woman doing indoor rock climbing
PHOTO: bady qb

When the New Year rolled around I was thinking about the changes I would like to see in both practices and thought leadership around the management of risk, when I saw a new video from my good friend, Alex Sidorenko.

Alex had been attending a risk management conference in Dubai led by another friend, Alex Dali. In this video, he shares a key takeaway.

Related Article: 4 InfoSec Trends for 2019

Two Indicators of Effective Risk Management

The risk management leaders at this global conference said there were two indicators of effective risk management.

The first is that business decisions are informed and intelligent (my words). The consideration of risk is integrated into the setting and execution of strategies through daily decisions.

My caution is that when we are talking about "risk," we should be thinking about all the things that might happen, not only harms.

In fact, as I wrote in my last book, we should be avoiding the word "risk" as management has a negative perception of it.

  1. Most think it only relates to harms.
  2. Managers tend to think of risk management as a compliance activity.

In fact, if we think instead about anticipating what might happen and making informed and intelligent decisions with that in mind, there will be a common purpose and understanding between practitioners and the leaders of the organization.

That’s the second set of indicators: a common understanding and language around risk.

My preference, which I will restate, is that we discard the technobabble of the risk practitioners in favor of using the language of the business. (Where everybody in a mature organization is comfortable with technobabble, then continue to use it — as long as it is not focused solely on harms.)

Related Article: Stop Managing and Start Taking Risks

A Change in Focus

In a Deloitte study from a few years ago, executives were asked whether risk management helped them set and then execute on strategies. Only about 13 percent said it made a significant positive contribution.

So my vote for an indicator of success is when the leaders of the organization in the executive suite and on the board wholeheartedly answer the Deloitte question with an enthusiastic thumbs up!

In 2019, let’s press the regulators, consultants and other thought leaders to focus less on managing harms (especially in silos like vendor risk management) and more on helping those leading the business anticipate what might happen and make intelligent and informed decisions.

I welcome your thoughts.