How BCP’s Digital Risk Officer Ensures Success of Bank Cyber Risk Management with a Charter Document

August 5, 2020  Steven Tabacek

Could spending 30 minutes on a writing exercise improve productivity and save your organization a lot of time and money? Yes, I am certain of it! Recently we have been on a mission to get every RiskLens customer to write a charter document simply outlining why they purchased RiskLens software and services and the expected value or ROI.

Our request was designed to align and prioritize RiskLens resources to the specific needs stated within each customer charter. For some customers, the task of writing a charter has been an easy exercise, and others… not so much.

Steve Tabacek is Cofounder & Managing Director, Customer Experience, for RiskLens

All our customers are enthusiastic about the idea of improving their risk management integrity by moving away from non-credible qualitative risk assessments to quantitative risk assessments. Many invested in RiskLens software and professional services to jumpstart their risk management program. However, without broad executive buy-in and alignment, companies might find it challenging to institutionalize quantitative risk assessments into their workflow and governance. This is where a charter can help.

The writing exercise we requested from the CISO or Executive Risk Manager included two basic components:

1. In qualitative terms, identify what you intend to achieve by implementing RiskLens.

2. Identify specific milestones and timelines for achieving them.

Harold Marcenaro, Non-Financial Risk Manager at Banco de Credito del Peru (BCP), wholeheartedly embraced the charter writing exercise and offered to share his work:

During 2020, we want to implement a systematic method for identifying cybersecurity risks, quantifying them, aggregating them, communicating them, and prioritizing mitigating actions in order to focus our cybersecurity program on the most cost-effective initiatives.

In particular, by the end of 2020 we want to…

1. Aggregate the bank's total exposure to cybersecurity risk, and how that splits between threats, vulnerabilities, assets, processes, and products. Ex: The bank's total exposure to cybersecurity risks is US$XXXMM, of which X% is concentrated in assets A, B, and C, and the top vulnerability is D because it represents Y% of total exposure.

2. Define and build a risk appetite metric and limits for the total exposure to cybersecurity risk.

3. Quantify specific risks and prioritize initiatives between possible mitigating strategies. Exs: To protect asset X from threat Y, is it most effective to invest in preventive controls or detective controls? Is the exposure to threat Z higher in asset A or asset B?

4. Understand how an enterprise-wide initiative impacts several threats, vulnerabilities, and/or assets. Ex: Investing US$XMM in upgrading our firewalls would decrease our cybersecurity risk exposure by $YMM.

5. Introduce these tools into our decision-making processes.

A well-written charter with buy-in from senior executives has a profound effect on the success of your program. The charter becomes a guiding document aligning both internal and external resources to an expected outcome. Any time the internal and external teams drift off-track, the document can be used to realign efforts for a positive outcome.

If you need help drafting a charter, feel free to reach out to me.