With digital transformation accelerating, cyber risk becomes ever more an enterprise priority – more incentive for enterprise risk management (ERM) and cyber risk management (CRM) to work closely together. “ERM is the best friend you never knew you always had,” John Button, ERM expert for the leading tech consultancy Gartner, tells CRM teams. He’ll explain how to build a close, mutually beneficial relationship in a talk at the upcoming FAIR Conference 2022.
Presentation: Managing Cyber Risk as a Strategic Enterprise Risk
John Button, Principal Enterprise Risk Advisor, Gartner
Wednesday, September 28, 11:15 AM – 12:00 PM
Register for FAIRCON22 now - attend online or in person
John advises ERM teams on risk management process, risk governance, and program development and observes these points about ERM professionals:
- They’re experts in the risk management process, but not necessarily experts in cyber risk or cyber risk analysis.
- They can take such a broad, high-level view of risk that they struggle to connect what they do with business units or other functional levels, such as information security. This results in what he coined “risk stratification,” which leaves many of the organizations he sees unable “to aggregate risk from the bottom up.”
- While they are often still using ordinal scales to express risk, many are eager to adopt true risk quantification in financial terms.
The infosec teams he sees often have the opposite problem: they are experts in their own domain but lack a wider view of the enterprise, especially of how ERM is conducted, and they lack a seat at the table with the board and senior management, where ERM is already positioned.
John’s advice to both sides: Look to a model like FAIR for a common language that translates risk into business terms across organizational silos. But he suggests that infosec take the initiative by showing how quantification fits cyber risk management into ERM processes. “Get as close as possible; integrate with them and don’t wait for them to come to you.”