Everyone agrees that risk is essential. They just have different versions of what risk is, Evan Schuman reports.
It’s time to rethink risk – both how to operationalize it and how to define it. With all the incompatible views of risk from different stakeholders through an enterprise, it’s hardly surprising that so many organizations struggle to get beyond checklist security mentality.
At the large enterprise level, the definition of risk varies based on who is answering the question. CISOs and CSOs approach it from a strictly security perspective, CIOs get close to that view but are more focused on internal audiences, compliance executives take a purely regulatory view, other line of business (LOB) execs take it all very personally (“How will complying with this request help me with my budget goals? Will it improve my division’s time to market, efficiency, perhaps brand loyalty? What’s in it for me?”) and senior-level C-levels (CFO, COO, CEO, etc.) and board members view it tactfully and fund it as little as is – in their view – absolutely necessary. Even chief risk officers – assuming the enterprise has one – take the broadest view of risk, but their influence on other parts of the enterprise can be highly limited.