Unilever is benefiting from presenting IT risk in terms the board can understand and has created standardised assessment methods that are helping it to better manage its risks, it said this week.
Speaking at Gartner’s IT Security Summit in London, Unilever's global security director Andrew Strong said the Anglo-Dutch consumer products group was using a risk model known as criticality and risk management assessment, or Carisma for short, and it had proved a successful means of explaining risk to non-specialists.
Strong said the Carisma model was enabling Unilever’s board to make more informed decisions and to agree upon approaches to define and tackle risk across the organisation.
“It has proved effective in convincing chief executives and financial directors of the need to talk about risk in more understandable terms,” he said. “In business we all know there are risks to our information, but what we also have to do is assess those risks consistently.”
Using Carisma, Strong said Unilever’s IT security department had established common processes and gained the initial backing of the financial director to enable it to proceed with assessing the criticality of each risk and providing a detailed assessment to executive management.
It has also built up a "harm reference table" that puts each potential risk into categories ranging from "mild" to "severe" to give a clearer demonstration of the cost implications of certain scenarios in order to better prioritise preventative action.
Strong told other security directors that, if they adopted a similar approach, the degrees of risk should be carefully graded according to their company’s appetite for certain forms of risk.