operation and influence of IT within the larger context of the enterprise. But in terms of risk management language, are these principles communicated properly across the organisation?
Now try to explain that to your board directors and get beyond their glassy-eyed stare to help them understand how vital this is to the survival and success of the company, and to get their green light on any necessary budget. The following five tips could help to get a meaningful dialogue going.
- Know how your IT context relates to the business. This requires two things: knowledge of all the IT assets, and an understanding of how they relate and contribute to the business objectives of the enterprise.
- Calculate business impact in dollars and cents (or whatever currency your enterprise uses). Money is a common language between you and your business colleagues. Calculating impact in monetary terms is a useful exercise in its own right, because it obliges you to measure and compare both negative and positive risk (threats and opportunities).
- Understand the risk appetite of your enterprise. You may be dealing with a board whose overriding objective is to stabilise the share price, or on the contrary to build a market reputation for innovation and leadership. Your suggestions for IT investment and operations will need to take the right risk appetite into account.
- Keep it short (and simple). Once that glazed look sets in, it can be difficult to spark a board’s interest again. The information, analysis and recommendations you offer will need to be to the point, easy to grasp, and expressed in business language. That said, make sure you also have all the data to support your recommendations and to answer questions if your audience wants to drill down (a good sign, as it means you have their interest).
- Take their feedback on board. If you’ve done a good job of telling your directors about IT risk management issues and recommendations, they may well have feedback for you. Don’t fall at the last hurdle by neglecting to listen, or by failing to convert their “business speak” back into IT-oriented requirements and actions.