Cyber risk is a top concern for many CEOs and board members. However, 62% of CEOs and 77% of board members are not “highly engaged” in addressing cyber threats. While CEOs and board members recognize risk management is a problem, they often are not sure what to do — or if they are, they are ineffective at implementing solutions.
For leaders to balance risk management with company performance, they must keep open lines of communication with risk managers. In doing so, risk managers can effectively inform the CEO, and in turn, the board, of potential risks and challenges.
What Risk Managers Need to Tell the CEO
Risks will always exist. The more sophisticated and complex the project, the greater the chance that something will not go according to plan. When communicating risk to the CEO, risk managers must have a transparent view of all business units. To achieve this, risk managers should maintain a risk register, a document that delineates all risks that could potentially affect the company. The four main components of a risk register are: 1) identification and classification of risks, 2) risk analysis, 3) evaluation and 4) solutions and monitoring. This information gives key stakeholders, such as CEOs, a transparent view of the potential impact of each risk, its severity and the actions required to keep it in check.
Rather than reading an entire risk register aloud to the CEO, risk managers should take a moment to understand what CEOs care most about when discussing risk. The CEO’s focus is to align risk with his or her top responsibilities and to understand how these risks can affect the company’s direction. Consider the CEO's top three priorities and how to assess risk within each one. These priorities can include setting a vision for the company’s direction, managing company resources, and recruiting and retaining employees. Taking these priorities into account will help risk managers have a more valuable and productive conversation with the CEO.
What CEOs Need to Tell the Board
With the risk manager’s information in hand, it is now the CEO's responsibility to share that information effectively with the board. It is unlikely that a company’s board is composed entirely of security experts, so CEOs will need to tie their findings back to the overall strategy, goals and business units. In doing so, CEOs can give the board a better understanding of how risk metrics truly affect the business.
CEOs should be leading proactive risk discussions with the board on an ongoing basis. During these conversations, CEOs must be able to address and explain the risks — including where the company is secure, where vulnerabilities lie, and where the company needs to invest. Again, these insights only come from CEOs meeting regularly with their risk managers. Frequent conversations can lessen the surprise for the board should there be a breach or vulnerability.
Lastly, CEOs must consider the company’s industry. For industries that handle a lot of user data, it will be important to keep the board apprised of whether the company is staying compliant with regulations like GDPR or the upcoming California Consumer Privacy Act. As more regulations arise, companies' potential liability will become substantially higher.
For successful risk management, CEOs and risk managers must work together to provide the board with the information that connects risk back to the overall business strategy and goals. By having these conversations on an ongoing basis, all parties involved will have a transparent view of any potential risks and a better understanding of the company’s overall risk management strategy.