Pop quiz, hot shot. There is a headline on the front page. Your boss bought the paper because the headline caught their eye. If the boss reads this article on the way to work, the boss explodes when they get to work. The boss wants an answer from you and only you and they want the answer in an hour.
What do you do? What do you do?
Make a deal. Tell your boss that you will stipulate that there are a number of internal and external threats the organization has to account for if they stipulate that newspaper articles written by even the most objective news organizations are designed to not only inform but also elicit a reaction. You may also mention that some of these reactions probably shouldn’t be part of the conversation in which a management team, exercising appropriate levels of due diligence, should engage.
Move to reset the conversation. You propose a change in focus toward the high-value assets that impact organizational goals. Offer to do some digging, ask around, and pose questions to the business units to see what they think of the threat described in the article.
Get to work. The upside of working for the government is that everything gets written down and reported in at least five different directions. Use this to your advantage when you begin your analysis. Also, no matter what kind of threat the article is describing (operational, strategic, financial, etc.) keep in mind that your analysis method is the same:
Identify the high-value assets and projects to scope your analysis. If you focus on resources that are “most important” you give yourself at least a fighting chance to make the one-hour deadline. Leverage information in the Business Impact Analysis to identify high-value assets and reference the Strategic Plan to identify objectives and goals.
Identify and prioritize the threats that correspond to these resources. The key is to be like Domino’s – get as much information as you can from wherever you can in 30 minutes or less. You have two pathways:
- Interview subject matter experts and any personnel involved with these most important resources. What do they think about the article? Does this article change the way they perceive the threat landscape? Have they accounted for this threat already? If so, where? How would they rank the threat (High, Med, Low)?
- Do your own digging. Leverage information in the Disaster Recovery Plan to identify the catalog of threats for which the organization has already accounted. Review incident reports to identify detected, contained and eradicated threats. Ask yourself the same questions you would pose to organizational experts.
Document the threat information you collect alongside recommended risk mitigation or risk acceptance responses as well as any effort associated with each mitigation task. Some mitigation efforts just require new or improved policy and procedures; others may require additional levels of effort.
Present the results to your boss and add any takeaways or context you may have discovered during your drill down analysis. Provide your boss additional assurance that since these threats have now been identified, they can now be periodically monitored to ensure appropriate action is taken.
This approach enables you to replace fear and doubt with data and information. It also allows you to provide insights into your organization’s risk posture, keeps your boss from going fetal, and lets you live to fight another day – which is the main thing.
Scott Severns is part of the GovLoop Featured Blogger program, where we feature blog posts by government voices from all across the country (and world!).