Achieving Proper Risk Communication

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, chief risk officer for Kovrr
Date Published: 9 June 2020

The goal of communication is multifaceted. It is typically expressed as one or more of the following: to inform, to persuade, to request and/or to build relationships. Risk communication is a blend of these four things with a primary purpose of producing well-informed decision-makers. In modern IT practices, it is well understood that IT serves the business. IT strategy needs to be aligned to support the achievement of business goals and objectives. To ensure that business investment in IT creates the intended business value, we need to ensure that those same leaders understand what could go wrong and are given options to help avoid those outcomes. It is precisely at this intersection that a problem arises: how to appropriately translate the layers upon layers of technology into consumable communications for business leadership.

Achieving the communication goals above happens best when we are able to blend together logos, ethos and pathos, as Aristotle identified in Rhetoric. Our risk communication must be logical and well reasoned (logos). For this to happen, it has to withstand scrutiny, which is why risk ratings need to be underpinned by solid quantitative reasoning. You should be able to provide the numbers underneath a rating of “high,” for example, by being able to articulate how often the risk scenario may occur and how much value is at risk if it does happen. Ethos reflects your personal ethics and knowledgeability. It is here that we can improve our risk communication by summarizing and connecting technology failures into loss scenarios that are meaningful to the business. Creating a narrative risk statement helps demonstrate your understanding of the business operations and, by extension, improves the business’s perception of you as someone knowledgeable about the topic.

Those same narrative risk scenarios will also help you better connect with the business leader’s pathos, or emotions. Another well-understood modern IT business practice is that risk belongs to the business, not IT. To improve the business’s sense of ownership, and by extension its governance of IT, we need to translate IT risk into things the business cares about – which brings us back to those narrative risk statements. If the risk register you are presenting reads like a list of broken things, it will be perceived as a shopping list rather than as the potential for loss that we want the business to see. Translate the broken things into narrative risk statements that have a doer (threat actor), a deed (what control are they overcoming, bypassing, manipulating, etc.) and an impact (think confidentiality, integrity, availability [CIA], but translate it into meaningful terms the business will recognize).

Once you have done these things, you are much further down the path of better risk communication.

Editor’s note: For further insights on this topic, read Jack Freund’s recent Journal article, “Communicating Technology Risk to Nontechnical People: Helping Enterprises Understand Bad Outcomes,” ISACA Journal, volume 3, 2020.