Our request was designed to align and prioritize RiskLens resources to the specific needs stated within each customer charter. For some customers, the task of writing a charter has been an easy exercise, and others… not so much.
Steve Tabacek is Cofounder & Managing Director, Customer Experience, for RiskLens
All our customers are enthusiastic about the idea of improving their risk management integrity by moving away from non-credible qualitative risk assessments to quantitative risk assessments. Many invested in RiskLens software and professional services to jumpstart their risk management program. However, without broad executive buy-in and alignment, companies may find it challenging to institutionalize quantitative risk assessment into their workflow and governance. This is where a charter can help.
The writing exercise we requested from the CISO or Executive Risk Manager included two basic components:
1. In qualitative terms, identify what you intend to achieve by implementing RiskLens
2. Identify specific milestones and timelines for achieving them
Harold Marcenaro, Non-Financial Risk Manager at Banco de Credito del Peru (BCP) wholeheartedly embraced the charter writing exercise and offered to share his work:
During 2020, we want to implement a systematic method for identifying cybersecurity risks, quantifying them, aggregating them, communicating them, and prioritizing mitigating actions in order to focus our cybersecurity program on the most cost-effective initiatives.
In particular, by the end of 2020 we want to…
1. Aggregate the bank's total exposure to cybersecurity risk, and how it splits between threats, vulnerabilities, assets, processes, and products. Ex: The bank's total exposure to cybersecurity risks is US$XXXMM, of which X% is concentrated in assets A, B, and C, and the top vulnerability is D because it represents Y% of total exposure.
2. Define and build a risk appetite metric and limits for the total exposure to cybersecurity risk.
3. Quantify specific risks and prioritize initiatives between possible mitigating strategies. Exs: To protect asset X from threat Y, is it more effective to invest in preventive controls or detective controls? Is the exposure to threat Z higher in asset A or asset B?
4. Understand how an enterprise-wide initiative impacts several threats, vulnerabilities, and/or assets. Ex: Investing US$XMM in upgrading our firewalls would decrease our cybersecurity risk exposure by US$YMM.
5. Introduce these tools into our decision-making processes.
A well-written charter with buy-in from senior executives has a profound effect on the success of your program. The charter becomes a guiding document aligning both internal and external resources to an expected outcome. Any time the internal and external teams drift off-track, the document can be used to realign efforts for a positive outcome.
If you need help drafting a charter, feel free to reach out to me.