Cyber risk has become an increasingly challenging risk to understand and manage due to the proliferation of technology. Organizations can simplify information security and reduce regulatory burden by adapting their risk management processes to take a more dynamic and holistic approach to cyber threats. Evaluating cyber risk in the context of other organizational risks is necessary to inform the overall risk profile. The process involves identifying specific cyber risks, assessing their likelihood and potential impacts, prioritizing them in relation to other risks, and determining appropriate investments to mitigate exposures.

1. Page 1 of 12
How Does Cyber Effectthe Risk Profile ofthe Organization?
Cyberriskhas become anincreasinglychallengingrisktounderstandandmanage. The proliferationof
technologycontinuestoforce organizations toadapttheirriskmanagementphilosophiestothiseverpresent,
everchangingrisk. Aslongas organizationscontinue toadoptnew technologies,theyautomaticallyincrease
newcyberand informationtechnologythreats.
Organizationscanthwartthese threats,simplify informationsecurity, andreduce the burdenof regulatory
compliance by adaptingthe riskmanagementprocess. A more dynamicand holisticapproachshouldbe
developedwhereestablishedcommunicationmechanismscanensure thatthreatsare addressedinreal time
and understoodbyabroad range of interestedstakeholders.Moreover, utilizingaGRC technology solution
that’sable to centralize dataandlinkcyberthreatswiththe otherrisks isimportantto provide evidence that
the program isin place,beingsustained,andproducinghighqualityoutput. Thisscalingof riskmanagement
won’tjustmake your organizationsafer,itwillalsohelpinformandenhance businessdecisions.
Studies1,2
continue toshowthatcybersecurity remainsatop concernfor organizations’informationsecurity
executives. Forexample,inone study,76%of the respondentssaidtheywere concernedaboutcybersecurity
threats,upnearly30% fromthe year prior.3
The occurrence of cyberincidents isup,where nearly 80%4
had
detectedasecurityincidentinthe lasttwelvemonths.
Employeesare alsocontributingtothis. Inanothersurveyexample,more thanhalf5
saythat theylackthe
skilledresourcestosubstantiateinformationsecurity’scontributionandvalue. Organizationsare struggling
withhowto integrate thissubjectwiththe broaderorganizational riskmanagementprocessesandgovernance
standards.
Perhapsthisisa result of the use and proliferationof technologybyusall. The businessandinformation
securityhave continuallyusedtechnologyasameansto create efficiencies,buildincontrols,share
information,etc. Customerstooare constantlysearchingforandadoptingtechnologytomake theirlives
easier,more efficient,andfaster. This isonlyexpectedtoincrease (see Figure 1).
Figure 1
Year 2003 2015 2020
WorldPopulation6
6.3 Billion 7.3 Billion 7.8 Billion
ConnectedDevices7
500,000,0008
4,900,000,000 20,800,000,000
ConnectedDevicesPer
Person
0.08 0.67 2.7
1 EY’s 2015 Global Information Security Survey: 1,755 CIOs,CISOs,c-level,and information security executives from 67
countries
2 PwC’s 2015 US State of Cybercrime Survey
3 Ibid
4 Ibid
5 EY’s 2015 Global Information Security Survey
6 Data.worldbank.org
7 Gartner Research; http://www.gartner.com/newsroom/id/3165317
8 Cisco Internet Business Solutions Group (IBSG), “The Internet of Things,How the Next Evolution of the Internet is
ChangingEverything,” DaleEvans, April 2011,
http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf

2. Page 2 of 12
The cyber threatisreal. There have beennumerousexampleswhere cybersecurityhascome intoquestion.
Breachesat companieslike Target,Sony,andAshleyMadison,toname a few,have caughtnational headlines.
Resultsinclude reparationsinthe millionsof dollars,thousandsof identitiesbeingstolen,shareholdervalue
lostinthe billions,andcorporate reputationstarnished. Questionsare startingtoarise fromregulatory
agencies,advocacygroups, counsel,andcustomersof whatorganizationsare doingtomanage these risks. In
response,organizationsare lookingmore closely atcyberriskand itsfitwithintheirGovernance,Risk,and
Compliance (GRC) frameworkandtools.
Top Downv. BottomUp
There are twoapproacheswhenmanagingriskinthe context of exposures(e.g.,cyberrisk) –(1) top down,
and (2) bottomup. Althoughthese twoshouldnaturallymarryandprovide clearlinkages,theyoftenrunin
parallel andcreate philosophical argumentsonwhichisbetter. Forexample,below isabrief list of the pros
and consof tacklingthe subjectfroma top downpointof view:
Pros
 Executive led
 Clearsupportfromthe top
 Internal/External sharingof informationacross
the organization
 Consistentcommunication
 Commontaxonomyandprocess
 Alignmentacrossthe lines-of-defense
 Alignmentwiththe cadence of the business
(e.g.,planning,budgeting)
Cons
 Unique businessactivitiesnotnecessarily
accountedfor
 Risksaddressedinisolation
 All risksseenascritical (lackof prioritization)
 No economiesof scope andscale in
management/action
 Lack of cleartie to organizational riskappetite
and tolerance levels
 Unclearlinkto processes
A similarsetcouldbe createdfromthe opposite perspective.
