
Integrating cyber and enterprise risk management for success

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. It has provided guidance on the assessment of cyber-related risk that is followed by many information security and cyber professionals.

In March, it published a draft, Integrating Cybersecurity and Enterprise Risk Management (ERM).

One serious constraint on NIST is that it operates in an environment that requires the traditional practice of ERM, where the final product is a risk register (or a risk profile, which is simply a prioritized risk register). US federal agencies[1] have published authoritative guidance that mandates this approach.

Most leading practitioners and thought leaders have recognized that risk registers and risk heat maps are without significant value. They might enable leaders of the organization to manage individual risks, but they neither help see the big picture nor run the organization for success.

As I have said before, such as in Time to Wake Up to Risk Reality, leaders of organizations around the world have consistently said that traditional risk management is not helping them set and then execute on enterprise objectives.

Traditional risk management is not helping leaders make the decisions necessary for success.

Avoiding failure is not the same as achieving success. In fact, if all you do is manage risk instead of the likelihood of success, then you will almost certainly fail to achieve your goals.

I believe it was the FAIR Institute in their adaptation of NIST guidance that recognized that a prioritized list of cyber-related risks did not provide leaders of the enterprise with the information they need. They recognized that fact but offered no suggestions.

In Making Business Sense of Technology Risk, which was written specifically to provide some ideas on this topic, I suggested that leaders need to know how to answer questions like these:

  • Should I invest $1 million in cyber or in new product development? I can’t do both.
  • If I open a new office in Belarus, I have significant upside possibilities but will also increase the possibilities of damage from regulatory compliance issues, currency volatility, cyber intrusions, and more. How can I know whether, on balance, I should open now, in six months, in a year, or not at all?
  • How likely are we to achieve our targets for the year, given all the things that might happen over the next months, including the possibility of a data breach?
  • Should we take our new product line to market now, given the revenue it might bring and the vulnerabilities we are aware of?

Neither a risk register nor a prioritized list of information assets helps answer these questions, or pretty much any other business decision.

The most these lists of risks do, IMHO, is help prioritize investments between cyber vulnerabilities. They don’t help leaders of the enterprise – as evidenced by the views of those leaders in survey after survey.

Where we need to go, as explained in my book, is to provide leaders with the information they need:

  • Information on how a breach would affect enterprise objectives, being specific about which ones
  • Information that can be aggregated with other sources of risk (both positive and negative) so that all the possibilities can be weighed together and an informed and intelligent decision made
  • Similarly, information that can be aggregated so that performance reporting can show the overall likelihood of success for each of the organization’s goals and objectives
  • Information in the language of the business

I welcome your thoughts.

(This post is being shared with NIST as a comment on their draft.)


[1] Such as the OMB and GAO, in addition to previous NIST standards.

  1. April 23, 2020 at 11:52 AM

    Norman, I don’t share your dislike of risk registers. They have their place, for example (and I am simplifying):

    Objective: Maintain the organisation’s profitability
    Risk: Major systems failure due to a computer virus
    Control: Anti-virus and other control software, constantly kept up-to-date

    There have been plenty of examples where organisations have lost money due to major systems failures, and boards should be recognising this if Risk Managers and Internal Auditors are doing their jobs.

    However, I recognise that a risk register is not sufficient and the greatest risk to any organisation is poor decision-making by its board. The best risk register in the world won’t stop poor decision making.

    • Norman Marks
      April 23, 2020 at 11:58 AM

      They can have a place, where a single source of risk needs to be monitored because even by itself it can be awful. But the point is that too many (including NIST) make that their single end product.

      • April 23, 2020 at 3:22 PM

        I like to think of ERM like a wall round a castle. If it’s well built and maintained, with a good garrison, it will keep the inhabitants safe… until their enemies invent a cannon. So the inhabitants need spies in enemy territory to anticipate what’s coming and to exploit any weaknesses. They also need to make decisions about when to expand their territory beyond the castle walls, otherwise the walls become a prison instead of a fortress.

        • Norman Marks
          April 23, 2020 at 3:57 PM

          They also need to know when it is wise to take the risk of going outside. If they don’t know the likelihood of success, how can they know what to do?
