Enterprise risk management (ERM) is often viewed as a bureaucratic and unnecessary process, subtly or overtly motivated by regulation, accompanied by internal risk leadership kingdom building and suggesting an unclear value proposition. Occasionally, these perceptions are correct, and ERM fails. Yet, there is hope for a successful ERM approach with the right motivations and when designed and implemented with the real business goals and culture of the organization in mind. This is when ERM becomes an invaluable approach to learning about and managing truly destructive risks. A successful ERM approach also creates a clearer lens for seeing and responding to emerging risks, including potential impacts, and helping to prioritize the more valuable solutions. The resulting ERM processes are, however, often fraught with hurdles, preventing many organizations from achieving a level of risk astuteness and maturity beyond ad-hoc decision making.
Few risks affect organizations with the diversity, impact and pervasiveness of cyber. As we are now a truly internet-connected and -dependent world, few organizations escape material exposure to this ever-evolving risk and its wide range of impacts; fewer still seem to have effective plans for cyber risk mitigation or an ability to calculate the value “in play” gained, or not, from their cybersecurity strategies. This is not to say many organizations haven’t addressed or aren’t trying to address cyber risk. Beyond regulatory requirements, no effective governance structure today would allow management to ignore or not actively investigate this growingly complex enterprise-wide risk. Even so, why would cybersecurity become a clarion call for ERM? What role does ERM play in helping to solve the cyber dilemma, and to assess this critical cross enterprise risk? We are glad you asked.
Every organization should approach risk management in a way that is effective for itself and its key stakeholders, both internal and external. This sounds good but, as mentioned, is hard to accomplish. ERM often means something much less than a comprehensive, multi-step framework and numerous processes addressing a full gamut of ERM components. ERM should at least mean, however, that those elements that most meaningfully contribute to solving the problem (i.e. understanding and controlling the risk) are employed. Certainly, at a minimum, this means identifying and valuing the significance of the exposure, treating it appropriately and then monitoring its status until it is no longer a significant threat. However, is it necessary to first build a risk culture, create a risk appetite, implement a risk tolerance strategy, appoint risk liaisons across the business, establish ERM committees and invest in sophisticated risk modeling?
Likely not, unless your key stakeholders suggest or regulation requires otherwise. ERM processes can easily become overly complicated and burdensome, often working to slow or complicate risk identification and mitigating responses and unnecessarily constraining the business. Further, many ERM processes focus repetitively on risks with a potential for the most obvious and severe impacts (larger inherent risks), sacrificing an ability to otherwise tease out emerging risks and those subtle, often related, frequency risk impacts (lower-level risks), which may be slowly (or rapidly) correlating across the business. ERM frameworks primarily focused on a severity approach, unfortunately, result in a blurry ERM lens and may inadvertently expose the organization to emerging and systemic risk blind-spots. A good example of an emerging risk blind-spot is the various risks found today within a category of risks associated with information security (i.e. cyber risks).
See also: Why Risk Management Is a Leadership Issue
Cyber risks are a notably different type, when compared with the types of risks historically addressed within an enterprise-wide risk management framework. Why? Cyber risk management is analogous to identifying and responding to risk impacts from multiple, simultaneous “smart tornadoes" (e.g., advanced persistent threats).
For example, consider these two facts: 1) cyber risk can be high-frequency and low-severity, or high-frequency and high-severity, at the same time; and 2) cyber risk “impacts” vary widely depending on complexity of known and unknown harm administered, success rate of harm administered and internal acceleration of any such harm (dwell time, lateral movement, then organizational detection and response). These variables create an infinite number of impacts and costs, matrixed across a business.
This is an unusual risk behavior, to say the least, and today’s dynamic cyber risk ecosystem creates a delicate challenge for many in the information security profession. When a person proclaims (or attests, or suggests) “don’t worry, we have cyber risk covered” (e.g., managed or otherwise solved for), then she is suggesting an ability to see the future. In other words, she is implying that she generally knows how those smart cyber tornadoes are going to behave outside, inside and throughout the business, every day.
Admittedly, for most, it is difficult to acknowledge what we do not know and, especially, the vulnerability we may have in facing a first-of-its kind risk management challenge – with various risks we are unlikely to completely mitigate. However, as more and more businesses engage cloud service providers and increase use cases for Internet of Things (IoT) endpoints, organizational key stakeholders, such as boards of directors, regulators and rating agencies, are becoming increasingly concerned about how organizations are identifying gaps in cybersecurity efforts. There is movement by these stakeholders to test and confirm that risk management processes are in effect and that the enterprise is identifying and responding to risks associated with those smart cyber tornadoes.
