The proposed new standards for cyber risk management proposed by the federal banking regulators do not introduce new governance burdens on board of directors. They still hold key responsibilities such as setting target residual risk levels. Yet, there is a new expectation to conduct that effort quantitatively. Once the board sets an approved level for residual risk, how do we track our progress against it?
Once a covered entity (regulated financial institution) begins quantifying their cyber risk landscape, it empowers the board to make determinations about risk appetite, risk tolerance, and residual risk. By residual risk, we typically mean the risk organizations retain following the implementation of certain controls and the verification of their operational effectiveness. This is the type of risk that is frequently reported to the board by organizations.
Risk is a lagging indicator of the effectiveness of a program to manage the risk landscape (threats, assets, and controls). In accordance with the proposed standards enhancements, how effectively we manage risk is indicated by how closely risk aligns to board-approved levels. Using the RiskLens platform, covered entities can represent their residual risk in relation to board-approved levels.
Comparing risk levels with risk appetite
First, we can consider the residual risk within a given reporting period (e.g. quarterly). The first image shows the current residual risk as a distribution. The red appetite line represents the board approved residual risk level.
Comparing average exposure and approved levels of residual risk
Second, we can look at the trend of residual risk over time and how it tracks to the board approved level. In the second image, we can compare our average exposure over time to the board approved level of residual risk represented by the red line.
Residual risk is a key metric for understanding how much our decisions move the needle. Reports such as the two above allow covered entities to see their progress over time and understand how cyber initiatives affect exposure to loss. Once we know how much residual risk we have, we can set a line in the sand for how much risk we should have, as approved by the board of directors.