Would you agree that without goals, life can be rather mundane and unproductive? For me this applies to both work and non-work activities. My non-work Big Hairy Audacious Goal (BHAG) happens to be Ironman triathlons. Back-to-back 2.4-mile swim, 112-mile bike ride and 26.2-mile run.
COVID resulted in the cancellation of my 2020 BHAG, the Ironman Mont-Tremblant in Quebec, and with no 2020 goal I lacked motivation for disciplined training. Consequently, my fitness level and psychological effects have been trending negative. For me, going through the motions of swimming, biking, and running without and end goal is very unproductive.
What’s this have to do with work, or risk analysis? This weekend I found myself on a bike ride thinking about the parallels between “swim/bike/run” and “scope/analyze/report.” Without an end-goal, both can be very mundane and unproductive! Both activities may qualify as “training” or the latter “work,” but without the BHAG the days of the year just pass by without recognition of improvement or accomplishment.
Steve Tabacek is Managing Director, Customer Experience, and the co-founder of RiskLens. He has competed in six Ironman triathlons, most recently Ironman Canada-Whistler in 2019. -->
Scope, analyze, report. Scope the scenario, collect data and run the analysis, and customize the reporting. I have talked to risk analysts that day-in, day-out scope, analyze, and report, however when I ask what value they have generated from their efforts, they rarely have an answer. I’ve asked, “What important decisions were made?” “Hmmm, I have to think about that…” As the days, weeks, months, and quarters pass by, many acknowledge completing analysis work, but the results aren’t used for anything productive.
Set Up Your Cyber Risk Management BHAG
My recommendation is to do analysis work with the BHAG in mind. What is your risk analysis BHAG?
Here is one example:
Help the company save money through cost effective risk management
By end of 2021 reduce control spending by 20%
- Understand the ROI of every expenditure over $100K
- Eliminate low ROI control spending or use risk analysis as negotiating power to reduce renewal cost for low ROI controls
When I set a personal BHAG, I sign-up for the race, make travel reservations, and establish a schedule for training milestone accomplishments. At this point, I’m all-in! One way of setting a cyber risk management goal is to write a charter. Within this blog “ How BCP’s Digital Risk Officer Ensures Success of Bank Cyber Risk Management with a Charter Document” Harold Marcenaro’s BHAG clearly articulates multiple facets of milestones and measurable objectives.
Similar to Ironman training, don’t initially overdo it and expect results overnight. With Ironman training, I don’t exceed a 10% increase in mileage per week, otherwise I risk injury. Within the corporate environment, pushing quantitative risk analysis too fast, too soon may be hazardous to your mental health! Organizations require phased-in education and cultural adaptation. Your one-year journey should begin with a BHAG (as a well written charter), carved-up into bite-sized weekly, monthly, and quarterly milestones. One workout at a time… One analysis at a time. Was your last analysis productive? Did the analysis provide enough data for effective decision support? Did it provide value? (Be patient. Sometimes the downstream effect of your work, for instance, clarifying your organization’s top risks, may take a while to influence decision-making.)
Defining your cyber risk management BHAG will set the path toward analysis productivity. It will turn what may feel like mundane unproductive work into tangible value for your business. Remember, BHAG’s are almost always a journey with many variables. Like Ironman training, routine swimming, biking, and running are not enough. Planning, executing, measuring, and adjusting to meet weekly milestones is critical for success. As you map out your cyber risk management BHAG for the year, set measurable milestones to ensure you cross the finish line exceeding expectations.