Tips on Integrating Cyber Risk into ERM

“Cyber risk is business risk” – it’s easy to say, but in practice, how should we align cyber among the many business risks, risk owners and approaches to risk management that coexist in the modern large enterprise?

That was the issue that a panel of experts who have worked across risk management silos debated at the recent 2024 FAIR Conference.

Watch this video for insights on:

>>How cyber risk owners and managers can start the conversation with their enterprise risk management (ERM) team.
>>How to handle the problem of different maturity levels between ERM and cyber programs.
>>How FAIR brings different risk teams together around a common language.

WATCH NOW: Integrating Cyber Into ERM

Panel

>>John Sapp, VP, Information Security & CISO, Texas Mutual Insurance Company
>>James Lam, Board Director, Blackrock iShares
>>Stan Dore, Former CRO, FHLB
>>Aneesh Bhatnagar, Head of Risk Products, ServiceNow
>>Moderator: Evan Wheeler, Sr. Director, Tech Risk Management, Capital One

Opportunities for Aligning Risk Management Programs

“Ultimately, now everything is evolving into resilience,” Aneesh said, “which means connections are important. What is a critical business service? What are the people, facilities that will help deliver the critical service? Cyber is an essential part of it because cyber could disrupt any of these.”

COSO Components of ERM

COSO’s elements of ERM - Learn how the FAIR Framework complements COSO ERM and other standards

Maturity of ERM vs Cyber Risk Management

“In banking, financial services where risk management has always been a key part of their business model they would have a more mature ERM program with governance, policies and metrics,” James said. “Then the key is how do we integrate cyber into that framework?

“For non-financial companies, you might find the cyber risk management program more mature than the enterprise risk management program. The ERM program might be relying on risk control self-assessments and heat maps. That presents more of a challenge.”

What Works to Foster Alignment in Risk Management?

Organizational alignment is an important factor, James said. Should the CISO report to the CIO, CRO, or CEO, and what’s the relationship to the Board? On the E*TRADE Bank board, where he chaired the risk committee and the CISO reported to the CIO, reporting was very technical and not related to the business concerns. “The presentations were so boring – none of the directors could remember what was said.”

The bank changed the reporting structure so that the CISO reported to the CRO – “and when the CISO came back, cyber was presented more as a business issue and a risk management issue,” using FAIR. The Board could compare loss exposure to risk appetite and risk mitigation strategies, “and that became the format for our annual report. These meetings and how you present are critical. One meeting could make or break your career.”

“Today, CISOs have to be risk managers,” John added. “CISOs are starting to move out from under the CIO because cyber is being treated too much as a technology issue, not a business issue. At the end of the day, a cyber attack or a technology outage affects the entirety of the business…

“When you talk about alignment, the question is who owns what risk? Somebody is the risk decision maker for some category of risk. When you make that structure, that is your alignment…At our organization, we have representatives from each category of risk in our ERM meetings.”

Finding a Common Language of Risk

Panelists agreed that FAIR, with its taxonomy that applies across all risk types, was a valuable tool to bring cyber and enterprise risk management into alignment. “If it all goes through the same enterprise risk framework, with the same taxonomy so you can look at which risk needs to be prioritized – cyber, AI, privacy, credit, market are all equal,” Aneesh said. “With FAIR it becomes easier to communicate to the board so that they can give guidance on investment…The Board wants risk teams to come together around a recommendation.”

WATCH NOW: Integrating Cyber Into ERM Panel Discussion