Cyberriskis a bitunique andshouldbe evaluated9
slightlydifferentlyinthe contextof the riskmanagement
processesusedtounderstandandmanage it. On the one hand,experience hasshownthatitcan have both a
significantfinancial andnon-financial impactonthe organization,makingit potentially one of the toprisksto
the organization. However, cyber-attackshappenwithsuchfrequency10
thatit’stypicallydepictedinthe top
rightcorner of a traditional heatmap (see illustrative heatmapbelow),withthe onlyvariabilitybeingthe
assessmentinthe impact(forexample,atypical riskassessmentprocesswill be the likelihoodof occurrence
overa year period – whichissetto alignwithstrategicplanningandbudgetingprocesses):
9 The evaluation of risk typically occursfroman inherent (or absent controls) and a residual (with controls and
management activities in place) basis
10 Norse Corporation Map; map.norsecorp.com; example showingevidence over an hour on a non-descriptday when over
10,000 attacks hitthe US from all over the world,4,000 from China alone

3. Page 3 of 12
InherentRiskAssessment Residual RiskAssessment
Dependingonthe tolerance level(denotedbythe line (lookslike steps) inthe heatmapgraphsabove) of the
risk,actionwill be requiredtomitigate and/ormanage the riskwithsome diligence.
Evaluatingthe Efficacyof the RiskManagementProcess
Evaluatingcyberriskinthe contextof otherrisksis one of necessitytoinformthe riskprofile,orthe
aggregatedexposure level of the company’sportfolioof risks.Asthe above example shows,cyberrisk
managementshould,ataminimum,justifyaformal review forcreatingabespoke processtoevaluate its
effectsonthe organization.
The process starts withthe identificationof cyberrisks. Thisrequiresnotonlyanunderstandingof the risks
facingthe organizationitselfbutalsoitscustomers,vendors,andotherthirdparties. One onlyhastolookto
recentpublications forexamples. Inone,hackershadbreachedacompany’scomputersystemsand
compromisedthe personal dataof 1.5 millioncustomersresultinginthe exposure of 1.1millionsocial security
numbers. Thisstolendatawasusedto create fake debitcards that were usedto withdrawal more than$9
millionfromautomatedtellermachinesworldwide. Otherexamplesinclude phishingtechniques,Telephone
Denial of Service (TDoS) andDistributedDenial of Service (DDoS) attacks,ATMskimmingandPoint-of-Sales
(PoS) schemes,malwareon mobile devices,and the infiltrationandexploitationof organizational supply
chains. Regardlessof the medium,the identificationof cyberriskrequiresexpertise andthe involvementof
informationtechnology. However,understandingthe impactrequires investigationand collaboration.
The identificationof cyberriskisnotany differentthanwhatwouldbe usedtoidentifyotherrisksthatmay
impactthe organization. Cyberriskisprimarilyfocusedonthe informationalandtechnological operational
risks,butincludespeopleandfacilitiesshouldtheysupportinformationandtechnologyassets. Inorderto be
effective,risksmustbe definedinsuchawaythat it allowsforthe aggregationanddisaggregationof the topic.
As we sawfrom the previous paragraph,cyber(the mostbroadlydefined) riskmightbe brokendownintotwo
or three sub-categories. A sub-categorymightbe malware withfurtherdefinitionsunderthatsuchas Trojan
horses,worms,viruses,etc. Definingthe libraryof riskinthisfashioncreatesgreatertransparencyintothe
causesof the riskand can assistindefiningwherethe riskmayreside withinbusinessprocesses. Italsoacts as
a meansto clearlydefine coursesof action,investmentsincontrols,andmetricstodetermine theirefficacyon
reducingthe risk’sexposure.
Nowthat the cyberrisk categorycan be brokendownto itsmore specificparts,the assessmentbegins.
Executionof the assessmentrequiresthe informationtechnologyexpertstoworkcollaborativelywiththe
business. Thisnecessitatesthe informationtechnologyandsecurityguysandgirlshavingabetter
understandingof the keybusinessprocessesdrivingthe growthandprofitabilityof the organization. Itis
Likelihood
Impact
Likelihood
Impact

4. Page 4 of 12
unreasonable toexpectthe business,those doingthe day-to-dayactivities, tohave the knowledge of how
frequentlycyber-attacksoccurnorhave an indicationof the extentof damage theycouldinflict. Viewingitin
thiscontexthelpswiththe prioritizationof cyberriskinrelationtootherrisks facingthe organization.
Moreover,thisprioritizationhelpswithdeterminingthe investmentsrequiredtothwartanyexposure through
the allocationof capital andemployees’time.
Anotherimportantfacetinhelpingtoevaluatethe assessmentof cyber riskisthe linktothe company’s
BusinessImpactAssessment(BIA). The BIA providesthe insightinto the consequencesof adisruptiontothe
business’functionsandprocesses. The evaluationof the systemsandtechnologiesare alsoincludedaspart of
thisprocess – the impact,timing,anddurationof a disruption. The resultisaprioritizationof the company’s
assetsbytheircriticalitytothe business’operationsandthe needtohave themavailabletoexecute critical
processes. Cyber-attacksonthe organizationmayfocusonthe vulnerabilitiesof these assets. The information
securityprofessionalscanuse the GRC technologytotake the BIA,compare that tothe cyberthreats,anduse
that as anotherbasisforconcludingthe overall assessmentof the risk.
