Unilever says risk model is paying dividends

IT and security professionals should present IT risk in terms the board can understand, and stick to standardised assessment methods to achieve that goal, according to Unilever’s global security director.
Unilever is benefiting from presenting IT risk in terms the board can understand and has created standardised assessment methods that are helping it to better manage its risks, it said this week.

Speaking at Gartner’s IT Security Summit in London, Unilever's global security director Andrew Strong said the Anglo-Dutch consumer products group was using a risk model known as criticality and risk management assessment – or Carisma for short – and it had proved a successful means of explaining risk to non-specialists.

Strong said the Carisma model was enabling Unilever’s board to make more informed decisions and to agree upon approaches to define and tackle risk across the organisation.

“It has proved effective in convincing chief executives and financial directors of the need to talk about risk in more understandable terms,” he said. “In business we all know there are risks to our information, but what we also have to do is assess those risks consistently.”

Strong said that, using Carisma, Unilever’s IT security department had established common processes and gained the initial backing of the financial director to enable it to proceed with assessing the criticality of each risk and providing a detailed assessment to executive management.

It has also built up a "harm reference table" that puts each potential risk into categories ranging from "mild" to "severe", giving a clearer demonstration of the cost implications of particular scenarios so that preventative action can be better prioritised.

Strong told other security directors that, if they adopted a similar approach, the degrees of risk should be carefully graded according to their company’s appetite for certain forms of risk.
