FAIRCON2020 Panel: How FAIR Can Help Better Integrate Cyber Risk with ERM (Video)
James Lam, a widely recognized authority on enterprise risk management and former chair of the risk oversight committee of the E*TRADE board, has argued in FAIR Conference sessions since 2018 that cyber risk management must rise to the level of enterprise risk management before it is ready for a seat at the table with executive leadership and the board, starting with quantifying risk in financial terms.
Earlier this year, COSO, publisher of the influential Enterprise Risk Management Framework, added its voice in a guidance document that referenced FAIR™ as a tool for “management to align the cybersecurity program to the business objectives and set targets.”
Then just this month, NIST released a new publication, Integrating Cybersecurity and Enterprise Risk Management (ERM) (NISTIR 8286), that recommends quantification, and names FAIR specifically, so that organizations can “better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives,” as the document’s statement of purpose puts it.
At this year’s FAIRCON, James moderated a panel discussion on how to hit that integration goal, hearing from
- Paul Sobel, Chairman, COSO
- Greg Montana, Chief Risk Officer (CRO), FIS Global
- Christopher Porter, CISO, Fannie Mae
- Keith Weinbaum, Enterprise Risk Management Architect, Quicken Loans
Watch the video: Panel: How FAIR Can Help Better Integrate Cyber Risk with ERM on the FAIR Institute LINK members’ site (a free membership is required – register now).
Some highlights of what you’ll learn in the video:
A conceptual framework for integrating cyber risk management with ERM
James presented a chart showing the inter-relationships among these building blocks:
Governance structure and policies – who makes which decisions, and how policies such as risk appetite get set
Risk assessment and quantification program – how to make more informed decisions
Risk management – how to optimize the shape of the risk profile through risk acceptance, risk pricing, capital allocation and risk transfer
Dashboard reporting and monitoring – how we know we are accomplishing what we need to, that risk exposures are within risk appetite, and that we are giving transparency to management and the board
A look at how to organize governance according to risk
Greg Montana shared the org chart from FIS Global, showing ownership of the top risks among senior management:
- Strategic risk - CEO
- Financial loss and fraud risk - CFO
- Process and execution risk – CIO
- Regulatory and compliance risk - Chief Compliance Officer
- Information security risk (“our uber risk”) – CISO
“As a result of this governance structure and having risk appetite statements, I feel there is ownership across the company,” Greg said.
What a full FAIR for enterprise risk management implementation looks like
Quicken Loans is the pioneer here, using FAIR, with its focus on frequency and impact of loss events, across all risk disciplines except strategic risk. Keith Weinbaum walked through the example of the confidentiality risk model: Analysts started at where a loss might occur, then created 200 scenarios modeled with FAIR for every vector that a malicious actor could take to hit that point of loss. All the scenarios are “chained together” mathematically, and ultimately connect with scenarios for non-cyber risks. “Because we are leveraging the same methodology across the organization, we can compare apples to apples so we can prioritize our company’s limited resources to be truly focused on addressing the right risks at the right time.”
How to work through the quantitative to qualitative gap
Christopher Porter gave a candid account of a situation that probably sounded familiar to many FAIR practitioners in the audience: At Fannie Mae, the first line of defense (under Chris) runs on FAIR analyses but the second line uses the COSO framework qualitatively. “Right now, it’s a conversion job we are doing,” made more complicated by differing nomenclature. The organization bridges the gap with quantitative risk appetite statements so “it’s not as much fuzzy math for calculating cyber risk for the board.”
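The two situations above, a single frequency-and-magnitude model applied to cyber and non-cyber scenarios so they can be ranked on one scale, and a quantitative risk appetite statement that translates those results into the qualitative bands a second line expects, can be made concrete in a few dozen lines. The following is an added example, not code from Quicken Loans, Fannie Mae or the FAIR Institute; every scenario name, frequency and magnitude range, the appetite figure and the band thresholds are constructed for illustration. It samples PERT distributions from min / most likely / max estimates, draws a Poisson number of loss events per simulated year, and reports annualized loss expectancy (ALE) and the 90th-percentile annual loss per scenario. Scenarios are treated as independent and summed for the portfolio figure; the page says Quicken Loans chains its scenarios mathematically but does not describe how, so no chaining is modeled here.

```python
"""Added example (not from the panel or any panelist's organization):
a minimal FAIR-style Monte Carlo that rates several loss scenarios, cyber and
non-cyber, with the same frequency-times-magnitude model so they can be ranked
on one scale and compared against a quantitative risk appetite statement.
All scenario names, ranges, the appetite figure and the band thresholds are
constructed for illustration."""
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Scenario:
    name: str
    discipline: str                     # constructed label: "cyber" or "non-cyber"
    lef: tuple[float, float, float]     # loss event frequency per year: (min, most likely, max)
    lm: tuple[float, float, float]      # loss magnitude per event in USD: (min, most likely, max)


def pert(rng: random.Random, low: float, mode: float, high: float, lam: float = 4.0) -> float:
    """Sample a PERT distribution (a beta rescaled to [low, high]) from a
    calibrated min / most likely / max estimate, the usual FAIR input form."""
    if high <= low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for an expected rate (Knuth's method;
    adequate for the small rates typical of loss event frequency)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


def simulate(scenarios: list[Scenario], trials: int = 20_000, seed: int = 7) -> dict[str, list[float]]:
    """Return, per scenario, one simulated annual loss total per trial."""
    rng = random.Random(seed)
    annual: dict[str, list[float]] = {s.name: [] for s in scenarios}
    for _ in range(trials):
        for s in scenarios:
            events = poisson(rng, pert(rng, *s.lef))
            annual[s.name].append(sum(pert(rng, *s.lm) for _ in range(events)))
    return annual


def rank(annual: dict[str, list[float]]) -> list[tuple[str, float, float]]:
    """(name, annualized loss expectancy, 90th-percentile annual loss), highest ALE first."""
    rows = []
    for name, losses in annual.items():
        p90 = quantiles(losses, n=10)[-1]   # last of the 9 cut points = 90th percentile
        rows.append((name, mean(losses), p90))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def portfolio_ale(annual: dict[str, list[float]]) -> float:
    """Expected annual loss across all scenarios, treating them as independent."""
    per_trial = [sum(col) for col in zip(*annual.values())]
    return mean(per_trial)


def appetite_band(p90_loss: float, appetite: float, watch_fraction: float = 0.8) -> str:
    """Translate a quantitative result into the qualitative band a second-line
    reviewer expects, given an appetite statement of the form
    'annual loss at the 90th percentile shall not exceed <appetite>'."""
    if p90_loss > appetite:
        return "exceeds appetite"
    if p90_loss > watch_fraction * appetite:
        return "watch"
    return "within appetite"


# Constructed scenarios; every figure is illustrative, not any company's data.
SCENARIOS = [
    Scenario("phishing -> credential theft -> customer data exposure", "cyber",
             (0.5, 2.0, 6.0), (10_000, 100_000, 1_000_000)),
    Scenario("privileged insider misuse of customer records", "cyber",
             (0.1, 0.5, 2.0), (20_000, 200_000, 2_000_000)),
    Scenario("critical vendor outage halts loan processing", "non-cyber",
             (0.5, 1.0, 3.0), (5_000, 50_000, 300_000)),
]
APPETITE_P90 = 1_500_000   # constructed appetite statement: USD per scenario per year


if __name__ == "__main__":
    results = simulate(SCENARIOS)
    for name, ale, p90 in rank(results):
        print(f"{name:55s} ALE ${ale:>12,.0f}  P90 ${p90:>12,.0f}  {appetite_band(p90, APPETITE_P90)}")
    print(f"portfolio ALE: ${portfolio_ale(results):,.0f}")
```

Because every scenario, whichever discipline owns it, is expressed as an annual loss distribution in dollars, the ranking in `rank` is the apples-to-apples comparison the Quicken Loans approach relies on, and `appetite_band` is the kind of deterministic translation that removes the “fuzzy math” from a board report: the number is computed once, and the qualitative label follows from the written appetite statement rather than from judgment applied after the fact.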
How to know when your risk management program is working
As Paul Sobel of COSO said, “The answer is, when business people are making better decisions more of the time.”
Related:
What CISOs Should Tell Boards about Cyber Risk – 5 Insights from FAIRCON2020 (Video)
NIST Maps FAIR to the CSF - Big Step Forward in Acceptance of Cyber Risk Quantification