It isalso essentialtoclearlyarticulate whatthe cyberprofilewilllooklike. Thismayresultina completely
differentlookingheat map,where the company’sconservatismof addressingcyberriskshowingmore harmful
(e.g., redandorange squares) areas. Additionally,the tolerance level mayvaryaswell,movingdown,for
example,toaddress the reducedtolerance forthe risk’soccurrence andseverity.
Anothermodificationmaybe inclearlyarticulatinglikelihoodandimpactparameters. Inthe eventof cyber
risk,the likelihoodof occurrence mayneedtobe definedasthe likelihoodof occurrence overaweek’speriod
(or at leastsomethinglessthanayear!). Riskslike cyber,andfraudfor financial servicescompanies,occur
withsuchfrequencythatriskmanagementfunctionsare exploringhow tomodifytheirassessment
methodologytobe more relevanttoaparticularrisk’soccurrence. Incontrast, riskssuchas natural disasters,
classaction lawsuits,andmis-sellingoccurwithmuchlessfrequency. Asa result,havingaprocessthat reflects
these variablescangreatlyimprove the understandingof the riskprofile,allocationof resources,andcapital
expendituresforcontrols.
Moreover,the definitionof impactalsoneedsexploring. Isitdefinedasthe impactshouldthe riskoccur?Or
the expectedimpact(independentof the likelihood)? The nature of cybereventsalsoshoulddictate assessing
the impact onboth a quantitative (financial)andqualitative (reputation) perspective. These simplequestions
and reflectiononthe processmayresultin amore meaningful andvaluableinformationsecurityassessment.
Most organizationswithmature riskmanagementpracticesofferimpactassessmentscalesonbotha
quantitative andqualitativescale. Althoughthe qualitative scale lacksthe rigorandmeasurementneededto
helpsubstantiate howthe riskprofile ischanging,itenablesthose withlessknowledgetoevaluate criticalityin
areas like reputationorwhenthe riskissomethingthathasn’tbeenexperiencedbythe organizationinthe
past. Scenariosare a good example, where stresstestingorhypothesesare bornto understandthe effectsof
adverse conditionsonthe organization’sproducts/services,assets,andoperations. These factorsare
discussedfurtherinreporting.
Anotherconsiderationtogive istohave a technique that’sreflectiveof the rate that whichcybereventsmay
occur. It may be worthwhile to analyze the risk fromanactuarial approachwhere modelingisusedtodefine
frequency(e.g.,aPoisson distribution) andseverity (LogNormal,Weibull, Gamma,Pareto,etc.). Thiscan
produce a VaR (Value atRisk) atvaryingconfidence intervals.
The evaluationof cyberexposureshasbeenmade easierthroughthe incorporationof technology. Leading
practice dictatesutilizingexternal feedstoassistinthe indicationof acyberthreatand utilizinghistory,

5. Page 5 of 12
knowledge,andalgorithmstopredictthe potential severity. However,the data comingin frominternal
sources and external, disparate vendorscanbe overwhelming. UtilizingaGRC solutionthatincorporatesall
internal andexternal datafeedsintoasingle platformmakesdecipheringthe datathatmuch simpler. Italso
enablesthe business tosynchronizeitscontrol environmentwiththe impactof cyberrisk events. Onlythen
can informationsecurityweighthe myriadof alerts,translatethemintothe organization’sprocessesand
profile,anddevelopthe meanstoaddressthe mostsalientexposures.
Moreover,beingable totie the resultsof these processintobusinessrequirementsistantamounttodriving
relevancyandvalue. The simplestexample of thisislinkingthe risks tothe businesscontinuityandresiliency
plans,as well asthe businessimpactassessmentsthatare beingperformed. Throughthisprocess,critical
activitiesandsupportingsystemsare enumerated. Once again,havingaGRC technologythatisable touse
that informationandpull itintothe analysisof cyberthreatshelptomarrycritical applications/technology
usedbythe businesswiththe risks. Onlythencanthe business,incollaborationwithinformationsecurity,
make informeddecisionsof whether,andhow,totreatthe threatsimpactingthe mostcritical operationsof
the organization. This,once again,helpswithdetermininghow tospendpreciouscapital andoptimally
allocate resources.
Anotherfacetof managingcyberriskis inthe securityassessment. Thisisakinto the typical monitorphase in
a typical risk managementprocess. Inthiscase,we wantto explicitlyreview whetherthe implementationof
controlsand/ormanagementactivitieshave occurred andgainevidence thattheyare inplace and workingas
intended. A GRC solutioncanenable the capture,storage,andminingof thisdataas evidence. Moreover,the
informationandconclusionscanlinkwithotherGRCsolutions(e.g.,operational risk,compliance,audit), asan
integratedGRCplatform, toprovide amore holisticpicture of the riskprofile.
Cyber,althoughrequiringsome evaluationof how tocustomize itto the organization’sriskframework,still
reliesonthe principlesestablishedthroughotherriskdisciplineslike operationalrisk. Infact,Basel,whichacts
as central bankwithinthe financial servicessector, considerssystemspartof the operational riskdefinition.11
Thisshouldnecessitatehavingcyberbe anexplicitpartof the operational riskprofilediscussion.
In fact,leadingpractice dictateshavingasingle subject discussionbe partof the quarterlyupdate tothe Board
of Directorsandthe executive committee(includingthe riskcommittee) forriskscarryingapotentially
significantimpactonthe organization. Cyber shouldbe partof the cadence inthisprocess. Thisischallenging
to do efficientlygiventhe brevityof certainrisktopicsonthe agenda (see the reportingsectionbelow).