It is important to understand that even if an organization believes it “has cyber risk covered” by virtue of its current information security (‘InfoSec’) approach, there is still, for many, a critical regulatory requirement to assess the cybersecurity risk itself. Failure to adequately identify, test, monitor, trend and report on enterprise-wide cyber risks creates significant financial, regulatory, reputational and operational exposure for the organization. Static reports that capture log data but are not otherwise normalized or matched to enterprise risk profiles and controls are arguably not offering complete or robust information to the enterprise, for either historical or prospective time periods. And, when we say a risk is managed, it is important to note we are applying a risk management term of art – regulators often have definitions and tests to demonstrate assurance.
Managing a risk means identifying, tracking, scoring and valuing, normalizing and trending risk performance, including the net impacts. These steps are performed in accordance with compliance standards and aligned with risk tolerance. Management also includes evaluating how the risk profile (e.g., an enterprise grouping of all defined cyber risks) is changing over time (and we know it is changing) and what key risk impacts the organization is facing from the portfolio of (cyber) risks. This is where the ERM framework and ERM processes can help.
The existence of an ERM framework does not provide a
carte blanche solution for cyber risk management or mitigation of undesirable cyber risk outcomes. Instead, consider ERM a distinct, enterprise-wide enabler for addressing cyber risk management. In many cases, in-force ERM processes and protocols provide the “plumbing” that InfoSec leaders can immediately access and rely on to deploy quick(er) cyber risk identification, monitor the effects of specific risk mitigation strategies and capture and analyze overall enterprise-wide cybersecurity results.
The interplay between ERM and InfoSec serves a critical function for the business. It helps to optimize risk management resources to ensure the InfoSec team is able to focus on the cybersecurity battle at hand. Hacker-driven intrusions and internal actors, along with many other threat vectors and attack surfaces, keep the InfoSec community scrambling for the best depth of defense and tactical offenses required to maintain uptime productivity, lower dwell times, accelerate responses and ensure overall data governance. Meanwhile, together with ERM, InfoSec faces global regulation of personal data actively shifting underfoot, resulting in increasing complexities and wider adoption of cybersecurity regulatory standards.
These newly enacted regulatory standards are providing regulators with an ability to dig deep and assess enterprise-wide cybersecurity risk management. For instance, the National Association of Insurance Commissioners recently said:
"State insurance regulators have undertaken a number of steps to enhance data security expectations to ensure these entities are adequately protecting this information. As part of these efforts, the NAIC developed Principles for Effective Cybersecurity that set forth the framework through which insurance regulators will evaluate efforts by insurers, producers, and other regulated entities to protect consumer information entrusted…(sic)"
Additionally, the New York Department of Financial Services recently said:
"Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers."
It important to note both regulatory agencies are concerned with evaluating enterprise-wide cybersecurity risk – which, in turn, leads us back to the enterprise-wide risk management “plumbing” and risk governance processes and how the ERM-InfoSec interplay can be helpful in achieving organizational risk management objectives.
As an example, we can consider how to use the NIST-CSF (National Institutes of Standard and Technology - Cybersecurity Framework) as a starting point for an enterprise-wide cyber risk identification exercise. The NIST framework offers a diagnostic approach for assessing an organization’s technical cyber risk profile (the current state) versus desired risk tolerance and outcomes (the target state).
Separately, using a similar approach, ERM can be assessed through commonly adopted risk maturity evaluative frameworks. One such framework is the RIMS Risk Management Maturity model (RIMS-RMM). This model shares several diagnostic themes with the NIST CSF, including evaluations of risk identification, risk culture, risk resiliency and risk governance. (National Association of Insurance Commissioners, 2014)
See also: How Insurtech Boosts Cyber Risk
The common themes between several functional topics within the two frameworks create an opportunity to explore the corollaries between the two frameworks. Scores can be mapped and linked, effectively creating an integrated overall score, by applying relativity factors that capture the directional relationships between the two frameworks. For instance, how might low technical cyber risk scores, such as weak DLP oversight, inform and potentially change the ERM score addressing risk (data) governance? When properly integrated, the NIST CSF and RIMS RMM provide a synchronized view on data governance, privacy and enterprise-wide cybersecurity performance.
An integrated analysis, such as a combined NIST CSF plus RIMS RMM approach, helps an organization accelerate their ERM and InfoSec risk management performance and increases risk awareness. In turn, increasing risk awareness leads to becoming more risk astute. When an organization is more risk astute, it is maturing in its risk management thinking, as evidenced by positive return on risk investments and system-wide risk mitigation solutions prioritized and finely attuned to best support organizational growth and profitability. Most importantly, they are increasing their cyber resiliency while deploying strategic cyber risk management.
The company that successfully integrates a robust cyber risk management approach and its ERM framework is at a distinct competitive advantage. Not only is such an organization effectively managing its resources and expenses; it is linking cyber security to its business goals, enterprise risk profile and strategic vision.