Cyber Enterprise Risk Management-What are Key Factors to Success?

For several years Aon, in close collaboration with the Wharton School of the University of Pennsylvania have been researching the importance of advanced risk management practices with the proper tools and techniques to empower results. The observations and finding of this research resonate closely with the application of advanced risk management practices to managing an organization’s cyber risk.  The Aon Risk Maturity Index Insight Report has consistently observed direct correlations between enhanced risk management practices and improved performance in the financial markets. Working with annual financial results from over 300 publicly traded companies around the world; researchers found a correlation between higher levels of risk maturity and improved market performance, profitability, and organizational resiliency. Examined through the lens of cyber risk, these findings continue to emphasize the importance of a robust, integrated, and holistic risk management program.

By nature, organizations are incredibly complex; many operate with multiple subsidiaries around the world, across numerous business functions, with thousands of colleagues and processes. From a cyber risk standpoint such organizations have multiple risk owners spread across corporate functions and operating divisions. Cyber risk management also extends beyond the physical walls of an organization.  Increased corporate data aggregation will continue to drive engagement with cloud providers as organizations are forced to find more efficient ways to manage their data assets. The strive for efficiency in organizations’ data management platforms can potentially be at odds with the desire to increase cyber risk management controls. Some may argue that replacing data centers with cloud providers reduces the overall network security risk while others remain concerned about vendor engagements and the additional potential for breaches via an outsourced network.

With such complexities, it becomes difficult for an organization to understand and respond to its integrated cyber risk profile. Cyber risk is constantly evolving within organizations, whether across the entire organization or at the individual business function level.  Responding to the constantly evolving nature of cyber risk in a siloed manner can therefore potentially have significant consequences.

Recognizing that there is no ‘one size fits all’ solution to cyber risk, it is important to take a holistic view at the cyber risk that flows through an organization and build a cross-functional understanding of that risk.  Consideration should be given to the various stakeholders in senior management, information technology, legal, human resources and risk management. Aon and Wharton researchers have found three key factors that distinguish high and low risk management practices within organizations;

1.Communication of risk management strategies, objectives, and practices 2.Collaboration in executing risk based practices across risk-based functions 3.Consensus on strategy for cross-functional risks

Let’s consider this theme further.  What approaches can organizations take to differentiate their risk management practices and apply those practices to the management of cyber risk?

•Awareness of the complexity of cyber risk •Agreement on strategy and action •Alignment to execute

Increasing performance along these dimensions requires a robust process that focuses on:

•the identification of strengths and weaknesses •strong communication of cyber risk and its management across functions and at all levels of the organization •buildingconsensus regarding the steps to be taken Effective cyber risk management is the result of having the appropriate people, tools and processes in place. It consists of having a clear understanding of an organization’s key cyber risk vulnerabilities, knowing who is responsible for managing those vulnerabilities, having an effective communication process in place and integrating key cyber risk concepts into strategic decision making. If history has taught us nothing else, it is that even robust network security may contain vulnerabilities and that when thinking about a network security breach, it is advised not to consider ‘if’, but rather ‘when’.