Moreover,cyber,dependingonthe organizationanditscontrol structure,maynotevenrise asone of the
mostsignificantrisks. Also,asanexecutive,myknowledgeof the pervasivenessof attacksnorthe potential
damage theymay incurwill notbe widelyknown. Thisisbecause there isacognitive biasbythose presenting
and managinginformationsecurityto portraya betterthanaverage managementandcontrol environment. It
isthese individualswhose job,performance,andincentive structure istoprotectthe organizationfromcyber
threats. What incentive isthere topresenta“doomand gloom”picture?
Thisis where the robustnessof the riskmanagementprocesscomesintoplay. Notonlyshouldthere have
beenaneffective challenge bythe secondline andthe CRO,butsubstantiatedthroughaudit. The Boardand
executivesare lookingforanunderstandingof how riskisaffectingprofitability,soexplainingthe severityof
the riskin as quantitative termsaspossible isaplus.
Remembertoothatcyberrisk doesnothave independenteffects. It’snotjustthe technologythatmusttake
focus,butthe precipitationof implicationsonthe underlyingprocessesandhumaninterventionactivities.
11 Bank for International Settlements, ConsultativeDocument on Operational Risk,January 2001,p.2

6. Page 6 of 12
Cyberisdesignedtoidentifyandtake advantage of weaknessesinthe technology infrastructure and
overarchingbusinessactivities. Ineachcase,the underlyingorganizationalprocessiscalledintoquestion –is
it designedappropriately?Canitbe structureddifferently?Cana bettersetof controls be developedand
implemented? Technologyobviouslyplaysahuge role here asthe controlsare predominatelysystemfocused.
Moreover,itshould require engagingthe businessaswell for abroaderview of lookingatthe processfrom
end-to-end. Inthisexample,thismayincludethirdandfourthpartyvendors/subcontractorsandverification
proceduresforcustomeraccessto organizational systems.
GRC technologycanhelpinthiseffortaswell. LeadingGRCsolutionshave the abilitytotie the riskand control
informationbacktokeyvalue chainprocesses. Thismakescausal analysismuchsimplerbycreatingworkflows
that identify the processespieceswhere risksare likelytooccuror where controlsare deficientleadingto
indicatorsof potential exposures(e.g.,the creationandmonitoringof KeyRiskIndicators(KRIs)). Thisenables
boththe businessandsecondline of defense tounderstandwhere breakdownsare occurringandcreate a
tactical planforwardto addressthe exposure.
The linkage of cyberthreatsto otherrisksand operationscallsintoquestionthe efficacyof the organization’s
businesscontinuityandresilience plans. Thisisbecause acyberevent(s) cansuspendordisruptnormal
businessoperations. Giventhe varyingnature of cyberrisks,are employeesaware of how theymayunsettle
theiractivities,systems,andcustomers? Moreover,cyberrisksare always evolving,sodetectingtheir
occurrence and understandingthe magnitude of potentialdisruptionrequiresongoingeducationand
partnership betweenthe business,externalconstituents(likevendors),and withinformationsecurity.
CorrelationandDiversification
Risksare rarelyindependent;theycorrelatewithone another. It’stherefore critical tounderstand the upand
downstreameffectsof howa risk’soccurrence affectsthe value chain. Thisnotonlyincludeshow otherrisks
may occur, buthow the snowballingeffectsof severitycanmount. One organizationsufferedadistributed
denial of service attackonitswebsite disablingitscustomersfromtraditional servicesithadbecome
accustomedto – in thisexample bill pay. The organization’ssystems andinfrastructure wasnotpreparedfor
the attack. Duplicate paymentswere made, resultinginoverdraftfees, andsome paymentsweren’tmade at
all. Dissatisfiedcustomersusedsocial mediatovoice theirfrustrationswiththe companyalmostinstantly.
Moreover,because call centersweren’tpreparedwithascriptorknowledge of how torespondtocustomer
concerns,customers’ inquirieswere leftunanswered. The organizationhadtodosome repair; reimbursing
paymentsanderroneouscharges,letters(stampcosts) tocustomers,increased control and securityputon
theirfirewallsandservers,andapublicapology. The immediatefinancial impactwasn’t thatsignificant.
However,the reputationimpactandlostrevenuefromexistingandpotential futurecustomerswascalculated
inthe hundredsof thousands.
The aggregatinglinkage of riskalsoproducessimilareffectson the managementof risk.
Controlstakenbyone part of the organizationmaybenefitotherareasaswell. Thisis
particularlytrue withcyberriskwhere asingle control investmentwillbenefitmultiple
businesses. Forexample,there are aplethoraof vendorsofferingscanningcapabilitiesfor
cyberthreats. These vary dependingonthe threat,where anorganizationmayhave multiple
subscriptions. GRCtechnologiesofferawayto synthesize these feedsintoasingle source,
applyalgorithmstoassesstheirimpact,andprovide amechanismforprioritizationandaction.
Viewingriskacrossthe value chainalsobringseconomiesof scope andscale. The one-to-manyrelationshipof
risksto correspondingcontrolsyieldsinsightwhere there maybe inefficienciesinmanagementactionand/or
controls. The prevailingmindsetinmostorganizations,isthatriskisbad andneedstobe controlled. Thisis

7. Page 7 of 12
exacerbatedbythe pervasiveriskmanagementstructure andgovernance where riskistackled insilos. This
produceslayeruponlayer of controlsto addressa risk,whichcan onlybe seenwhenthe riskisviewed
holistically,frombacktofrontoffice, systemstoprocesses, toanycustomers,andpotential implicationsto3rd
parties.
