As I work with more and more organizations that are on the path towards designing, developing and implementing quantitative risk management programs, I’ve begun to see patterns emerge.
For some clients, the road towards a successful quantitative risk management program seems to be fraught with false starts, a noticeable lack of involvement from necessary colleagues, even outright refusal to be a part of the process. For other clients, of course there are challenges along the way, but they seem to be able to build consensus around the new approach and cultivate relationships that result in more allies instead of enemies, which in turn causes the risk team to be sought out instead of hidden from… who would have thought that was possible?
What is it about those latter organizations that allows them to be so successful? What have they implemented that the former have not? I don’t believe there is any one factor that has led to their success, and of course each organization is different, which is to say what worked in one organization may not work in another.
Yet there is one thing, one skill set that has been put on the back burner in favor of greater quantitative proficiencies, that I believe unites all of the successful… What I’m referencing are soft skills.
Most organizations would agree that no one person can design, implement and, most importantly, maintain a successful program, period; risk or otherwise. More often than not, it takes a small village of people, some more fully dedicated than others, to make any new idea, or in our case, a quantitative risk management program, prosper.
Yet in my experience, there seem to be few organizations that take the time to prime the organization for the cultural change, invest in building relationships and develop approaches that look to benefit their stakeholders, as well as themselves. So here are a few recommendations, for those on their path to adopting FAIR and designing a quantitative risk management program, that put building relationships at the forefront.
Get the word out
This new approach should not take people by surprise. They should feel that they are a part of it, possibly even on the ground floor of something really new and industry-changing. With that, you may want to consider developing a “road show” or holding a few introductory sessions with people within your organization that give them a good understanding of FAIR, your goals, the new approach and how this new process will benefit them and the organization.
Craft an elevator pitch
Once you’ve had an opportunity to hold your road show, the evangelizing should not stop there. I am by no means advocating that you pontificate about FAIR and hold court about your new program whenever you see fit… NO; this is where those soft skills really come into play. When and where appropriate, you and your team should have your 5-minute elevator pitch down pat on FAIR and your program. It should almost feel nonchalant, and fit easily into the conversation you’re having at the moment. Repetition is the name of the game here. The more people hear about FAIR and the services you can provide, the more likely they are to remember you when a need arises. The key, though, is that it’s a positive association, and not a bad one.
When reaching out to SMEs...
During any interaction with your SMEs, whether it be just to provide an overview on FAIR, or you’re looking for their help on data points, a key component of that interaction should be how what you’re doing will benefit them: how this process will help solve a portion of their pain, or how it will provide them with additional insights that could be useful for their own work processes. By doing so, you exponentially increase the chances that the next time you reach out to them, they respond to your email instead of moving it to the trash.
Start quantitative risk analysis in their comfort zone
When it comes to presenting your results, don't be surprised if you have to meet your stakeholders where they're at, at least for a little while. Presenting results in a quantitative format requires education, which means that you should consider taking baby steps to wean your stakeholders off the traditional red-yellow-green heat map, by tying quantitative ranges to said colors.
As I further outline in a previous blog post, 4 Steps to a Smarter Risk Heat Map, by taking this approach, you present your results in a format they're comfortable with, while increasing the chances that you're all on the same page when you say that this is a red risk.
These are just a few of the things that you don't hear much about in developing a quantitative risk program but that I've found to be exceptionally beneficial. Soft skills and building relationships, I would say, are just as important to the success of your program as the quantitative model you use to assess your risks. By keeping this in mind, you’ll develop more allies instead of enemies, people who would like to see you succeed rather than fail.