A Few Thoughts On Communicating Risk

In my new report, The Risk Manager's Handbook: How To Measure And Understand Risks, I present industry best practices and guidance on ways to articulate the extent or size of a risk. More than the interpersonal, political, and leadership skills required of a risk management professional, defining how risks are measured and communicated is where I believe they prove their worth. If risk measurement techniques are too complicated, they may discourage crucial input from colleagues and subject matter experts... but if they are too simple, they won't yield enough relevant information to guide important business decisions. Great communication skills can only hide irrelevant information for so long.

This report includes factors to use in the risk measurement process, ways to present risk measurement data in meaningful ways, and criteria to use when deciding which of these methods are most appropriate. As always, your feedback is welcome and appreciated.

In addition, I will be covering a related topic with our Security and Risk Council in a session called Creating A High-Impact Executive Report along with my colleague Ed Ferrara at Forrester's upcoming IT Forum: Accelerate At The Intersection Of Business And Technology, May 25-27, in Las Vegas. Please join us if you can make it. Later in the week, I will be available for 1-on-1 meetings with attendees, and I'll also present sessions on linking governance and risk and establishing good vendor risk management practices. I hope to see you there.



The Risk of Sub-Primary Risk Neglect

Great topic, Chris. Lack of clarity around risk measurement and definition protocols often serves as a major roadblock in effectively implementing comprehensive risk controls across an enterprise. This is especially true for IT risk areas that receive lower levels of risk control priority, such as spreadsheet risk, due to both misperception of reduced risk as well as difficulty in risk measurement and assessment.

Ignoring these oft-overlooked areas can be at an organization's peril. The problem is that too often the risk control procedures in these segments deal with the symptoms rather than the cause. Implementation of best practices in spreadsheet development goes a long way to effective risk mitigation.

Furthermore, not only can best practices be taught, but they can be effectively enforced through automated spreadsheet risk auditing tools (e.g., www.audinator.com) utilized by the spreadsheet user - not just the internal auditor. This mechanism of continuous self-audit not only prevents errors from surfacing until after it's too late, but perhaps even more importantly it reinforcingly teaches the spreadsheet user what the best practices are and what is not of acceptable risk tolerance.