"My boss just doesn't get it."
The signs you're in this boat are noteworthy. You're rarely questioned about the legitimacy of the data you've collected. Feedback is positive, but nondescript (e.g. "We appreciate your work."). Your findings don't result in a change in direction, or worse, no one even asks for them.
The good news is that the ship has not sailed. There's still time to structure your program and present the results in a way that both educates and engages your leadership on the value of Risk Management. Below are three reasons your boss doesn't get risk management, and the steps you can take to satisfy their concerns.
You're Not Speaking Their Language
Your boss already has a host of concerns on their plate, and presenting a list of top 10 risks without context will result in nods of disengagement. Yes, your job is to identify new and emerging risks. But begin with today's concerns and demonstrate your value in providing transparency, intimate understanding, and potential solutions.
Don't report on cyber risk when your boss is concerned with talent retention. Rather, use your risk assessments, documented controls, and understanding of the enterprise to further your leadership's understanding of the problem. Who on the front line is affected by these issues? Who is having success handling them? What activities are in place or in process that might provide increased assurance over their concerns?
Your Reports are not Actionable
An unfortunate stereotype has emerged of the risk manager as a purveyor of the obvious, and risk managers reinforce this stereotype by presenting high-level, "fluffy" reports to their leadership. A top 10 risk report and pie chart of high, medium, and low risks might work in meeting 1, but will leave you with blank expressions and a lack of direction by meeting 2.
This means that you must have the flexibility and agility to aggregate data based on the concerns of your key stakeholders, and drill down when necessary to precise measures of success. A common example might be a high-level report of your company's exposure to risk related to data privacy, accompanied by a more detailed report of the various activities, activity owners, and cost of the mitigation in place. Reporting based on categories or high-level concerns is only meaningful if you can then walk through the more granular picture of how you arrived at the aggregate level.
You're Taking too Long
Many risk managers, unsure of what's expected of them and what their deliverables are, seek guidance through the creation of an ERM policy, charter, project plan or other procedural documents that effectively set expectations for their department. These kinds of documents provide a great deal of assurance for risk managers that they're meeting expectations, but add little value in addressing the concerns your boss has today.
Rather than put energy toward these governance activities, spend time creating value by engaging process owners in one of your company's strategic objectives. A common plan we recommend is to involve one "risk-friendly" business area in effectively mitigating the risks to a key strategic concern, and use that quick win to spur greater outreach. The results of your work not only provide immediate impact, but also clarify exactly what it is that needs to be in your governing documents.
As risk managers, we've been given a job that few organizations fully understand and one that can be difficult to measure. LogicManager can help: request a no-obligation conversation with one of our ERM professionals.