If you have read one of our previous posts around risk assessments, you probably have a good idea of why a risk assessment matters.
You’re probably also familiar with compliance requirements in frameworks such as HITRUST, ISO 27001, or SOC 2.
A key component of performing a value-added risk assessment is including the right people in your workshops to gain insight into high-risk areas through each subject matter expert’s lens.
So, Who to Pick for Your Risk Assessment?
Once you have completed some of the preparatory work during your risk assessment, such as reviewing assets in use, data flow diagrams, and critical business processes, you should select key business players that can help manage security, privacy, and compliance risks that your company may face.
Depending on how much time is available to perform the risk assessment and on resource availability, I recommend one-on-one working sessions, as they reduce opportunities for peer pressure or groupthink and help individuals speak candidly about the risks they are facing.
Functional group interviews are great opportunities to identify common perceptions regarding risks and can be supplemented by targeted individual workshops if time or resource scarcity is a factor.
Risk Assessment Workshop Candidates
- Chief Technology Officer (CTO): In a technology organization or a SaaS firm, the buck often stops with the CTO regarding security and the risks that impact the company’s offerings. They are also well-tuned to technology and market risks and will likely serve as a key management stakeholder when it comes to prioritizing risks. (Note: In a services organization, the appropriate person may be the Chief Operating Officer or VP of Services.)
- VP/Director of Development: This is often the best person to identify technical risks and opportunities affecting the products, with insight into the overall resource allocation that can be used to support risk treatment. They also are a great resource for identifying asset-based threats, vulnerabilities, and risks. (Note: In a services organization, this would likely be a practice lead.)
- Engineering/Development Personnel: While the CTO and VP of Engineering can likely address product-level risks, technical personnel, such as developers, can highlight operational risks that impact the product and underlying intangible assets. (Note: In a services organization, this would likely be a delivery team member.)
- Site Reliability Engineering (SRE): If you have an SRE team, it is worth taking the time to talk through your risk management approach with them, and to document the technical risks they believe the organization faces.
- Information Technology (IT): IT is often one of the largest control owners within an organization, owning many of the assets in use in the company and frequently owning access control as well. It makes sense to speak not only with the Director of IT but also with the broader IT function.
- CISO/VP of Security: The security function may be the team conducting the risk assessment, but even then, the CISO/VP of Security should be consulted on the risks and challenges the business is facing. It is especially important to consult this individual on risks from evolving threats and on the risk of not accomplishing security program objectives.
- General Counsel: If your legal function is in-house, they will have a good understanding of the risks the company faces, including market, contractual, or legal risks. Even if your legal function is outsourced, it may be worth paying their hourly rate to have a conversation about risk.
- Human Resources (HR): HR often has the best understanding of risks associated with one of the organization’s most important assets: personnel and knowledge. Having at least one workshop with HR is key to understanding security and enterprise risks associated with human resources.
- Chief Financial Officer (CFO): CFOs are often already experienced risk managers, especially of financial risks, and as a result they often have a great understanding of the risks and challenges the organization faces. They can also be champions for prioritizing resource allocation for security or compliance initiatives, so obtaining their buy-in on risk management early is a significant benefit to the process.
These titles may vary based on your size and organizational structure. However, you should ideally be able to identify people in the organization who fill the roles highlighted above.
Even if it is one person wearing multiple hats, having these conversations with them may help identify the risks that impact your organization.
If you have questions about who you should include from your organization or in the risk management process, feel free to reach out to me here, or to risk3sixty for support on developing a risk management program.