By Daniel Dobrygowski
Business leaders today recognise that the profound reputational and existential nature of cyber risks means that responsibility for managing them sits with the board and top level executive teams. As the World Economic Forum stated in its 2017 Global Risk Report, we are facing a pressing governance challenge to construct the rules, norms, standards, incentives and institutions and other mechanisms needed to shape the development and deployment of the emerging technologies of the Fourth Industrial Revolution.
Even when it comes to just one aspect of this Fourth Industrial Revolution, many organisations do not feel that they have the tools to manage cyber risks at the same level of confidence as other risks. There are as yet no leading practices to form part of the standard board competencies.
While our virtual and visual worlds continue to merge, the stakes are increasing. Two responses are essential: 1) many more organisations should adopt, share and iterate current leading practices and 2) they must develop new practices through cross-sector collaboration as the risks evolve. The second will be difficult without common tools and language for an informed body of leaders to use.
The World Economic Forum has, therefore, this year, published Cyber Resilience Principles and Tools for Boards. There are 10 principles. Many of them relate specifically to risk management, and ultimately the role of the risk manager, including:
- A statement of board level responsibility for cyber resilience and a need for board members to receive information and advice on cyber threats and trends. The board may delegate primary oversight activity to a suitable committee, such as the risk committee.
- Incorporation of cyber resilience and cyber risk management into the overall business strategy and into enterprise risk management.
- The creation of an accountable officer responsible for reporting on the organisation’s capacity to manage cyber resilience. This person would have regular board access, sufficient resources and command of the subject and experience to fulfil these duties.
- The definition and quantification by the board of its business risk tolerance relative to cyber resilience at least once a year. The board is to be advised on current and future risk exposure as well as regulatory requirements and industry/social benchmarks for risk appetite.
- Management to be accountable for reporting a quantified and understandable assessment of cyber risks threats and events as a standing board agenda item. It will validate these assessments using its cyber risk framework.
The business opportunities of new technologies can present higher risk profiles since these technologies are mostly unproven. A rush to market to maximise competitive advantage adds to the risk profile incrementally as the business impact increases. As the World Economic Forum’s work on cyber resilience has made clear, it is no longer feasible to embark on business opportunities at the sub-committee or management level without educating the board on the cyber resilience impacts.
While it is unlikely that every risk can be avoided, a clear framework for managing risk will reduce the impact of any incident. Once organisations can effectively manage the risk associated with these technologies, they will have a greater degree of assurance that they can achieve their strategic objectives.
The World Economic Forum welcomes the work underway by FERMA and the European Confederation of Institutes of Internal Auditing that will contribute to the development of cyber governance principles especially in relation to the latest EU regulations.
Daniel Dobrygowski is the cyber resilience project leader with the World Economic Forum.
Advancing Cyber Resilience: Principles and Tools for Boards is available here: http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf
The World Economic Forum Global Risk Report 2017 is available here: https://www.weforum.org/reports/the-global-risks-report-2017