Sustainable execution toriskmanagementischallenging,resource,andcapital intensive if the analysisisdone
for every riskthe organizationfaces. Leadingpractice dictatesperformingthe analysisonthe critical aspects
drivingthe growthof the organization. We’ve all heardthe mantraof “tying risksto objectives.” Thisstill
applies,butmustbe done inthe contextof the organization’smostsalientrisks. Derivingthe mostpertinent
riskscan be accomplishedbyevaluatingrisksagainstthe organization’s keystrategiesandinitiatives. Thisisan
essential partof the assessmentprocess.
Cyberhowever,isnotalwaysgivenitsdue creditinthisprocess,probablybecause the potential significant
financial andreputationimpactisnotalwaystransparent norhow itcan be tied to the organization’sgoals.
Some risks,like cyber,cangetintothe mire of the universe of risksthatinfluence objective settingand
execution. Vague,broadobjectivessuchas“grow the customerbase by x%”or “diversifyproductofferings”
may notnecessarilytake intoaccountrisktopicslike cyberwhere,inourexamples,adatabreachthat siphons
customerdata. Customerdistrustandbranderosionmaydisturbanywell laidcorporate plan.
It isonlywhenthese objectivesare codifiedthatthe riskdiscussioncanbegin. Detailinghow the objectives
will be metshouldforce adiscussionaboutrisk. Forexample,one manufacturingorganizationexplicitly
includesthe identification,assessment,andtreatmentof riskaspart of its strategicplanning. Thishelpsto
raise awareness,spurdiscussion,andbringconsensusabouthow the organizationwantstotreata particular
objective threateningrisksothatcapital and resourcescanbe properlyallocatedduringbudgeting.
Digital Literacy
The common threadthroughthe successof an effective cyberriskmanagementframeworkisdigitalliteracy.
Educationisa staple forunderstandingand addressingcyberrisk. Thisispredominatelyaresultof the rapid
developmentanduse of technologyto make thingsmore efficient,effective,andfaster. Cybercriminalsare
constantlylookingforwaystoexploitthisproliferationof software andtechnologyforcinginformation
technologistsandconsumerstobe consciousof how theiractionsmaybe lendingthemselves tocyberrisks.
We have already touchedon the needforinformationsecuritytointegrate andbecome astrongerpartner
withthe business. Educatingandtrainingthe informationsecurityandtechnologyfunctiononbusiness
processesenables amore fluiddiscussiononcyberexposuresandthe implicationsonbusinessprocesses.
Plus,educatingthe businessonthe typesof cyberrisksmayhelpinthe identificationof events. Although
there are feedscomingintothe organizationaboutexposures,butaswe’ve seen,thereare ancillarysignsof
concernsuch as TDoS, segregationof dutiesforcustomerverification,etc. Spottingthese signsanddeveloping
appropriate andtimelyescalationprocedurescanresultinearlymitigationstrategieseitherstoppingor
reducingthe likelihoodof financial,data,orreputationloss.
Employeesaren’tthe onlyoneswhowouldbenefitfromtrainingandeducation. Customerswilltoo. The
presshas done a goodjob of publicizing,forexample, topicslike identitytheft,butthere isanimplicit
assumptionthatconsumers have thatorganizationsare well controlledandfinancial andpersonalinformation
ishighlysecure. Organizationscanbe more proactive byeducatingtheircustomersonthe controlsnecessary
to circumventcyberrisk. One commonexample of thisistwostepverificationwhere customersprovide two
piecesof informationthatsecurestheiridentity. Thismayinclude requirementsforstrongpasswordsaswell
as textmessagingof codesforfinal authentication. These controlsnotonlybenefitthe organization,butthe

8. Page 8 of 12
customeras well. Itaddsextrastepsinthe control structure andcustomersneedanunderstandingtowhy
there isa heightenedlevel of control necessary. Thisisfrequentlymissing.
Educationalsoextendstoescalation. Customers,aswell asthe business,needaclearchannel andmeansfor
communicatingconcernsaboutcyberthreats. Whatare the protocolsif a potential cyberriskisidentified?
Giventhe pervasivenessof cyber risk,itwouldn’tmake sense towaitforthe riskmanagementgroupto
performitsriskand control assessmentprocess. The riskmayhave occurred and damage inflictedbythat
time. Witha nimble riskmanagementprocess,the businesscanengage risktoevaluate cyberexposuresin
real time. A GRC solution canassistthroughthe monitoringof metricsandtolerance levels. Questionsand
actionscan be self-generatedthroughthe solutiontoevaluatethe needandspecificityrequiredtoaddressthe
risk.
Customersalsoneedameansof communicatingpossible eventssuchasphishing. Creatingamediumfor
customerstocontact the organizationaboutconcernsshouldbe made simpleandeasytodo. Once
informationisshared,the organizationneedsameanstofeedthe data back intothe GRC and information
securitysystemsinordertoproperlyevaluate and,if appropriate,take actionagainst it.
RegulatoryAttestations
Complyingwithlawsandregulationshastakencenterstage inthe riskmanagementspace inrecentyears. The
expectationsfromregulatorshasgrowntobe able toarticulate thatorganizationsare incontrol,that risk
managementpracticesare inplace,andare sustainable. The volume of legislation seemstohave twofocuses,
one on cybereffects(suchasdata protection) andthe otheron cyber itself.
