If you aren't familiar with Enterprise Risk Management, or ERM for short, you should take some time in the near future to learn about it. Audits and examinations are already requiring this approach at many financial institutions. It's nothing new; it is a method of looking at risk for the bank from a holistic perspective, rather than by department.
I had the opportunity to sit in on a presentation by Rebecca Towne at the Indiana Bankers Association MEGA Conference last week. Rebecca is the Founder and President of Quadrant Risk Advisory, LLC. Her company specializes in Enterprise Risk Management (ERM) for banks and credit unions.
Her talk focused on the importance of ERM in general, but she noted several times that cybersecurity is the highest risk for any bank right now. The advantage of a good enterprise risk management program is that you can communicate cyber risk side by side with other risks that board members typically see.
Key Takeaways
Below are some tips that Rebecca noted as being important in ERM. Whether you are in cybersecurity, in risk management, or on the executive team, all of them are beneficial to managing risk:
- Get your whole team involved - get input from experts in each area to keep them involved and to get an accurate assessment of risk.
- Make the process valuable to team members - an exercise in futility will only lead to resistance to the process; make risk a part of regular processes with actionable outcomes.
- Use consistent measurements of risk - one of the main advantages of ERM is the ability to compare risk across departments. This is not possible unless everyone is using the same metrics to measure risk. Develop consistent descriptions of probability and impact so everyone is on the same page.
- Utilize Early Risk Indicators - Rebecca noted that we typically look at risk from lag indicators, meaning we only look at the outcomes. She urges risk managers and executive teams to look 3-5 years earlier for some clues of root causes. These root causes can then be monitored as an early warning of risk.
- Risk comes with change - Rebecca always starts with the question: "What has changed?" This can be software, process, policy, key personnel, or threat landscape.
- Develop the process first, then buy the software - many organizations purchase the software, then try to develop processes to fit that software. Rebecca urged the attendees to first develop the ERM in Excel and then find software that works with the process. This ensures that risk management is customized to the organization and gives the team a better understanding of the inner workings of Enterprise Risk.
- Prioritize - without an actionable plan, ERM loses its value. Make sure you have the ability to prioritize and focus on your areas of highest risk.