,

To Bring Value in a Risk Analysis, Tell a Story and Provide a Solution

/

bring-value-in-risk-analysis-tell-story-provide-solution-featured.jpgImagine this – an issue is assigned to your risk analyst team, either by your management, someone in the business, or perhaps it's some area of weakness your own team identified. After completing the analysis, now it's time to prepare a presentation on the risk results.

Tell a story

When presenting risk assessments, my experience has shown this is best done by telling a story. Your story begins with the scope, then moves onto walking through the analysis process (including assumptions, where did the data come from, etc). The story reaches its climax as you get to the final results. 

When building your story (commonly referred to as a presentation), make sure you speak to your specific audience. If you think they will want to get down in the details, then give them enough information to feel satisfied. If they want to stay high level, show them a summary of the results but make sure they understand the context of how they were produced. 

For example, in Illustration 1 the scope is fully outlined and the loss event is clear and concise. Illustration 2 shows how the loss event will take place.

Illustration 1

bring-value-risk-analysis-tell-story-scope-chart.png

Illustration 2

 

bring-value-risk-analysis-chain-of-attack-chart.png

Provide a solution

But wait! You’ve told the story, but it shouldn't end there: A good presentation for risk results leads the audience to some future decision or action. 

  • Identify a proposed risk reduction solution (control enhancements, encryption, etc.), and forecast risk reduction. Showing the comparison of the current state to this future state enriches your message. 
  • Remember not to infer a specific conclusion, rather inform your audience, so they make the appropriate risk-based decision. 
  • Acceptance can be a good risk-based decision. This means sometimes your story's ending may be in fact not taking any action (ex. no new controls need to be implemented). 

In our example above we talk about a breach of a database containing PII data and the anticpated risk reduction if encryption were implemented. In Illustration 3 the risk reduction is evident within the comparison report. If encryption were implemented in this environment the organization would see a reduction in their responses to customers and a potential for a reduction in reputation damage. 

Illustration 3

bring-value-risk-analysis-tell-story-comparison-chart.png

You've put in hard work to complete a well-thought-out FAIR risk analysis -- make sure your presentation is equally positive by telling a very valuable risk management story and what business decision we are helping to make.

Interested in more presentation tips and tricks?  Check out the FAIR Analysis Fundamentals video training course

 

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37

Recent Blogs

SEE ALL
FAIR

Visionary Investor, Cisco Chairman Emeritus John Chambers to Keynote FAIRCON24

FAIR

Join Us in San Francisco for Happy Hour at RSAC24, Learn the Latest on FAIR Automation

FAIR

How to Think about Materiality for Regulatory Compliance (FAIR Inst Europe Summit Video)

FAIR

FAIR Inst Europe Summit: EU to Confront AI, Starting at Paris Olympics

FAIR

FAIR Institute Launches India Chapter

FAIR

What’s New about Generative AI Risk?