I had a conversation with a Head of GRC and he said that he didn't think his team's risk assessments added any value to the organization no matter how much effort they put in.

Context: Here's how it started:
- ISO 27001 Clause 6 requires they do a risk assessment, so they do
- A GRC team member does an interview-based risk assessment every year
- They produce a report and log results in an Excel risk register

The Problem:
- There is no "formal" approach to doing the risk assessment. It is left up to the judgement of the person doing the work. As a result, quality varies.
- Sometimes the risk assessment is really a controls gap assessment.
- The risks identified do not drive business decisions and aren't taken seriously by leadership. Leadership basically ignores it.
- The risk register is not widely shared and issues aren't tracked. In fact, there have been times where the "official" risk register has been lost on SharePoint somewhere.
- Last year the risk assessment quality was so poor the CISO buried it rather than presenting the results to the executive team.

Here's What We Are Doing to Fix It
The GRC team engaged risk3sixty to level up. Here's what we are doing:
- We are doing targeted risk assessments based on current business objectives rather than a "same as last year" approach. This takes some pre-planning, but makes our work more relevant and timely.
- We are standardizing a few things: how we select targeted assessments, codifying methodology, risk rating system, risks vs. gaps language, and requirements for risk owner response
- We centralized the risk register and project remediation tracking in fullCircle (rather than Excel). This helps with project management and year-over-year progress reporting.
- We standardized a meeting rhythm to track remediation projects. This way the GRC team can be a good accountability partner and earn more relevance with the business.

The Result
Here is what I'm seeing so far:
- We think these fixes will make the risk assessment work more relevant to the business and give the GRC team a higher profile internally.
- We also think it will shift from an "ISO requirement" to a tool the CISO wants to tap into to drive business objectives.

----

Recently the CISO made a "request for risk assessment" from the Head of GRC to "get their business perspective". First time that has ever happened. Early results are promising.
Assessing Project Risks In Relation To Business Goals
Stop doing risk assessments no one reads. You already have to do one every year, so why not make it useful?

Most assessments get buried because they're qualitative, vague, and disconnected from the decisions that actually matter. Here's the fix:

→ Upgrade to a semi-quantitative assessment that clearly shows what's most likely to go wrong, and what it would cost.
→ Then take your top 3–5 material risks and run a simple quantitative analysis. Think: loss expectancy, downtime thresholds, incident response costs.

You don't need a math degree. You just need better structure, tighter inputs, and a little courage to stop playing the compliance game.

Because when done right, that same assessment suddenly becomes:
- A tool for executive reporting
- A foundation for budget justification
- A forcing function for business alignment

Risk assessments shouldn't sit on a shelf. They should drive action.
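The two-stage approach in the post above (a semi-quantitative screen over the whole register, then a quantitative loss-expectancy pass over the top few) is easy to put in code. The following is an added example written for this page, not code from the post's author or from any tool they use. The 1–5 likelihood and impact scales, the loss-expectancy formula (annual rate of occurrence × per-event loss, where per-event loss bundles direct loss, downtime cost and incident response cost) and every register entry and dollar figure are constructed assumptions for illustration.

```python
"""Semi-quantitative screen of a risk register, then a quantitative pass
(annualized loss expectancy) over the top few material risks.

Constructed example: the register entries and all dollar figures are made up."""
from dataclasses import dataclass

# Ordinal rating scales (assumption: a 1-5 scale for both likelihood and impact).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str                    # key into LIKELIHOOD
    impact: str                        # key into IMPACT
    # Quantitative inputs; only needed for risks that survive the top-N screen.
    single_loss: float = 0.0           # direct cost of one occurrence (SLE)
    occurrences_per_year: float = 0.0  # annual rate of occurrence (ARO)
    downtime_hours: float = 0.0        # expected outage per occurrence
    hourly_downtime_cost: float = 0.0  # cost of each hour of that outage
    response_cost: float = 0.0         # incident response / forensics cost per occurrence


def semi_quant_score(r: Risk) -> int:
    """Stage 1: likelihood x impact on the ordinal scales (1..25)."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def annualized_loss(r: Risk) -> float:
    """Stage 2: ALE = ARO x (direct loss + downtime cost + response cost) per event."""
    per_event = r.single_loss + r.downtime_hours * r.hourly_downtime_cost + r.response_cost
    return r.occurrences_per_year * per_event


def top_material_risks(register, n=3):
    """Rank by the ordinal score, keep the top n, and attach a dollar figure to each."""
    ranked = sorted(register, key=semi_quant_score, reverse=True)[:n]
    return [(r.name, semi_quant_score(r), annualized_loss(r)) for r in ranked]


# Constructed register; values are illustrative only.
REGISTER = [
    Risk("Ransomware on file servers", "possible", "severe", single_loss=150_000,
         occurrences_per_year=0.2, downtime_hours=48, hourly_downtime_cost=5_000,
         response_cost=80_000),
    Risk("Lost unencrypted laptop", "likely", "minor", single_loss=5_000,
         occurrences_per_year=2, response_cost=3_000),
    Risk("SaaS billing outage", "unlikely", "major", single_loss=20_000,
         occurrences_per_year=0.5, downtime_hours=8, hourly_downtime_cost=10_000,
         response_cost=2_000),
    Risk("Phishing of finance staff", "almost certain", "moderate", single_loss=25_000,
         occurrences_per_year=1, response_cost=10_000),
    Risk("Lobby visitor badge misuse", "rare", "negligible"),
]

if __name__ == "__main__":
    for name, score, ale in top_material_risks(REGISTER):
        print(f"{name:32s} score={score:2d}  ALE=${ale:,.0f}")
```

Running it lists ransomware, phishing and the lost laptop as the top three by ordinal score. Note that the SaaS outage, which the 1–5 screen drops, carries a larger annualized loss than the laptop case once downtime is priced in; that gap between the qualitative ranking and the dollar figure is exactly what the quantitative pass is meant to surface before the report goes to the executive team.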
As the self-proclaimed OG of the statement "Ask Your Client How They Make Money", I'm compelled to remind you that asking the question is just the beginning.

It's now mainstream for MSPs to say, "Ask your client how they make money." Which is awesome! If you're an MSP, you've heard it by now because it resonates. It's the starting point for aligning risk assessments with your client's core business drivers, helping you shrink their risk to revenue.

But, from my observation, you need help on the next (and most important) steps. Asking the question is just step one. If you're not doing anything with the insight, you're just having a conversation.

-> You need to know what to do next to make it actionable. Here's how to actually follow through:

1. When you ask how they make money, focus on what directly impacts their revenue. Is it a proprietary platform? Sensitive customer data? These are your golden nuggets.
2. Now that you know what drives revenue, follow the bouncing ball. Where does this data live? How's it processed, shared, stored? Protecting these data flows is your top priority. Start mapping your threat models here.
3. Dive into who has access to systems, what security measures exist, and where shadow IT hides. Don't overlook potential vulnerabilities in their tech stack. This is where the real risk is... human and technical.
4. Don't treat all risks the same. If the client's revenue hinges on a specific app, assess the risks to that app. If it's a customer database, focus on data protection. If it's phones, focus on the phone system. Make it specific to their needs.
5. Your report needs to speak THEIR specific language. Focus on how each risk impacts revenue. Don't drown them in technical jargon. Use clear, relatable language to show how mitigating these risks will directly protect their income.
6. Identifying risk isn't enough. Offer specific, actionable recommendations, whether it's additional security measures, better access controls, or employee training. Ensure the solutions align with their business goals.

-> Asking about how your client makes money is smart, but if you're not following up with a tailored, actionable risk assessment, you're missing opportunities. The real value lives in understanding those business drivers, mapping risks to them, and providing clear steps to mitigate exposure. MSPs who execute this well will stand out, build trust, and win long-term client relationships.

The next time you ask the question, have your actionable steps ready and ensure your recommendations directly protect their revenue.

#msp #business #risk #security #OG