Risk is a number

It's a dangerous world. Companies need a unified approach to managing risk

By Richard McGill Murphy

Risk surrounds us, as any parent or actuary will tell you. At a high level, Merriam‑Webster defines risk as “the possibility of loss or injury.” Insurers, lenders and investors make business decisions every day by calculating the probability that a given loss or injury will actually occur, whether it’s death, default, or a market crash.

More formally, statisticians define risk as the spread in values across a given set of probabilities. Also known as variance and/or volatility, this spread can be expressed as a number. Investors typically use variance statistics to measure the risk they assume when purchasing a given security.

Inside companies, however, different constituencies speak different languages when it comes to risk. For example, security pros have traditionally measured risk in operational terms. In a risk presentation to the board of directors, a chief information security officer (CISO) might announce, “Good news! We’ve reduced our vulnerable assets by 40% year over year.”

Cue glazed eyes around the boardroom table. The disconnect happens because business leaders define risk mainly in financial terms, not operational ones. For them the core question is always: “How much will it cost us if this dreaded event comes to pass?”

To win over peers and leaders outside the security domain, CISOs need to couch risk in business terms. The same board presentation might go like this: “Good news! We successfully reduced our cyber risk from a range of $100‑200 million a year to a range of $25‑80 million a year, because we reduced vulnerable assets by 40% year over year.” Now cue head nods around the table, and perhaps a lavish annual bonus for the CISO.

The same rules apply to any risk conversation inside a company. PR pros think about reputational risk. HR leaders worry about flight risk. CFOs and general counsels obsess about financial and compliance risk. CIOs are paid to worry about IT risk, which includes everything from event management to cloud sprawl, cloud compliance, availability, resiliency and vulnerability.

If you want the board’s attention, you need to quantify all these risks in terms of their business impact, measured in dollars or the currency of your choice. And if you’re looking for budget approval as well, it helps to contrast the relatively modest sums needed to mitigate security risk with the massive financial impact of a major breach.

“A $2 million spend to mitigate billions in risk is a no‑brainer for the board,” says my colleague Sean Convery, VP and general manager of the security business unit at ServiceNow.

For more tips on how to get your board’s attention, check out Kristin Burnham’s nearby article, “4 essential CISO skills.” Spoiler alert: They include rock star level communication skills, business acumen, strategic vision and a learning mindset.

This isn’t just good advice for CISOs or even C‑level executives. Anyone who aspires to a successful business career needs the ability to get out of the operational weeds and frame risk in business terms. Failure to do so is downright risky.

Richard McGill Murphy is the editor in chief of Workflow. A journalist and social anthropologist by background, he runs a research and publishing program at ServiceNow that studies how emerging technologies are shaping the future of work.
