At the recent FAIR Institute London Summit, three FAIR veterans gave some pithy insights on making cyber risk quantitative analysis accessible – and persuasive -- to business leadership to win support for a cyber risk management program.
As Jack Whitsitt, Director of Cyber Risk Quantification, Ostrich Cyber-Risk, summed it up, “Communication is about storytelling…The numbers are meant to help us tell better stories.”
On the panel with Jack Whitsitt:
>>Cedric De Carvalho, Head of Group Cyber Risk & Advisory, Richemont Group
>>Tom Callaghan, Co-Founder, C-Risk
Watch the panel on communicating cyber risk to the board and senior management.
A FAIR Institute Contributing Membership is required to view. Join now!
Some key bits of advice from the panel:
>>Listen to these stakeholders to understand their needs before you even do analyses.
>>”The storytelling for me always starts with visibility,” said Cedric. Establish current loss exposure before moving to risk scenarios.
>>”Tune the story to the business and the board,” said Tom. “Sometimes we forget how much we know about this and how little executives understand.” One way to bridge that gap: Find key risk indicators that align with the business.
>>Any report you present should be “clear with no interpretation” required, said Cedric. At the same time “don’t babysit the board” and oversimplify.
>>Keep in your back pocket reporting that is much more extensive. “We have one report we present and one that goes very deep,” said Cedric. Tom added, “They’re not going to consume huge amounts of detail, but if the detail isn’t there you’re not going to have a credible presentation.”
>>Always “explain what you want out of the conversation,” Tom said. “If there is a decision to be made, try to articulate what that is.”
Get more tips on communicating about risk-based decision-making: Watch the video of the panel discussion. A FAIR Institute Contributing Membership is required.
