Directors: Cybersecurity HAS Joined ERM

January 15, 2019  Jeff B. Copeland

The 2017 Enterprise Risk Management Benchmark Survey by The Risk Management Society (RIMS) found that 73% of organizations surveyed across 14 industries report “either having fully or partially integrated ERM programs in operation” and 61% said that ERM informs and influences their corporate strategies. The driver is the increasing interdependence of risks facing enterprises.

Just look at the NotPetya virus of 2017 that started as a cyber risk then became an operational risk as ships were halted at sea and factories stopped producing, then became a financial risk as lost sales due to the disruption hit the bottom line. Yet the cyber risk discipline has largely been left out of the ERM movement. What's going on? Here’s the story:

What is Enterprise Risk Management (ERM)?

As RiskLens board member and corporate governance expert James Lam explains in this book Implementing Enterprise Risk Management (John Wiley & Sons, 2017),  these are the key points to understand ERM.

  1. It is “a management process based on an integrated and continuous approach, including understanding the interdependencies across risks and implementing integrated strategies”.
  2. The goal is “not minimizing or avoiding risks but optimizing risk/return trade-offs”. In other words, ERM recognizes that there are both downside risk decisions (like buying insurance) and upside risk decisions (like investing in a new venture) and that risk is best viewed as a bell curve, a distribution of possible outcomes.
  3. Risk management must support Board and senior management decision-making, particularly on risk appetite, capital policy and strategic investments.
  4. “Key components of ERM include governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting.

This integrated approach works when the organization shares a common understanding of risk, and a common language to communicate about risk, namely in financial terms, and that requires the ability to quantify risk in dollars, yen, euros, etc.

In ERM, cybersecurity is usually MIA

And that’s where cybersecurity, as it’s too often practiced, gets left out of the ERM process. Many infosec shops lack the models or tools to quantify cyber risk in financial terms – they’re stuck in the era of heat maps or high/medium/low ranking, qualitative not quantitative measurement of risks based on analyst opinions.

Worse, cybersecurity is stuck with the mentality that, when it comes to risk, the only goal is “minimizing or avoiding.” That leads to an over-reliance on compliance standards and checklists, which always leads to the conclusion that more spending on controls is better.

Optimizing risk/return trade-offs?  Forget it, with no financial analysis, there’s no basis.

Determining a risk appetite based on high/medium/low? Not much guidance there, either.  Without better information, “every organization I’ve encountered defines how much cyber and technology risk it’s willing to live with as ‘Medium-Low’,” writes Jack Jones, creator of the FAIR model for quantitative information risk analysis, in his blog post A FAIR View of Risk Appetite. It just sounds right.

Supporting Board and senior management decision making? Not in an ERM environment, where the rest of the business is able to report up based on an integrated, financially driven look at risk, while the infosec group can only report on infosec-centric metrics.

With risk quantification and the FAIR model, cybersecurity joins ERM  

The FAIR model, and the RiskLens software platform, enable analysts to quantify cyber risk in financial terms, based on internal company data and industry data on the frequency and impact of cyber events that cause losses. Data for a risk scenario gets run through a Monte Carlo engine that generates a range of probable outcomes in a bell curve to support decisions on risk/return tradeoffs for operational and cyber risk. With the RiskLens platform, analysts can also compare results against a stated risk appetite.

And analysts can readily produce reports in line with an “integrated and continuous approach” to risk management. FAIR is also compatible with COSO, used by many companies as their ERM standard and framework (see a graphic of the framework above).  As RiskLens CEO Nick Sanna wrote in a blog post,  How FAIR Can Ensure The Success of COSO Risk Management Programs, COSO explains how to incorporate risk into business strategies, but does not say how to assess risk to inform those strategies. “That gap can be filled by using a proven analytical risk model such as FAIR”.

Organizations that power cyber risk analysis with FAIR can answer Board level questions such as:

  • “What is our cyber risk exposure in economic terms?”
  • “What is our exposure relative to our capital?”
  • “How much cyber insurance should we carry?”
  • “Should we invest in new digital ventures that also bring cyber risk?”
  • “How do we know that our cybersecurity program is working effectively?”
  • “Can we meet regulatory requirements for cybersecurity risk disclosure in financial terms (per the new SEC guidance)?

“The history of ERM indicates that managing risk by silos doesn’t work because risks are dynamic, they have critical interdependencies, and they need to be aggregated at the enterprise level,” James Lam said in an interview when he joined the RiskLens board. "Unfortunately, cyber being the new kid on the block in many situations is managed as a silo with different methods and that’s a real pitfall.” But cyber risk can grow up, starting now.

Learn more about risk quantification: Join 3,000 other risk management professionals as a member of the FAIR Institute. The influential consulting group Gartner recently named cyber risk quantification as one of the 5 critical capabilities of integrated cyber risk management.