From overhead to investment: how to sell risk management without scare tactics

Figuring out how to justify expenditures is never an easy task. In the field of risk management, it is usually fear that convinces organizations to spend money. Risk managers emphasize elevated risk levels to justify investment in staffing, assessment work, or electronic tools. However, this reliance on fear as a motivator often leaves a sour taste in the mouths of senior management. Here we present some of our experience in using other methods to make the case for risk mitigation.

People who say “fear sells” think that monkeys can write a business case

Waking up from risk complacency

The reality is that for most organizations, risk management is an overhead expenditure to be kept as low as possible. Risk managers are rarely given access to the resources needed to implement any improvements. Risks mount, reporting increases, and day-to-day operational activities consume the greater part of available resources.

Without access to additional funds or human capital, risk managers default to maintaining the business, otherwise known as “keeping the lights on”.

Day-to-day activities – responding to access requests, managing consent, investigating and reporting on breaches – become the main focus. Over time, the organization’s culture shifts towards complacency.

One can easily detect if an organization is in that position: policies are outdated; all new initiatives are reviewed by a third party; any discussion of future opportunities ends with, “We don’t have the resources”. Yet privacy, information technology, and information protection experts are emphasizing that managing risk is more important than ever. Organizations hold more digitized information than ever before, and the increased use of portable devices, shared systems, and online portals creates new opportunities for information theft and hacking. Recent business and world news illustrate how data risks have materialized in the form of major breaches of citizens’ personal data. Affected organizations, particularly in the public sector, are under pressure to make changes.

Risk management as an investment

With these events in the background, privacy and security risk managers should seize the opportunity to reframe risk management as an investment rather than an overhead cost. We suggest three ways to persuade financial officers of the benefits of mitigating risk, without resorting to scare tactics.

  1. Risk management is business process improvement. Many privacy or security risks can be solved through business process improvements. In our experience, many of the recommendations in risk assessments have to do with processes. For example, a common issue with online portals is that the handoff between registration and billing for account holders is unidirectional: there is no process to confirm that registered users have paid their fees, or to suspend their accounts when their registration has expired. Filling this gap addresses the privacy issue of unauthorized portal access, and also generates revenue.
  2. Risk management is automation. Similarly, if privacy or security risks are a result of manual processes that can be automated, risk mitigation can be sold as increased efficiency. For example, if two departments host their own data sets pertaining to user profiles, investing in an automated validation tool will eliminate redundant efforts and reduce errors requiring staff attention.
  3. Risk management is a selling point for funding or investment business cases. Risk and compliance managers can show how risk mitigation is a differentiating factor in the eyes of external funders, clients, and business partners. Business cases for external funding or investment and responses to requests for proposals can cite risk management as a differentiating factor with regard to external competition.

These three principles can work for private or public sector, major or small organizations. Risk management provides both product and service companies with a competitive advantage by differentiating them from others. Government organizations facing funding cuts can leverage process improvements to improve employee utilization and limit outsourcing.

Risk managers can sell risk management to financial officers as an investment factor, showing how it improves bottom lines and provides a competitive advantage.

Such an approach changes the question from, “What is the minimum I have to pay to manage this risk?” to “What is my return on investment?”



Senior Editor:

Esther Townshend



All rights reserved, © Waël Hassan

Waël Hassan, PhD, is the editor in chief and lead writer of Transigram, an online monthly magazine. Transigram explores legislative and regulatory changes, new technologies, and the needs and challenges of data custodians. It also provides insight into the development of our approaches to open data access strategies and models. Transigram offers summaries, analyses, insights, and commentaries on business transformation in the areas of Governance, Risk & Compliance, Project & Portfolio Management, IT Strategy & Operations, and Technological Tool Management.
