The first step in performing a risk assessment, it is thought, is to identify the risks. Then you institute measures to control them, and to mitigate the impact if your controls don’t work.
Bank examiners have recognized that there’s an important preliminary step: learning how to recognize these risks in the wild.
“Examiners Head for Cybersecurity School,” Wall Street Journal, December 1, 2014, C3. Regulators recognized the need for additional skills to deal with cybersecurity risks.
Is the same thing true of information governance? Is it time for new skill sets? Should the directors and senior managers get “dipped” in information governance and information-related risks?