The Basics of Cyber Risk Management

New technologies, increasing digitization and globalization are transforming customer behaviors, operations and business models, presenting huge opportunities for business success while at the same time driving up cyber incidents. As organizations embark on their digital transformation journeys, it is imperative that they also assess the possible threats presented by these new technologies.

Traditionally, the focus for risk management has exclusively been on protecting value. However, in today’s digital economy, there has to be a shift from value protection to value creation. How best can you leverage risk management to benefit from new technologies and digital innovation?

Companies that place a higher emphasis on value protection and risk avoidance alone are most likely to find themselves behind in the pecking order. By contrast, organizations that approach risk management the appropriate way and establish better ways to address cyber risk are in a unique position to achieve greater competitive advantage and superior business performance.

Cyber Risk Should Become a Strategic Imperative

As the number of reported cyber incidents continues to escalate, it is clear that cyber risk is now a top-tier business risk. This means cyber risk management must become a strategic priority. The challenge for many C-suite executives and boards is that they lack a deeper understanding of cyber risk and its implications for the business.

This lack of deeper knowledge and understanding of the cyber threat landscape makes it difficult for many executives to have meaningful conversations around the topic.

Although cyber risk is everyone’s responsibility within the organization, boards and C-suite executives play the ultimate oversight role. They have to make sure the organization has a functioning cyber program that is aligned with risk appetite and threshold.

As one of the members of the C-suite, in partnership with the CEO, the CFO can play a critical role in ensuring that there are frequent discussions around the strategy table concerning cyber risk.

Risk and performance are interrelated, and since the CFO is mainly responsible for organizational performance improvement, s/he possesses the business acumen and analytical capabilities to create awareness of cyber risks and provide regular reporting to the CEO and the board.

The business environment is increasingly complex, and so is the enterprise risk landscape. Successfully driving performance in this environment therefore demands that the board and C-suite have a deeper understanding of the risks capable of derailing strategic execution.

In other words, these senior personnel must develop a positive risk mindset as well as the ability to ask the key performance questions. This is necessary to gauge the organization’s cyber risk exposure and build cyber resilience.

It is therefore critical that boards and C-suite executives stay informed about cyber threats and their potential impact on the organization’s strategy execution, reputation, and financial and operational performance.

Understand the Nature of Cyber Threats and Attacks

In order to effectively manage cyber risk, it is important for senior executives and their teams to have thorough knowledge and full awareness of the different types of cyber incidents. Over the past few years, cyber crime has grown beyond simple cases of theft and fraud. Cyber threats now include digital terrorism, government-sponsored hacks, disruption of services, corruption of data, Man in the Middle (MITM) attacks, malvertising, rogue software, ransomware and advanced persistent threats.

The above cyber incidents can all result in the organization incurring huge tangible and intangible costs. Organizations that have fallen victim to cyber criminals can attest that the aftermath costs are detrimental to the long-term survival of the business. Costs incurred by these organizations include regulatory penalties, legal damages, financial compensation to affected parties, loss of competitive advantage, loss of customer and business partner trust, and ultimately damage to the organization’s reputation and brand image.

How is your organization’s track record in terms of documented cyber attacks and data breaches?

Having an experienced and knowledgeable leader surrounded by a capable team is key to ensuring that the organization has the traits to detect, monitor and proactively respond to cyber threats and attacks.

Today, stakeholders are placing higher confidence in leaders who are exhibiting greater risk awareness and have sound strategies in place to protect business assets against unknown threats.

It is important to note, though, that cyber risk management goes beyond the technical. Not everyone needs to be an IT security specialist.

Having business acumen and enough appropriate knowledge to engage in intelligent conversations concerning cyber security and risk is key to grasping the fundamentals of cyber risk.

Embed Cyber Risk into the ERM Framework

An enterprise-wide cyber risk policy should be approved by the board and embedded into the business’s ERM framework. The cyber risk program must take into account all the aspects of the business that are susceptible to attacks and data breaches. Are there adequate security controls in place? Does the organization have the capabilities to detect and monitor vulnerabilities?

Moreover, key risk indicators (KRIs) and key performance indicators (KPIs) must be developed and monitored regularly. This will help immediately identify any threshold and performance breaches and, in turn, escalate such breaches to senior management.

When cyber risk is part of the ERM framework, a cyber-aware culture is promoted, which means cyber risk management becomes an everyday part of the business. People will take ownership of the management of risk and proactively involve others when needed.

The board and C-suite should set the right tone at the top in order to ensure there is buy-in at the lower levels. If the top level is unconcerned about and ignorant of cyber risk, it is extremely difficult for the lower levels to prioritize cyber risk management.

Thus, it is important that when executives talk about cyber risk, they do so openly and honestly using common language that promotes shared understanding throughout the organization.

I welcome your views and thoughts.

Peter Chisambara is a Finance/EPM Specialist. He helps business teams implement strategy more effectively, make informed risk decisions and improve business performance. If you are interested in conversation and discussion, please feel free to get in touch at ERPM Insights.

_________________________________________________________________________

Editorial Comment:

Below we list your options for studying cyber exposures in Global Risk Academy:

Option 1. Understanding Cyber Exposures – For Beginners

Option 2. Advanced Cyber Exposure Management

– Part 1 – Identifying Cyber Exposures
– Part 2 – Cyber Exposure Program Management

Option 3. A Bundle of all 3 courses – 35% off the original price

(most cost-effective option)


Comments

  • Hi Adebiyi,
    Thanks for your humble comments. In organizations that have a CISO, I agree the individual can play that role of creating awareness for the board. However, not all organisations have a designated CISO. In these organisations, the CFO is responsible for IT risk and security. In the event that the organisation has both CFO and CISO designations, the two can collaborate together, with the former helping the latter understand the business and strategic impact of cyber breaches and the latter helping the former understand the technicalities of cyber breaches.
  • Very apt!
    This article is very educative and I think every C-Level guy should read it and act accordingly.

    But, I have a reservation on the point that "CFO is mainly responsible for organizational performance improvement, s/he possesses the business acumen and analytical capabilities to create awareness of cyber risks and provide regular reporting to the CEO and the board".

    From the above statement, I think the role of creating awareness of cyber risks and reporting to the CEO and board is better managed by the Chief Information Security Officer (CISO).

    A sound CISO can also attribute a cost to each cyber risk in terms of money and time.
    For instance, to calculate contingency reserve, this simple method can be adopted:

    *EMV = Probability x Impact
    Net EMV = sum of all EMVs
    Contingency reserve = positive value of net EMV

    *EMV means Expected Monetary Value.

    My humble opinion!

    Regards,
    Adebiyi
    value.my