For example,the CybersecurityActof 2015 in the US promotesand encouragesthe private sectorandthe
governmenttorapidlyandresponsiblyexchange cyberthreatinformation.12
Companiesthoughstrugglewith
the bestintentionsof the governmentandthisbill. Internal generalcounselquestionthe processandits
outcomes: “what’sgoingto happenwiththe informationonce it’sbeenshared?” Whatif it leaks?” “What if
we are accusedof lyingtosomeone?”“Whatwill ourBoardthinkof our situation?” These are all goodand
appropriate questionstoask. A cybereventintensifiesthese questionswhenitaffectscustomers. The
widespreadadoptionof social medianecessitates organizationsriskmanagementpracticesbe highlynimble
and flexibletorespondtoconcerns,questions,andcomplaints.
Conversely,the compulsoryside ismore pressing. There are a litanyof regulationsthatfocusonthe integrity
of informationsystemsandthe protectionof companyassets. Cyberriskisatthe crux of the actionsnecessary
to demonstrate compliance. Forexample,regulationSystems,Compliance,andIntegrity(SCI) statesthat
affectedentitiesmustestablish,maintain,andenforce writtenpoliciesandproceduresreasonablydesignedto
ensure thattheirsystemshave levelsof capacity,integrity,resiliency,availability,andsecurityadequate to
maintaintheiroperationalcapabilities.13
Similarly,the PCIDSS(PaymentCardIndustryDataSecurityStandard)
isa setof requirementsdesignedtoensure thatall companiesthatprocess,store,ortransmitcreditcard
informationmaintainasecure environment.14
Cyber-attackscanbe at the centerof disruptingorganizational
objectivesof meetingthese aforementionedregulatoryexamplesandmanyothers.
12 P.L. 114-113; Division N,H.R. 2029, 114th Congress (2015-2015),www.congress.gov/bill/114th-congress/house-
bill/2029/text
13 www.sec.gov/spotlight/regulation-sci.shtml
14 www.pcicomplianceguide.org/pci-faqs-2

9. Page 9 of 12
So howcan an organizationdemonstrate compliance? Regulatorswanttohave confidence thatthe risk
managementprogramisinplace,understoodbythe organization,andshowsevidence of use,andis
somethingthatissustainable. A GRC technology solution iscritical tothissuccess. Firstandforemost,the GRC
technology canprovide alinkintoandhelpto disseminate the company’spoliciesandprocedures. For
example,if anewcyberlaw or regulationwere tocome intoeffect,the GRCsolutioncanhelptoidentifywhich
policiesandprocedureswouldbe effectedandprovide the workflow toupdate anddisseminatethem tothe
organization. The technologycanprovide acentral source forthe riskmanagementmethodologyand
supportingdata. It helpstoprovide the evidence thatthe governance modelisworkingand critical facetsof
organizational expectationsare available anduptodate.
EnablingTechnology
The GRC solutionalsoactsas a foundationforthe riskmanagementprocess. Eachpart can be supportedby
the solution,offeringthe enablingtoolstoexecute the process,store andevaluate the data,andreporton it.
Thisnot onlyappliestothe riskmanagementprocessitself,butprovidesthe linkage tothe underlyingbusiness
processesaswell bycorrelatingthe riskandcontrol data to the value chain. Thishelpstooperationalize the
riskmanagementprocessmake itrelevanttothe business.
The GRC’s workflowprovidesa systematicandrepeatablewaytoexecute the riskmanagementprocess. So,
for riskslike cyber,itprovidesclear,andrepeatable, stepstoidentify,assess,evaluate,manage,monitor,and
to reporton the risk. Moreover,as we’ve alreadydiscussed,the processcanbe made dynamicand malleable
to respondat the speedatwhichcyberriskoccurs.
The technologyalsoactsas a central repositoryforriskdata. This makesitpossible tomine the riskdataat
any givenpointintime. Thisis powerful asitprovidesawealthof riskdatato understandthe risk,itspast,and
to provide the basistoextrapolate potentialexposures. Additionally,the audittrail of riskdatasetsthe basis
for changesinthe riskprofile. Usinglegacyriskdatacan demonstrate how prioractions(orinactions) totreat
a risk have actuallybenefited(ordetractedfrom) the organization. Capital expendituresandresource
allocationscanbe evaluatedonwhethertheymettheirobjectives. Thisputsclearaccountabilityonthe first
and secondline tocollectivelyassure thatrisksare withintolerance.
Metrics can alsobe createdand monitoredinreal time throughthe GRCsolution. The establishmentof Key
RiskIndicators(KRIs),asan example,canbe usedto monitorwhetherriskeventsare approachingorhave
breachedtolerance levels. Thiscanindicate the needforevaluationandanalysisof whethertotake actionand
improve the control environment. KRIscanbe monitoredthroughcreatingbespoke dashboardsandreporting.
Figure 2: Illustrative CISODashboard

10. Page 10 of 12
A highlyconfigurable GRCsolutionis
especiallyuseful inthe managementof
riskslike cyberdue tothe frequencyof
theiroccurrence andthe flexibilityneeded
to evaluate the exposures. GRCsolutions
that require ahighdegree of codingaren’t
able to provide the nimblenessof
identifying,assessing,and respondingto
these risksina timelyfashion. Additionally,
configurabilityassistswithunderstanding
the riskprofile. Creatingdashboards(see
Figure 2) that are unique tothe user’s
responsibilitiesprovidessnapshotsof the
riskenvironmentinreal time. Thisenables
the quickidentificationof issuesandareas
of concernresultinginpromptresponses,
mitigatingunwantedexposures.
