Cyber risk: we all know it’s there, and bigger and meaner than we could possibly imagine. At least, all of us risk professionals do. But what about the rest of the organisation? Is managing cyber exposures at the top of their agendas as well? Probably not, which makes enterprise-wide management of this peculiarly insidious and severe risk that much more challenging. But help is at hand, in the form of cyber risk governance groups.
A report published by the Federation of European Risk Management Associations (FERMA) in conjunction with the European Confederation of Institutes of Internal Auditing (ECIIA) outlines a model for cyber risk governance groups chaired by a risk manager who oversees a group of senior representatives from across the organisation. With the aim of increasing cyber resilience, the groups are mandated to determine exposures in financial terms and to develop mitigation plans and processes across departments.
The governance groups should be composed of representatives from IT, HR, data management, finance, compliance, and others who have a general view of the cyber risks facing the company. The cross-functional composition of the groups ensures that all governance decisions are viewed through a “cyber” lens. And with a strong framework in place, risk managers can integrate cyber safety measures throughout the organisation from the highest level.
FERMA and ECIIA’s iteration of cyber risk governance groups facilitates communication and risk-based decision-making through an inclusive framework that integrates cyber security into the company culture. Through these groups, risk managers can confidently engage disparate stakeholders and bolster the support structure within companies to protect themselves from attacks and build greater resilience.
“Cyber [security] is not only an IT issue,” says FERMA president Jo Willaert, “so it’s important that risk managers are involved and that they have direct relationships with different people.”
Many organisations need no further persuasion that this new reality must permeate cyber management governance organisation-wide. “As long as companies consider cybersecurity as a mere responsibility of the IT department, they will not succeed in creating an overall secure environment,” says Dirk Lybaert, chief corporate affairs officer at Belgian telecoms provider Proximus. His company already uses governance groups for cross-sector communication on cyber risk – and for implementation of the necessary integrated prevention measures.
The ominous threat posed by cyber attacks can also serve as an opportunity for risk professionals to demonstrate their value and expand their influence in the boardroom through leadership of governance groups. Risk managers are in a unique position to connect company leaders in strategic dialogue across a breadth of departments. By bringing coalitions of leaders together within the organisation in a common cause, risk managers are given an opportunity to break out of the silos in which they sometimes operate. “Cyber [security] is now a top management issue,” says Willaert. “It’s certainly an opportunity for risk managers to show the importance of their function.”
Many at the top will of course welcome their risk managers stepping up to the plate – Renault-Nissan chairman and CEO Carlos Ghosn for one. “Cyber risks are like unpredictable storms of ever-growing severity,” he says, adding that cyber governance requires a proactive alliance between anticipative risk management and internal stakeholders and auditors.