There’s an oft-quoted mantra in business that “you can’t improve what you aren’t measuring.” In the world of risk management, that line is better adapted to “you can’t mitigate the risks you aren’t measuring.”
You’re also going to have a pretty hard time communicating the consequences of failing to address the risks facing your business if you can’t measure and report risk impact — financial or otherwise — to leaders and decision makers.
Having a good system for measuring and reporting risk is a crucial part of building an effective, holistic risk management program. The success of every other part of the program, from prioritization to controls to incident response, rests on the objective foundation created by quantifying risk.
Anthony Riley, Okta’s Director of Security Risk Management, has built a career on measuring and reporting risk, both in the financial services industry and the software-as-a-service world. He recently joined the GRC & Me podcast to share his best practices for making sure you — and everyone else in your organization — are on top of the risk you face each day.
Watch here, and keep reading for highlights from the conversation.
Categorize, then rate your risk
The first thing Riley does when starting to get a quantitative handle on risk is identify what category each of the risks falls into. Are they human capital risks? Cyber risks? Risks associated with change management? Each type of risk affects your business in different ways, and each should be addressed within that context.
Once you’ve got a grip on what parts of your business each risk is associated with, you can start to rank them within those buckets. You’ll want to assign likelihood and severity scores to each risk. This can be done through a variety of methods, most commonly risk matrices or analyses like Monte Carlo simulations.
“Those two scores are what is going to help drive your residual risk rating,” Riley said. “That’s what you’re going to use to prioritize mitigation.” Depending on your appetite for each risk, that might take the form of accepting the risk, transferring it to a third party, avoiding it entirely, or putting controls in place to mitigate it.
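As an added illustration of the categorize, score and prioritize steps above (example code, not from the podcast, Riley or Okta), here is a small Python risk register: it scores each risk on a 5x5 likelihood/severity matrix, discounts the score by control effectiveness to get a residual rating, ranks risks within their category, and maps each to accept, transfer, avoid or mitigate against a per-category appetite. The register entries, scores, control-effectiveness values and decision thresholds are all constructed sample values.

```python
# Added example (not Okta's or the podcast's code). Constructed sample scores
# and appetite thresholds; a 5x5 matrix stands in for a Monte Carlo analysis.
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    category: str                 # "cyber", "human capital", "change management"
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    severity: int                 # 1 (negligible) .. 5 (catastrophic)
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully mitigated)

def inherent_score(r: Risk) -> int:
    """Matrix score before controls: likelihood x severity (1..25)."""
    return r.likelihood * r.severity

def residual_score(r: Risk) -> float:
    """Inherent score reduced by the credit given to current controls."""
    return round(inherent_score(r) * (1 - r.control_effectiveness), 2)

def treatment(r: Risk, appetite: dict) -> str:
    """Accept / transfer / avoid / mitigate, using constructed decision rules."""
    res = residual_score(r)
    if res <= appetite[r.category]:            # inside appetite: accept
        return "accept"
    if r.severity >= 4 and r.likelihood <= 2:  # rare but severe: transfer (insurance)
        return "transfer"
    if res >= 16:                              # still critical after controls: avoid
        return "avoid"
    return "mitigate"                          # otherwise add or improve controls

def rank_by_category(risks: list, appetite: dict) -> dict:
    """Bucket by category, then rank each bucket by residual score, highest first."""
    buckets: dict = {}
    for r in risks:
        row = (r.name, residual_score(r), treatment(r, appetite))
        buckets.setdefault(r.category, []).append(row)
    for rows in buckets.values():
        rows.sort(key=lambda row: row[1], reverse=True)
    return buckets

SAMPLE_RISKS = [  # constructed register
    Risk("Ransomware on file servers", "cyber", 4, 5, 0.5),
    Risk("Stale contractor accounts", "cyber", 3, 3, 0.2),
    Risk("Regional outage of primary cloud provider", "cyber", 1, 5, 0.0),
    Risk("Key engineer attrition", "human capital", 3, 4, 0.0),
    Risk("Untested production config change", "change management", 2, 5, 0.6),
    Risk("Unvetted third-party plugin rollout", "change management", 5, 5, 0.2),
]
APPETITE = {"cyber": 4.0, "human capital": 12.0, "change management": 5.0}
```

Calling `rank_by_category(SAMPLE_RISKS, APPETITE)` returns, per category, the risks ordered by residual score with their chosen treatment, which is the list a report would lead with.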
Give a full picture, but don’t get into the weeds
With a good analysis of the impacts of your organizational risk in hand, you can start building out the reports that will help you obtain buy-in for getting ahead of or responding to it. The most important thing here is to know your audience.
Reporting to the board of directors or C-suite should take a very different form than reporting to your manager or team. “Reporting to the board of directors versus reporting to the risk owners versus reporting to your team, they all have different knowledge of risk management,” Riley said.
The board and executive leadership don’t need the same level of detail to make a decision as the people tasked with carrying out that decision. Give them the most important information and key takeaways up front, and save the more detailed data for an appendix. Otherwise, they may feel overwhelmed and lost.
And, make sure you focus only on the risks that truly pose a major threat to your organization. Not every risk has business-ending potential. “Not everything is critical, so don't say the world is always on fire. If it always is, then is it really?” Riley said.
Putting your reporting into action
Now that you’ve got buy-in from leadership, your reporting can be used to put together a plan for addressing your risk.
Starting with the risks that your reports surfaced as the most critical, begin testing your current controls to identify which are insufficient or ineffective, then improve them or put better ones in place. This will go a long way in reducing residual risk.
Your reporting is also a great tool for building a culture of risk at your organization. Risk management is everyone’s job, and if everyone has a clear understanding of which risks pose the gravest threats, they’ll be much more vigilant about helping you avoid or address them.
“Reporting on risk consistently will help provide a risk-aware culture so that when the employees are doing something, they'll say ‘Hey, that actually might be a risk. Maybe I should let the risk management team know this,’” Riley said. “And so they're proactively identifying those risks and providing them to you. Then we're not just identifying risks through risk assessment, and that's when you know that your program is becoming mature. That's key. That's golden.”