Risk Blog 8: How to Mitigate the Risks of Miscommunication

Published on 20 Jan 2019


Everyone approaches GRC differently because they have had a different upbringing. Over time, organizations and departments also evolve organically, adopting distinct ways of working and following different methodologies.

Take integrated risk management, for example: IT risks are largely dealt with in one of the following four ways.

  • Treat: implementing specific controls to mitigate the risk.
  • Tolerate: accepting that you are exposed to certain risks based on your risk appetite.
  • Transfer: choosing to outsource certain things or insure your organization against them.
  • Terminate: avoiding risks or dropping them completely.

However, even something as common as these four T’s can be termed differently: mitigate, accept, outsource and avoid. And it is not only the words that differ; the definitions behind them also vary from one organization to the next.

Common language

Do words matter?

Because everyone approaches GRC in different ways, they also use different words to describe their risk management. However, because the underlying meaning is the same, it doesn’t really matter.

Or does it?

The reality is that, for integrated risk management, the actual words you use can be the difference between success and failure. Using different words, even if they mean the same thing, can block your systems, methodologies and people from working together because they are not speaking a common language. Talking in different languages puts you at greater risk of miscommunication, as people could be reporting different datasets for different controls.

80% of employees say miscommunication occurs frequently in their organization (source: Fierce Conversations and Quantum Workplace).

Technology is irrelevant

Every organization needs to implement a control framework to help mitigate the risks they’re exposed to. Most organizations turn to technology to assist them, but implementing a GRC system, either with or without a dedicated solution, isn’t going to be successful unless you’ve addressed the basics first.

For your risk management framework to integrate seamlessly across your organization, you need to start by mitigating the risk of miscommunication. This doesn’t mean your departments suddenly need to adopt new working practices. It could be as simple as agreeing on common words, or on reporting data in the same way, so that everyone is talking about risk in the same terms. For example, your business units could agree to score the severity of a risk’s impact on a scale of ‘1 to 5’ rather than ‘1 to 4’.

Once you have agreed a common vocabulary around risk and compliance, the data is captured in the same way when your functional business units score risks in their individual management systems. Then, when risks are reported on, everyone has the same understanding of the information being communicated, and that data can be easily compared and analyzed across the organization.

Keep it simple

In defining your organization’s common language, there is no need to write a dictionary defining every word. It doesn’t have to be a mammoth undertaking, but it does need to be done to establish a solid foundation on which to build your integrated risk management framework.

Start by looking at what you have now, and you will quickly see how certain words can be tweaked, or reporting methodologies adapted, to create a language everyone understands.

In SureCloud’s recent webinar, we shared an integrated risk management framework that easily adapts to your way of working, and helps you gain that common understanding of risk across your organization.

The webinar is available on-demand through BrightTALK here.

Alternatively, if you have a specific question about integrated risk management or how the SureCloud platform can help you meet your challenges head-on, you can contact the team directly through