In this video, Kip Boyle discusses strategies for sharing cost, benefit, and other data points related to managing information risks. Explore how to prepare proposals for management to explain top risks.
- Now that you know both the costs and the benefits of your ideas for risk reduction, it's time to prepare a specific proposal package. Let's call each risk reduction idea a project. You'll want to summarize each project on one page or less, so it's easy for your boss to quickly understand each one. Here's the essential information you'll need: the project's name, the name of the risk it's managing, and your estimated costs. Now summarize these into three or four categories, such as the number of hours from people on staff, the amount of money needed to purchase equipment, and money needed for outside services.
You always want to include a summary of expected benefits, an estimated completion date, and a list of the teams most affected, so they can be given advance notice. After you have summarized your entire project portfolio, let's create a visualization that will show how the projects relate to each other in terms of cost and benefit. By doing this, not only will we determine priorities, but we'll end up with an excellent communication tool. Start by opening up Visio, PowerPoint, or any other program with basic drawing tools.
Next, create an XY-axis grid. Now, put cost labels on the X-axis. Zero goes to the far right. Then, put the cost of the most expensive project to the far left. It's helpful to put in a midpoint cost as well. You'll see why the X-axis looks this way in a few moments. Now, put your business value labels on the Y-axis. Put the lowest score of any project near the bottom of the Y-axis, and then put the highest score of any project near the top.
In my experience, using the approach we discussed previously, typical scores are between 50 and 80. Now, plot each proposed project into the grid. Here, you can see three projects. Project one, in the upper right corner, is low cost and high value, which makes it a no-brainer. Project two, in the upper left, is high cost and high value, so you can think of it as a big investment in the future. Project three, in the lower left corner, is a high cost, low value project, which has little chance of getting approved unless everyone agrees it's absolutely critical, such as a compliance mandate.
Here's a finished example of a more mature visualization. The X- and Y-axes are similar, but overall, it's busier. That's because there's more data being presented. Look at the legend on the right. You can see the colors indicate whether the project has been approved, is pending to start, or is currently active. And the sizes of the circles tell you how much improvement in scores we'll get as each project finishes. The size of the inner circle reflects the current score for that risk, while the size of the outer circle is determined by the risk score after the project has been completed.
You could think of these circles as a simplified radar diagram. You may need to do more work to prepare your proposals for submission. Check with your boss and the project management office, or PMO, to find out what's required. Ask them to help you form a plan to gain approval from the other decision makers.
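The grid described above, built from data instead of drawn by hand, as an added example that is not part of the video or Kip Boyle's own material. It places projects on the reversed cost axis (zero on the far right), splits the grid at the midpoint cost and the midpoint business-value score, names the three quadrants the video discusses, and orders the portfolio from "no-brainer" down. The `Project` dataclass, the three sample projects with their costs, scores and statuses, and the midpoint rule are all constructed for illustration; rendering uses matplotlib only if it happens to be installed and is otherwise skipped.

```python
"""Cost/value portfolio grid for risk-reduction proposals (added example).

Everything below is constructed for illustration: the Project fields, the
sample portfolio, and the midpoint rule are assumptions, not the video's data.
"""
from dataclasses import dataclass


@dataclass
class Project:
    name: str
    risk: str            # the risk this project manages
    cost: float          # total estimated cost (staff hours, equipment, services) in dollars
    value: float         # business-value score for the project (video: typically 50..80)
    current_score: float # risk score today (inner circle)
    post_score: float    # risk score once the project completes (outer circle)
    status: str          # "approved", "pending", or "active" (legend colors)


# Constructed sample portfolio; names and numbers are made up.
PORTFOLIO = [
    Project("Project one", "Unpatched internet-facing servers", 12_000, 78, 55, 72, "approved"),
    Project("Project two", "No offsite backups", 95_000, 74, 50, 70, "pending"),
    Project("Project three", "Legacy audit-log retention", 80_000, 52, 60, 63, "active"),
]

# Quadrant names from the video; the lower-right quadrant is not named there,
# so it gets a neutral label. Rank is the approval priority, lowest first.
QUADRANT_RANK = {
    "low cost / high value (no-brainer)": 0,
    "high cost / high value (big investment)": 1,
    "low cost / low value": 2,
    "high cost / low value (needs a mandate)": 3,
}


def midpoints(projects):
    """Axis split points: half the most expensive project, and the middle of
    the observed value scores (the video's Y-axis runs lowest..highest score)."""
    max_cost = max(p.cost for p in projects)
    values = [p.value for p in projects]
    return max_cost / 2, (min(values) + max(values)) / 2


def x_fraction(cost, max_cost):
    """Horizontal position as a fraction of the grid width, 0 = far left.
    The axis is reversed: zero cost sits at the far right (1.0)."""
    return 1.0 - cost / max_cost


def quadrant(project, cost_mid, value_mid):
    high_cost = project.cost > cost_mid
    high_value = project.value >= value_mid
    if high_value and not high_cost:
        return "low cost / high value (no-brainer)"
    if high_value and high_cost:
        return "high cost / high value (big investment)"
    if not high_cost:
        return "low cost / low value"
    return "high cost / low value (needs a mandate)"


def prioritize(projects):
    """Return [(name, quadrant)] ordered by quadrant rank, then higher value,
    then lower cost, which is the approval order the grid is meant to show."""
    cost_mid, value_mid = midpoints(projects)
    labelled = [(p, quadrant(p, cost_mid, value_mid)) for p in projects]
    labelled.sort(key=lambda pq: (QUADRANT_RANK[pq[1]], -pq[0].value, pq[0].cost))
    return [(p.name, q) for p, q in labelled]


def render(projects, path="portfolio.png"):
    """Draw the grid if matplotlib is available; returns the path or None."""
    try:
        import matplotlib
        matplotlib.use("Agg")
        import matplotlib.pyplot as plt
    except ImportError:
        return None
    colors = {"approved": "tab:green", "pending": "tab:gray", "active": "tab:blue"}
    cost_mid, value_mid = midpoints(projects)
    max_cost = max(p.cost for p in projects)
    fig, ax = plt.subplots()
    for p in projects:
        # Outer circle: score after completion; inner circle: score today.
        ax.scatter(p.cost, p.value, s=p.post_score * 8, color=colors[p.status], alpha=0.3)
        ax.scatter(p.cost, p.value, s=p.current_score * 8, color=colors[p.status])
        ax.annotate(p.name, (p.cost, p.value))
    ax.set_xlim(max_cost * 1.1, 0)          # reversed X: zero on the far right
    ax.axvline(cost_mid, linestyle="--")    # midpoint cost
    ax.axhline(value_mid, linestyle="--")   # midpoint value score
    ax.set_xlabel("Estimated cost ($)")
    ax.set_ylabel("Business value score")
    fig.savefig(path)
    return path


if __name__ == "__main__":
    for name, q in prioritize(PORTFOLIO):
        print(f"{name}: {q}")
    print("rendered:", render(PORTFOLIO))
```

The quadrant split is one reasonable choice, not the video's rule: it uses half the most expensive project as the midpoint cost, which is what the video suggests labelling on the X-axis, and the middle of the observed value scores for the Y split. Adjust `midpoints` if your organisation has a fixed budget threshold instead.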
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance