Modernizing Cyber Risk Management

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on Environmental, Health, Safety, Security, and Sustainability.

November 21, 2022 - As global markets evolve, organizations must adapt and modernize their approach to risk management. While increasing your business’s cyber presence can create a world of opportunities, leaders must exercise caution when weighing the risks and rewards those opportunities create.

What are the risks associated with digital expansion?

The principal risk to any business revolves around revenue disruption. The depletion of available capital and stress on liquidity can have an adverse effect that could lead to insolvency or worse, liquidation.

Why Risk Management?

Think of risk management as your organization’s navigation system; it keeps your business on course, particularly as your cyber presence expands.

Ask yourself these questions:

1. How much should my business invest in cybersecurity and why?
2. Does the current level of investment support existing and future business requirements?
   1. If yes, can my business optimize its investment-enabling capital deallocation?
   2. If no, what is the differential? How should my business then invest available capital to meet its requirements?

The solution to these and many other related challenges falls within risk management.

Traditional Risk Management

For many businesses worldwide, their risk management system is developed around a visual risk matrix model. This format highlights risk prioritization and resource allocation. The traditional model (used by most) is governed by two parameters: impact and probability. Each parameter is bound by a classification and categorization to enable a risk level attribution.

At a glance, this model may be viewed favorably due to its simplicity, flexibility, and visual appeal. Fundamentally, however, the traditional model has significant deficiencies that can hinder optimal capital allocation.

Data-Driven Risk Management

An effective risk management system delivers certainty. However, in utilizing a traditional risk management model, business leadership teams may not see the whole picture.

What can a business do to ensure their risk management efforts are in fact comprehensive?

The answer: explore more specialized and tailored risk-management solutions.

The difference between these two solutions is how much of the product is sold as ready-made and how much is developed.

For example: a specialized risk-management solution may be aimed at a particular business sector, industry, or domain. Most commonly, it is delivered as a software product that supports various sophisticated models, methods, and techniques, permits customization, and enables risk quantification.

Specialized risk management implies that 80% (for instance) of the product is ready, and you can adjust the other 20% to make it fit for your purposes.

While a bespoke or tailored risk-management solution is a business-specific formulation (often delivered as a consultancy service), these solutions require advanced cross-domain knowledge, skill, and expertise. It is quantitative in its formulation, best reserved for strategic risk exploration, and often yields the highest return on investment. This effort is tailored to accommodate a business’s unique characteristics, sector, industry, revenue, etc.

Bespoke or tailored risk management implies that you get to control the entire product-development process, resulting in a solution that is 100% fit for your purposes.

Systemic Risk

As businesses continue to rapidly adopt existing and emerging technologies in pursuit of opportunities, these emerging dependencies can lead to systemic risk realization, resulting in serious consequences. A technology disruption may trigger a chain-reaction activating crisis at a local, regional, national, or global scale (e.g., company X gets hit, which leads to company A, B, and C, who rely on company X for services, suffering a disruption).

This demands a modern approach to risk management—an approach that also relies on cross-domain skill, knowledge, and expertise enabling multi-dimensional analytics. (Read Global Managing Director, Digital Trust Consulting, Mark Brown’s Protecting Critical Industrial Systems from Cyberattacks).

Future Ready Risk Management

What kind of capabilities should a business seek to achieve a multi-dimensional analysis?

It starts with expertise in finance or economics with an emphasis on actuarial science. This focus will build a planning foundation, enabling risk to be translated into actual financial implications (meaning how much are these risks going to cost my organization should a disruption or breach occur?). Next, an expertise in cybersecurity, information technology, and/or software engineering will help form a technical foundation within risk planning.

Incorporating all these areas into your risk management function, even though these attributes may be difficult and require more effort to source, will ensure your organization establishes a proportional, sustainable, and viable business operation.

Read our Experts Corner for more Digital Trust and Environmental, Health, and Safety insights including tips on mitigating risk in other areas of your business: Risk Mitigation Adds Long-Term Value and Risk Mitigation: Re-evaluating Cash Reserves.