Sunday, January 28, 2018

"Chanakyaneeti*" for Risk Managers

The person who stifles innovation, the control freak, the person who restricts adoption of new & cutting-edge technology, the person who says "NO" – to a new business proposition, to Facebook in the office, to BYOD, to downloading & installing freeware… who would that be? Ask anyone and the answer would be: the CISO or CRO or someone in a similar role!

While this is probably the feeling amongst general employees, what do your boss & the senior management feel? A knight in shining armor, defender, guardian, superhero..? Nice dreams… Now wake up to the reality.

When someone proposes a new but potentially risky solution, which is endorsed by the Senior Management, how does the CISO/CRO convince them to take the right decision?
Ideally, the CRO / CISO should provide a solution to implement the idea in a way such that the risk is minimized to an acceptable level. However, if the risk cannot be mitigated or minimized, then the CRO needs to put his/her foot down… So what could be the best way to say “NO” and convince the management?

I prefer "Chanakyaneeti", the diplomatic method mentioned in Indian scriptures like the Mahabharata and also made famous by the Indian philosopher Chanakya. The method suggests four steps to be used progressively, and I have tried to apply them to the present scenario:

Sāma: (Reason) Explain the reasoning with logic. It is important to make the organization aware of the potential risk and its impact if the solution were to be implemented.

Dāma: (Price) Assess and present the financial impact in terms of business losses – the top-line and bottom-line impact to which the organization may be exposed – the price which the organization may have to pay.

Danda: (Penalty) Present the potential regulatory impact in terms of potential sanctions and fines.

Bheda: (Discrimination) The damage to reputation is the hardest hitting – if customers, partners and employees were to know the risk, would they still want to be associated with you? The probability of customers turning their backs on your organization would hopefully dissuade the management from going ahead with a solution that brings unacceptable risks.

If none of the above works, then we always have the Risk Acceptance Form!