People still don’t know how to assess cyber risk!

December 1, 2018

Why do the consultants keep advising management and the boards to consider cyber risk as if it is separate from all other business risks? Managing any single source of risk in a silo is almost certainly going to lead you to make incorrect, uninformed decisions.

Cyber is only one of many sources of risk that can affect the achievement of an enterprise objective, initiative, program, or project.

As I keep saying, it is not about managing risk – it’s about managing the organization and its success.

McKinsey published an article in November, Cyber risk measurement and the holistic cybersecurity approach. It’s an interesting piece, reflecting responses by some board members to a recent piece by them. For example, they quote people as saying:

  • “So far, we have not taken a big hit, but I can’t help feeling that we have been lucky. We really need to ramp up our defenses.”
  • “Digital resilience is one of our top priorities. But we haven’t agreed on what to do to achieve it.”

They also say, correctly:

  • Companies are rolling out a wide range of activities to counter cyber risk. They are investing in capability building, new roles, external advisers, and control systems. What they lack, however, is an effective, integrated approach to cyber risk management and reporting.
  • Boards and committees are swamped with reports, including dozens of key performance indicators and key risk indicators (KRIs). The reports are often poorly structured, however, with inconsistent and usually too-high levels of detail.
  • Most reporting fails to convey the implications of risk levels for business processes. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.

I especially like this:

At a recent cybersecurity event, a top executive said: “I wish I had a handheld translator, the kind they use in Star Trek, to translate what CIOs [chief information officers] and CISOs [chief information security officers] tell me into understandable English.”

But then they go down the silo path.

  • Working with top management and drawing on internal and external resources, the chief risk and information security officers create a list of critical assets, known risks, and potential new risks.
  • The chief measure of cyber-resilience is the security of the organization’s most valuable assets.

I know that this approach is consistent with guidance from ISO 27005:2018 and NIST. But it focuses attention on information assets and not the achievement of organizational objectives and success.

Why can’t they ask a simple question:

If we had a cyber incident, how could it affect the business?

There’s going to be a range of potential consequences, each with a different likelihood. They could identify the level of harm that would be unacceptable and its likelihood.

But cyber is just one source of business risk!

It needs to be measured and discussed in a way that enables it to be considered alongside other business risks, including legal, market, compliance, safety, culture, third-party, and other sources of risk.

When management and the board are setting objectives and making strategic and tactical decisions, they need to see the big picture, all the things that might happen (risk). Looking at cyber and then looking separately at other sources of risk is simply wrong.

I fail to see why people think cyber is risk #1 when they are not assessing how it could affect the achievement of key business objectives. What is the likelihood that a cyber incident would cause the organization to fail to achieve its EPS, market share, and other targets?


A new piece from PwC is no better. How your board can better oversee cyber risk doesn’t have a single question about what would happen to the business if there were a breach! Instead, there is a focus on data and other information assets.


Until we consider cyber the same way we consider other sources of business risk, in terms of how an incident might affect enterprise performance, value creation, and the achievement of objectives, management and the board will continue to make uninformed decisions.


I welcome your comments.


  1. vincent tophoff
    December 1, 2018 at 3:02 PM

    Following your good advice, the simple question should not be “If we had a cyber incident, how could it affect the business?” but “What could affect the business?” and go from there.

  2. Risk Management Guru
    December 3, 2018 at 2:22 AM

    Thanks Norman.
    We still see people in denial with regard to cyber threats materialising into real risks. It’s not a matter of “If”, it’s really a matter of “When”.


    • Norman Marks
      December 3, 2018 at 7:14 AM

      Yes, but how will those incidents affect the business? An inconvenience or a serious disruption?

  3. December 3, 2018 at 2:45 AM

    Mark, I agree with Vincent. On the assessment of the risk, one has to look at “what does it mean to business performance” which is not necessarily technical.

    Understanding how this or that cyber risk does affect performance can be technical, and is probably best defined leveraging collaboration between specialists from IT and Finance and whoever handles reputation responses (Corporate Communication?).

    Understanding root causes and suggesting mitigating actions is likely to be IT technical, and note here, that IT becomes a part of the solution – NOT a part of the problem.

    By the way … given the digitalisation of the 4th industrial revolution – this will get a LOT worse in decades to come – until someone defines IT security at a level exceeding the competencies of criminals.

  4. January 28, 2019 at 10:31 AM

    Very much enjoyed your article. At Riskonnect, we couldn’t agree more. All too often we see customers manage each risk in silos. Integrated risk management is the only way to truly understand how one risk event impacts the rest of the business. Even if you could see all your risk exposures into one nice dashboard, that wouldn’t be enough. You need to be able to see the relationship that risk has on the rest of the business.
