risk
Imported tag from Readwise
For those who are uncomfortable with statistics, it is better to ask them how often something might happen rather than the probability of its happening. Second, this variable is better able to capture events that occur more than once per year (or period). A frequency of two per year is easy to comprehend, whereas a 200 percent probability is not on ...
Most battles are won before the contest begins—by those who are most prepared.
80/20 outcome of picking a viable small set of metrics that represented the majority of the risk outcome. Leading metrics as opposed to even well calculated and modeled lagging metrics were the most transformational - especially when subject to Board limits (mandates).
CFOs understand risk and tradeoffs well, so present your security plan in that light. Rank your risk areas and clearly (in a non-jargon way) explain the impact of the risk area on the company, the coverage, and how the investment will help mitigate the risk.
what are our most critical assets and business processes, what risks do they face and how do we mitigate those, how do we monitor that risk mitigation to make sure it remains effective and who and how has deemed any residual risk acceptable? Finally, how do we independently challenge this to make sure we’re not getting too comfortable?
It is important to clearly communicate to the target audience which items on the list are threats, assets and controls (however weak they may be). Executives must understand how the combination of these categories of things can be manipulated to cause harm to the enterprise.