On 29 June 2019, OECD published a report about understanding and measuring the digital security risk management practices of businesses. which includes the results of a pilot survey conducted with FERMA at the end of 2018. The aim of OECD is the creation an internationally recognised framework and statistical indicators for cyber risk management.

FERMA has been collaborating with the OECD on the topic of cyber security since 2015. Thirteen FERMA member associations took part in the pilot survey conducted with the OECD, thus participating in the development of digital security risk management.

Measuring the maturity of an organisation’s management of digital security risks is challenging but has become essential for OECD countries. By reducing the frequency and negative impact of cyber incidents, effective cyber risk management is a condition for businesses to get the most from digitalisation. Such comparable international indicators will also put governments in a better position to design public policies to integrate risk management culture in digital security.

The measurement framework proposed in the report is composed of six modules (demographics; digital security risk governance; digital security risk assessment; digital security risk reduction practices; digital security risk transfer practices and digital security risk awareness and training). The FERMA/OECD pilot survey, which tested the framework among European risk managers, shows that the framework is robust, despite some issues as regards the length and repetitiveness of some questions.

The report proposes the creation of a maturity model where weights and ranks would be applied to certain practices in the field of digital security risk management. These maturity scores could be used in some types of benchmark which organisations could use to compare themselves to their peers.

Ultimately, the aim is to give OECD member states some tools to understand how well prepared their businesses are for cyber risks.