This post was inspired by an online interaction I recently had on LinkedIn. No matter how tempting it might be to assign a hard number to everything we have to measure, certain high-impact, strategic-level factors that IT risk managers often deal with are hard or impossible to quantify. Experts offer creative quantification solutions for some cases. Several excellent books are available on the subject, including the two in the How to Measure Anything collection: How to Measure Anything: Finding the Value of Intangibles in Business and, specifically for IT/cyber risk analysis, How to Measure Anything in Cybersecurity Risk.
On the other hand, as Dr. Deming observed, “The most important figures for management are either unknown or unknowable, but successful management must nevertheless take account of them.” When it comes to business risk prioritization, one of the hardest factors to measure, and one that will shape both the risk analysis and the risk mitigation work that follows, is the combined effect of the individual biases, personal agendas, and power alliances of key decision makers. Walking into an executive or board meeting aware only of the latest technological and cyber threat developments may significantly reduce the IT risk manager’s ability to gain support for a desired plan of action. To be more effective in their job and in securing executive buy-in, IT risk professionals must understand the explicit and, as much as possible, the more subtle human relationships and power dynamics that affect IT risk decision making in their organization.
The first step in gaining insight into these human power dynamics is identifying and mapping out stakeholders and performing a basic stakeholder analysis. The generic definition of a stakeholder is anyone who has an interest in the outcome of a project or initiative. This wide-ranging definition covers not only internal stakeholders (users, management, etc.) and the commonly acknowledged external ones (customers, partners, regulators, etc.), but also competitors and openly hostile parties, whose interest may lie, for example, in the failure to implement effective preventive and detective controls. For our purposes, we shall focus only on the most influential internal stakeholders—the risk owners, the people who control the key resources necessary for IT risk management work to succeed. There are many excellent resources to assist with preliminary stakeholder analysis and mapping, including Smartsheet’s introduction “What Is Stakeholder Analysis and Mapping and How Do You Do It Effectively?” and Boréalis’s “Stakeholder Mapping: How to Identify and Assess Project Stakeholders.” For an in-depth look at stakeholder management, see R. Edward Freeman’s Strategic Management: A Stakeholder Approach. Regardless of which toolkit you decide to use, recognizing the role that stakeholders play in the success of your initiatives, mapping out stakeholder profiles, and managing their engagement is an important first step toward making your work and your work products more effective.