Cyber’slinkwithprocessesandpeople makesitnecessarytobe includedaspartof the operational riskprofile.
Audit,initsindependentthirdline responsibilities,alsoneedstohave aclearunderstandingof how cyberis
managedand controlledthroughoutthe firstand secondline. Thus,althoughthere isbenefitfromhavinga
unique informationsecuritysolutiontomanage cyberrisk,the processes,findings,anddatashouldlinkacross
otherGRC solutionswithinthe organization. It’sonlythenthatthere isclarityandclear linkagesonwhatthe
organization’sriskprofile lookslike–there isn’tdisparityindataor outcomeswheninformationispresented
intothe risk committee,auditcommittee,andthe Board.
Reporting
Reportingrequiresthe organizationtobe able todisaggregate ariskto itsparts. Thisis particularlytrue when
reportingtoexecutives,riskandauditcommittees,andthe Boardbecause riskisusuallyaprettybroad topic
on the agendaof these discussions;e.g.,operational risk,creditrisk, etc. Obviously,the organization’s
industryandbusinessmodeldictatesthe lengthof risktopicdiscussions. Forfinancial services,it’stypically
creditrisk;for technologycompanies,it’s information;formanufacturers,it’soperations.
Regardless,riskstendtobe definedinlarge tranchesinordertoseparate the discussionandthe conclusions
fromanalyses – for example,cyberriskis generally categorizedunder“systems”riskwithinoperational risk
(e.g.,usingthe Basel definitionthatdefinesoperational riskasthe riskof lossfrominadequate orfailed
internal processes,people,systems,orfromexternal events). However,aswe’ve seen,cyber canalsoextend
to otheroperational riskcategoriesincludingthe actions(orinactions)of people,failedinternalprocesses,or
fromexternal events(suchasvendoror3rd
partydependencies). Asa result,it’simportanttoarticulate and
provide apithyexplanationof howcyberisinterrelatedwithotherrisksinordertoprovide atrue reflecti onof
the actual severity. Thisrequiresmakingsome judgmentcallsonthe diversificationeffectsof these risksand
the benefitsof commoncontrolsandtheiraffectsat reducingseverity.
Reportsshould alsohave a balance betweenrisk metrics, data,analysisandinterpretation,andqualitative
interpretations.The balance of qualitativeversusquantitative informationwill vary. More detail andfirmer
metricswill be bornthroughlowerdefinitionsof the risk. Forexample,breachesoveraperiod of time can be
easilycodified,buttheiroverall effectswill requiresome judgmenttodetermine the overall impact.

11. Page 11 of 12
As a result,expertjudgmentmaybe needtobe usedtoaid the aggregationprocess aswell as interpreting
results. Expertjudgmentcancome from multiplesources. The term“expert”canalsobe looselyapplied.
Organizationswithmature riskmanagementpracticeshave beenknowntoquerynotonlyindividualswithin
the organization,butalsocustomers,vendors,external audit,andcustomersto helpinformconclusionsona
risk’simpact. It’simportantto note that judgmentshouldreplace data,butshouldcomplementit. Risk
functionsneedtoensure thatwhenexpertjudgmentisapplied,the processbe clearlydocumentedand
transparentto bringclarityandconsistencytothe process.
Besidesprovidingaperspective of the past,reportsshouldalsotryandbe predictive. Organizationsneedto
developforwardlookingassertions. Thisincludesrisktopicsandmeasuresthatmaysignal earlywarningsof
any potential breachesof risklimitsthatmayexceedthe bank’srisktolerance/appetite.These subjectsshould
bothbe withinthe organization’sexperience aswell asthose ithasn’texperienced. Lessonsfromother
industries,competitors,orfromdifferentgeographiesandmarketscanbe powerful learningtools.
Scenariodevelopmentisatechnique thatmaybe usedto extrapolate arisk’s effectonthe organization.
Scenariosare usedto try and predicthowcertainfuture riskeventsmayimpactthe organizationincluding
evaluatingthe existingmanagementandcontrol environmentaswell asevaluatingcapital expendituresto
increase (ordecrease) the company’sassets. These scenariosare increasinglychallengingtodevelopwithin
the contextof cyber. Involvinginformationtechnology istantamounttodevelopingarobustscenariobecause
of the breadthof informationtechnologybothwithinandoutside the company.
Reportingshouldalsoprovideresultsandconclusionson stresstestingwhich providessupportto forward-
lookingexposures. Stresstestingappliestobothexistingandfuture riskstakingintoaccountassumptionson
the risk’svariables. Examplesinclude breachesinsystems, increasesinvolume,basispointjumpsininterest
rates,shrinkingorgrowingcustomerbase,ortemporaryor permanent lossof asignificantsupplier. The
variabilityof the risk’sseverityshouldbe atopicfordiscussiontodetermine the efficacyof the stresstestand
whetheradditional actionorcontrol maybe necessary.
