The recent 2021 FAIR Conference (FAIRCON21) brought together three experts in corporate governance and risk management to debate how organizations should structure lines of responsibility for cyber risk and security before a cyber loss event exposes the weak links in the chain of command.
“In many executive suites, there’s too much confusion about who is responsible,” said panelist Elizabeth Sheedy, author of Risk Governance Biases, Blind Spots and Bonuses. That’s compounded by a frequent lack of consequences for senior management, she added; the CISO may have to take a walk after a cyber incident, but the C-suite often skates away, bonuses intact.
Elizabeth Sheedy, Professor of Applied Finance, Macquarie University Business School
James Lam, Independent Director, Chair of Risk Oversight Committee, E*TRADE, NACD 100 Honoree
Deb Dunie, NACD Board Leadership Fellow
Some key points from the session:
Don’t create tech silos and blur cyber risk responsibility
The NACD’s principles of good cybersecurity governance (see the blog post NACD Cyber Risk Oversight Handbook Endorses Quantification, Cites FAIR) apply to both information and operational technology, Deb Dunie points out, but the two may be siloed. “We often see a split of who’s managing within an enterprise what piece of the cyber risk. Because of that, there tends to be some confusion as things happen as to who is on point and responsible for ensuring that the cyber accountability and the things you are trying to achieve are directly tied up to the strategic objectives of the organization.”
Try the 3 lines of accountability
Risk management thinks in terms of the three lines of defense – James Lam suggests organizations think in terms of the “three lines of accountability…The first line being responsible for the business and operational results, the second line responsible for policy and oversight and the third line responsible for providing assurance in terms of the internal audit function, and the board is responsible for overseeing the management team and the overall organization.”
A risk-based culture needs to hear bad news
As Deb Dunie said, “For cyber risk, it’s critical that we set a culture up that rewards people for raising bad news stories if there is bad news to tell because the sooner you get it out there, the sooner you can work to try to remediate it.”
Legal requirements may be needed to enforce responsibility
Prof. Sheedy presented research she conducted on the individual accountability regimes imposed on financial institutions in the UK and Australia and found that they succeeded remarkably well. “Members of the senior executive team have a clear, individual accountability. Each has a distinct list of issues they are responsible for. When something goes wrong, it’s very clear whose fault it was.”
FAIR™ can help build a culture of responsibility based on solid analysis
The panel discussed applying to risk management the notion of System 1 vs. System 2 thinking, the idea from behavioral economics that describes, roughly speaking, gut reaction vs. rational consideration. James Lam said, “When you think about the FAIR™ model, and the RiskLens platform, it’s really about System 2 thinking…objective variables that are data driven…Over time, if you have better data analytics, you will have better intuition and better judgement. And that interaction is going to help with risk management on an ongoing basis.”