Eight Ways To Communicate Security Benefits To Executive Management

In his recent report on linking risk and security to corporate performance, Proctor had these eight practical tips for communicating benefits to executive decision makers:

Formalise risk and security programs

A formalised program is one that is repeatable and measurable. It contains four key phases: govern, plan, build and run.

Measure program maturity

Using a maturity scale to measure your program identifies gaps and opportunities to improve. Maturity is also a good abstraction for executive decision makers who do not always understand technology.

Use risk-based approaches

Risk management is an explicit recognition that there is no such thing as perfect protection. Organisations must make conscious decisions about what they’ll do, as well as what they won’t do to mitigate risk. Stakeholders in non-IT parts of the business must make these decisions, not leave it up to IT professionals alone. But more importantly, risk managers must take a proactive approach to risk assessment and management. They need to manage risk, not be managed by it.

Use lead indicators of risk conditions

Risk managers need to define new leading indicators of business performance that include both key performance indicators (KPIs) and key risk indicators (KRIs). They should not focus exclusively on IT-centric KPIs. Doing so perpetuates the notion that IT risks relate only to IT.

Map KRIs to KPIs

Most organisations have a plethora of operational risk and security metrics. While these are extremely valuable for internal operations, they have little value to business decision makers. Good KRIs are simple and measurable and have a direct impact on multiple KPIs.

Link risk initiatives to corporate goals

Using fear, uncertainty and doubt to get executive support doesn’t work. Executives don’t want to hear how bad everything will be if they don’t invest in risk management and security. It’s equally useless to cite returns on investment because risk does not return a tangible dollar for dollar value. The best way to win executive support is to demonstrate business value.

Remove operational metrics from executive communications

Don’t use operational metrics to communicate at a business executive level. Executives lack the background and training to understand the meaning in a business context.

Clearly communicate what works and what doesn’t

In a risk-based world, a business-oriented audience wants to know: What are our risks? What is our posture? What do we do about it? Communicate that well and you’ve won half the battle.