The culmination of thisinformationcanbe overwhelmingasevidence forthe conclusionstypicallyresultsina
binderfull of data. ExecutivesandBoardsalike expectasynopsisonthe organization’stop3– 5 risks,
includingimpactsonthe businessandprofitability. Actionstotreatthe exposure needtobe clearwith
accountable ownersanddemonstrable benefits. Findingsandconclusions onsignificantrisks,suchascyber,
shouldinclude specifictime onthe agendafromthe individual mostknowledgeable onthe subject,like the
CISO. Onlythencan credibilitybe lenttothe specificityprovidedto answerany detailedqueries.
The importance of havinga managementinformationsystem(MIS) thatisgearedto riskdata and
managementmakesreportinglesstaxing. A challenge manyorganizationsface isidentifyingsourcesof risk
data across the organization. Datanot onlycomesfromsystemsandapplications(suchasSAP,PeopleSoft,
MicrosoftExcel,Access,andWord, SharePoint,etc.),butfromdisparate conversations fromcommittees,
regulatorconversations,andaudit. External datafeeds (e.g.,fromthirdparties,social media,newsfeeds,etc.)
alsoneed to be accountedfor. As we’ve discussed,cyberthreats canbe monitoredthroughvendorsolutions
and providedto the organization. Otheritemssuchasregulatorychangescanalsobe identifiedthrough
external feedsaswell. A GRCsolutionthatisgearedto handlingthe datafromthese mediumsmakesreport
productionsimpler,especiallyone thatcanbe configured tothe organization’sriskmanagementmethodology,
taxonomy,andprocess. Producingperiodicexecutive andboardreportisan importantpart of the process,
but italsoneedstobe nimble. Cyberrisksoccurwithgreatfrequency,sohavingatool that assistsinthe
evaluationof ariskscriticalityassuresthatharmful eventsare actionedsoonerratherthanlater.

12. Page 12 of 12
The businessandriskfunctionsare challengedwithcentralizing,automating,andmakingsense withthe
aggregatedviewof the structuredand unstructureddatathat isproducedby the organization’ssystems.
Leadingorganizationshave adoptedtheirGRCtoolstoautomaticallyaggregate thisdataandput itin botha
riskand businesscontext. Limitedresources,increasedcompetition,andgoals tocreate turnoverhave putthe
impetusonhavinga technologysolutionthatcanproduce dashboardsandreportsinreal time that enable the
businesstounderstandarisk’seffectsonoperations,itspeople,systems,andcustomers. Thisassistsbusiness
managementtomake informeddecisionstopreventunwantedthreats,butallow forthe capture of
opportunities.
In an environmentwhere technologyisdiffusingthe riskmanagementpracticesof the organization,havinga
fluidriskmanagementprocesssupportedbyastrongGRC technologysolutioniscritical. Risks,suchascyber,
are everevolvingandmore pervasivethanever. The abilityforthe organizationtoidentifycyberriskinreal
time,evaluate itscriticality,andtotake timelyactionwillgoa longwayto assure that unwantedexposuresare
dealtwitha timelymanner. Thiswill notonlyprovide confidence toexecutivesandthe Board,but
demonstrate tostakeholders,suchasregulators,thatthere isa robustprocessinplace;one that is responsive,
incompliance,andissustainable. GRCtechnologyenablesthisprocessbyintegratingintothe organization’s
governance model,actingasa central repositoryforstoringandminingriskdata,andlinkingtothirdparty
data sourcesto provide users withaneasywayto see andunderstandthe riskand control environment. This
powerful enablerprovidesconfidence thatcyberexposuresare quicklyidentified,actedupon,andmitigated
before manifestingthemselvesintofinancial andreputational losses.
Abouttheauthor:Ladd Muzzy is a principal at Nasdaq BWise.He hasover twentyyears’
experiencein developing,implementing,and coordinating riskmanagementprograms.He
hasheld seniorcorporate(Bankof Montreal,Barclays,CapitalOne) and consulting
leadership risk managementpositions.Many of hisexperiencesinvolveevaluating an
organization’sriskmanagementphilosophiesand currentpracticesto movethem to
leading practice. Ladd can bereached at Ladd.Muzzy@nasdaq.com.To read morefrom
Ladd Muzzy and ourotherGRC experts,follow uson LinkedIn:
https://www.linkedin.com/company/bwise
AboutNasdaq BWise:Nasdaq BWiseis a globalleader in Enterprise Governance,RiskManagementand
Compliance(GRC) software.Based on a strong heritagein businessprocessmanagement,theBWise® GRC
Platformprovidescompanieswithhighly-rated,proven softwaresolutionsforRiskManagement,Internal
Control,InternalAudit,Compliance&Policy Management,Information Security and Sustainability Performance
Management.
BWise’s end-to-end solutionssupportan organization’sability to understand,track,measure,and managekey
organizationalrisks.Nasdaq BWisehelpscompaniestruly bein controlby balancing performancewiththeir
financialand reputationalrisks,improving corporateaccountability,increasing financial,strategicand
operating efficiencies.Using BWise, organizationsareableto efficiently comply with anti-corruption
regulationslike FCPA and the UKBribery Act,the Sarbanes-Oxley Act,European CorporateGovernanceCodes,
ISAE3402/SAS-70, PCI-DSS,Solvency II,BaselIIand III,Dodd-Frank,ISO-standards,and many more.
Nasdaq BWisehassales, service and supportofficesaround theglobeprovidefortheGRC needsof hundredsof
leading companiesworldwide.Formoreinformation,visit www.bwise.com.