
Collaboration between the business risk and IT security teams

January 20, 2018

OCEG and MetricStream[1] have made available a free illustration on the topic of How Business, IT and Security Teams Gain a Common View of Risk:

[Illustration: OCEG Illustration, Agility and risk]

As usual, there are some good points in the OCEG/MetricStream work.

But, also as usual, I have some problems.

There is no such thing as IT risk, nor cyber risk or information security risk. These are just sources of business risk.

We should be concerned about how a failure to manage any of these areas might affect the achievement of business objectives.


Let’s take two situations.

In the first, the company is about to release a breakthrough new product.

In the second, the company is mid-cycle on its latest release and is starting to consider how to move forward in the next generation.

In both cases, success of the business is dependent on keeping its intellectual property (details about its product and related marketing and sales plans) safe. The likelihood of a breach and subsequent theft of its IP is identical.

But the effect on the business, and therefore the level of risk, is far greater in the first case than in the second.


It is fairly easy to come up with similar scenarios. Consider a retail chain and its dependency on the reliability of its computer systems. First, think of the level of risk should the systems go down mid-week in February. Now think of the level of risk should they fail during the week prior to Xmas or Thanksgiving.

How about a start-up company that finds out that its financial systems have been penetrated by a crime syndicate? Is the risk the same six months before going to investment banks and starting the process to go public as it would be in the midst of a public offering? Clearly not.


Yes, all of the groups included in the illustration need to be working together. But let’s add in the strategy and planning groups, operating management, and perhaps everybody else.

If you want to manage risks (and their sources) effectively, you need to consider how a failure in the use or management of technology could affect the operation of the business, today and in the future.


Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?


I welcome your comments.


BTW, I strongly recommend joining OCEG (www.oceg.org). Membership of the nonprofit is free and there are lots of resources, including webinars.

[1] Full disclosure: I have worked with both but am independent.

  1. GSosbee
    January 20, 2018 at 3:03 PM

    You are spot on, Norman. There are all kinds of silo risks, but all are business risks and have to be managed under one umbrella.

  2. Patrick Claude
    January 21, 2018 at 9:52 AM

    I fully agree! But it is a continuous challenge for the risk managers to make these silos work together. It starts with this willingness to segment the risks into categories, while they should simply be connected with the objectives. And, of course, one risk can affect multiple objectives, but it seems that we always want to make the world simpler than it actually is. Thank you Mr. Marks for your tweets and posts.

    • Norman Marks
      January 21, 2018 at 12:08 PM

      It is critical to understand how risks managed in two silos should be aggregated because they affect the same objective.
