Developing a Common Risk Language to Break Down Organizational Silos
LogicGate | January 19, 2023
Getting everyone on the same page about the risks your organization is facing is a crucial part of effectively managing organizational risk. Unfortunately, it’s also one of the hardest parts about effectively managing risk.
Dimitrios Stergiou, Director of Information Security at fintech company Wayflyer, has spent his career solving this problem. His solution? Using risk quantification and standards frameworks to build a common language for understanding risk across an organization, break down silos, and obtain buy-in for risk management programs.
Show me the money
Few things are as effective for getting people to understand the big-picture impact of a particular risk than showing them the precise amount of monetary damage that failing to manage or mitigate it could inflict. That’s why Stergiou considers risk quantification to be the “holy grail” for communicating risk impact: Being able to assign associated costs to individual risks provides risk managers with the information they need to bring to the people whose skills and buy-in they’ll need to effectively address them.
Financial impact data lets the CTO understand how many hours of her team’s time will be needed to make the fix, and weigh that against the possible loss to the business if a particular risk materializes. It helps the CFO understand the costs of doing nothing and whether it makes sense to bring in a new tool to handle the risk. And, it can provide brand and public relations teams with perspective on the potential reputational damage that could result from ignoring the risk.
“Then the question becomes ‘Does it make sense, for this risk, to spend either the hours fixing it or the vendor money?’ Stergiou said. “It allows us—all of us—to have a discussion about the same thing within the same parameters.”
And, having financial figures to tie to risks makes triaging your risk landscape and deciding which risks to focus your time and energy on first much quicker and easier.
A framework for success
Another good strategy for getting everyone on the same page about risk management is to use standardized risk management frameworks, like NIST, ISO 27001, and SOC 2. Standardized frameworks are purpose-built for ensuring everyone knows what to expect from your organization’s risk management program, and that all stakeholders remain aligned to those expectations.
They also provide a great starting point for standing up a new risk management program, or a proven path for taking the next steps to evolve your existing program. “You’ll know at least that you’re not going to be nudged in the wrong direction in the controls that you apply. You’re not going to do the wrong things,” Stergiou said.
Beyond fostering internal security alignment, frameworks are also valuable for demonstrating to external entities—whether that’s your clients or external auditors—that your risk management program is not at “level zero.” This can be both reassuring to your partners and a competitive advantage. The more well-known the standard that you choose, the easier it will be for others to understand what you’re doing at a glance.
“If you're doing an ISO certification, it's very easy for people to understand that you have addressed 100 out of the 114 controls or whatever the number is, and that gives them an idea about your posture. They don't need to spend the time to come and meet with you themselves because they can rely on the certification,” he said.
But, he cautioned, there are so many sets of international standards out there that it can be all too easy to spend too much time and money building out the standard-specific infrastructure necessary to comply with all of them, even though the additional benefits may be minimal. “They have a lot of commonalities, and there are organizations that have worked to map one to another but it still remains that you need to hire the dedicated auditors, go through the dedicated process, and address the findings for each in a very specific way,” he said.
Still, modern GRC technology can help here by automating much of the evidence collection, auditing, and reporting required to demonstrate compliance with various standards.
Putting it all into practice
When Stergiou started at Wayflyer in 2021, he once again found himself facing this exact challenge. To get the job done, he started small and built to the point where he could use the common risk language he had developed to help leadership make the best possible risk decisions.
Working with the legal and compliance teams, he examined the company’s risk registry and the compliance work that had been done, then identified projects that could net some quick, early wins. “These were projects that couldn't really ruffle a lot of feathers in the company. Then, I started planning for the bigger projects that would require process changes or introduction of tools or even removal of things that people have today,” he said.
When it came time to obtain buy-in and resources for larger risk initiatives, Stergiou had already built the foundation for communicating the necessity of addressing risks to leadership, whether that was because the company needed a particular accreditation to satisfy a market demand, or because a risk had been escalated up from ground teams and Stergiou’s risk leadership had helped management become risk-savvy enough to understand that it couldn’t be left unaddressed.
“There were very few cases where management didn’t offer support,” he said.