Author: Rick McElroy, Security Strategist, Carbon Black

In my previous blogs, we discussed the importance of risk management and highlighted a list of questions CEOs should know the answers to – answers that help you to stay informed, up to date and ready for any security issues.
The next question we will dive into is: What are the top five risks and has the priority changed recently?

While it is necessary to track major risks in your organization, not all will be information security related. CEOs are probably familiar with the diversity of risks, from taking new business initiatives to withholding sensitive customer information. As we discuss this question in detail, focus on the management of risks as a whole instead of risks related to a specific department.

Asking this question provides you with sufficient overview on your risks in present-time, helps you to understand the maturity of your risk management strategy and ensures that information security risks are being accounted for. This will also encourage your team to get into a habit of constantly tracking and managing information on risks that can be made readily-available when required. Narrowing down your risks to the top five is a great number for CEOs to start with, and as your organization matures, this number can be increased accordingly.

The events in 2017 showed just how important it is for CEOs to be engaged in the risk management process. Those who failed to do so had to answer to legislative bodies and faced expensive fines that could potentially harm the survival of the company.

In today’s business climate, it is increasingly important to take proactive steps to mitigate risks while being transparent with all your actions. This includes understanding that risks need to be re-prioritized regularly. For example, you are aware that your business is exposed to high risks of a cyber breach for the last five years, yet no action was taken. Today, a breach actually occurs. As a CEO, you would have a real hard time justifying why nothing was done to mitigate, or at least reduce your business’ exposure to this risk.

The output of your risk assessment process should allow you to make an informed decision to accept, transfer or mitigate risks while strengthening your management strategy. CEOs need to develop a process that works for their organization and track key risks throughout the life cycle of the business.

A key point to remember is that most of the significant failures that could have been easily avoided are caused by poor risk management, and not because the organization took risks.

It’s your job to ensure your team is managing risks appropriately and flagging the ones that require immediate mitigation. After you have set your Commander’s Intent, you need to regularly ask this question to ensure your intent is being managed effectively. The right management strategy will allow your team to take the right risks at the right time and take action against the potentially damaging ones.

Asking this question will aid the process of protecting your organization from failures, but it also provides you with the information you need to avoid legal implications when things go wrong. There is no such thing as ZERO risk in businesses, there is only a way to manage them.