European risk experts have called for organisations to create dedicated internal cyber risk governance groups to address digital risks across the whole enterprise as the threats evolve
The recommendation for a cyber risk governance model comes in a report published June 29 by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA).
FERMA and ECIIA presented their report at a high-level event at the European Parliament with representatives of the EU institutions, the World Economic Forum, risk and audit practitioners from European businesses, and other European stakeholders.
The report, At the junction of corporate governance and cybersecurity, aims primarily at supporting European organisations in meeting their obligations under the EU General Data Protection Regulation and Network Information Security Directive. Recent cyber attacks, however, increased concerns on what the risk experts see as a wider lack of focus on risk governance in cyber security.
The President of FERMA Jo Willaert states, “As recent attacks show, cyber risk is an enterprise issue that affects strategic aspects of the board’s mandate including valuation, reputation and trust. The management of cyber risk has, therefore, become a corporate issue that should be reflected in the governance of the company.”
He adds, “Our two professions are joining forces on cyber risk management by exchanging information on the ERM system and the cyber controls in place, ensuring that mitigation plans are auditable from their conception. This is crucial to evaluate their impact and review the alignment with the strategy.”
The report calls for the creation of cyber risk governance groups, chaired by the risk manager, to operate across functions within the enterprise. The role of the group is to determine the potential cost of cyber risks across the whole organisation, including catastrophic risk scenarios, and propose mitigation measures to the risk committee and the board. In addition to the risk managers, the group is to be composed of representatives of all key functions at an enterprise level involved in digital risk, notably IT, human resources, communications, finance, legal and the data protection officer (DPO) and chief information security officer (CISO). Internal audit will provide the necessary assurance to the board that the cyber risk controls are operating effectively.
Adds Jo Willaert, “Our recommended cyber risk governance model constitutes an innovative way for organisations to approach cyber security. It will allow the board of directors to demonstrate that cyber risks are managed on a rational and documented analysis of the risks across the organisation.”
The joint working group, represented risk managers and internal auditors from 8 EU countries and 6 different economic sectors (bank, transport, defense, IT, food services and telecom) has developed recommendations for organizations on innovative ways to internally organize the management of cyber risks.