11.3 Present Risk Information

In this activity you present background information to your organization's senior managers. Your goal is to set the context for the managers so that the protection strategy, risk mitigation plans, and action list make sense to them. You should explain any terms and concepts that may be new or different, for example, asset, threats, risk, and risk profile.

You might want to begin this activity by summarizing the OCTAVE process for the managers. Remember, they probably have not been involved in the evaluation since process 1. By reviewing the process for the managers, you can refresh their memories about the evaluation approach and provide additional context for the background information.

Review Risk Information with Senior Managers

One member of your analysis team should present risk information to the managers. Present the assets that were identified during the evaluation. Make sure that you focus the managers' attention on the critical assets that you identified during process 4. Review your rationale for selecting those critical assets.

Next, describe the basic structure of the catalog of practices and how it was used to construct the surveys used during processes 1, 2, and 3. Explain that you also used the catalog of practices to structure the organization's protection strategy and as a reference when selecting actions for risk mitigation plans. Present the following data to the senior managers:

• Composite, analyzed results of the surveys

• Protection strategy practices and organizational vulnerabilities grouped by practice area

• Threat, risk, and vulnerability information for each critical asset

Make sure that you summarize the above data in your presentation. You want to make sure that the managers understand the information, but you don't want to spend too much time on the details. After you have provided the background data, ask the managers if they have any questions. Let them know that they will next review the protection strategy and risk mitigation plans.