FAIR Institute Blog

Who Owns Cyber Risk? The Answer Isn’t Clear in Many Organizations

[fa icon="calendar"] Nov 23, 2021 3:21:34 PM / by Jeff B. Copeland

Fire Alarm - Who Owns Cyber RiskThe recent 2021 FAIR Conference (FAIRCON21) brought together three experts in corporate governance and risk management to debate how organizations should structure lines of responsibility for cyber risk and security before a cyber loss event exposes the weak links in the chain of command.

“In many executive suites, there’s too much confusion about who is responsible,” said panelist Elizabeth Sheedy, author of Risk Governance Biases, Blind Spots and Bonuses. That’s compounded by a frequent lack of consequences for senior management, she added; the CISO may have to take a walk after a cyber incident, but the C-suite often skates away, bonuses intact. 


Board Panel - Improving Risk Governance and Avoiding Blind Spots, Biases and Bad Incentives

Elizabeth Sheedy, Professor of Applied Finance, Macquarie University Business School

James Lam, Independent Director, Chair of Risk Oversight Committee, E*TRADE, NACD 100 Honoree

Deb Dunie, NACD Board Leadership Fellow 

FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK. 

Some key points from the session:

Don’t create tech silos and blur cyber risk responsibility

The NACD’s principles of good cybersecurity governance (see the blog post NACD Cyber Risk Oversight Handbook Endorses Quantification, Cites FAIR) apply to both information and operational technology, Deb Dunie points out, but the two may be siloed. “We often see a split of who’s managing within an enterprise what piece of the cyber risk. Because of that, there tends to be some confusion as things happen as to who is on point and responsible for ensuring that the cyber accountability and the things you are trying to achieve are directly tied up to the strategic objectives of the organization.”

Try the 3 lines of accountability 

Risk management thinks in terms of the three lines of defense – James Lam suggest organizations think in terms of the “three lines of accountability…The first line being responsible for the business and operational results, the second line responsible for policy and oversight and the third line responsible for providing assurance in terms of the internal audit function, and the board is responsible for overseeing the management team and the overall organization.” 

A risk-based culture needs to hear bad news

As Deb Dunie said, “For cyber risk, it’s critical that we set a culture up that rewards people for raising bad news stories if there is bad news to tell because the sooner you get it out there, the sooner you can work to try to remediate it.”

Legal requirements may be needed to enforce responsibility 

Prof. Sheedy presented research she conducted on reporting regimes enforced on financial institutions in the UK and Australia and found they succeeded remarkably well.  “Members of the senior executive team have a clear, individual accountability.  Each has a distinct list of issues they are responsible for. When something goes wrong, it’s very clear whose fault it was.”  

FAIR™ can help build a culture of responsibility based on solid analysis 

The panel discussed applying to risk management the notion of System 1 vs. System 2 thinking, the idea from behavioral economics that describes, roughly speaking, gut reaction vs. rational consideration. James Lam said “When you think about the FAIR™ model, and the RiskLens platform, it’s really about System 2 thinking…objective variables that are data driven…Over time, if you have better data analytics, you will have better intuition and better judgement.  And that interaction Is going to help with risk management on an ongoing basis.”

FAIR Institute members can watch all the 2021 FAIR Conference session videos.

Topics: FAIR Conference 2021

Jeff B. Copeland

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.

Join the FAIR Community

Subscribe to Email Updates

Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts