Cyber Management vfd



Page 1 of 12

How Does Cyber Affect the Risk Profile of the Organization?

Cyber risk has become an increasingly challenging risk to understand and manage. The proliferation of technology continues to force organizations to adapt their risk management philosophies to this ever-present, ever-changing risk. As long as organizations continue to adopt new technologies, they automatically take on new cyber and information technology threats.

Organizations can thwart these threats, simplify information security, and reduce the burden of regulatory compliance by adapting the risk management process. A more dynamic and holistic approach should be developed, in which established communication mechanisms ensure that threats are addressed in real time and understood by a broad range of interested stakeholders. Moreover, utilizing a GRC technology solution that is able to centralize data and link cyber threats with the other risks is important to provide evidence that the program is in place, being sustained, and producing high-quality output. This scaling of risk management won’t just make your organization safer; it will also help inform and enhance business decisions.

Studies [1][2] continue to show that cyber security remains a top concern for organizations’ information security executives. For example, in one study, 76% of the respondents said they were concerned about cybersecurity threats, up nearly 30% from the year prior. [3] The occurrence of cyber incidents is also up: nearly 80% [4] had detected a security incident in the last twelve months. Employees are contributing to this as well. In another survey, more than half [5] say that they lack the skilled resources to substantiate information security’s contribution and value. Organizations are struggling with how to integrate this subject with the broader organizational risk management processes and governance standards. Perhaps this is a result of the use and proliferation of technology by us all.

The business and information security have continually used technology as a means to create efficiencies, build in controls, share information, and so on. Customers, too, are constantly searching for and adopting technology to make their lives easier, more efficient, and faster. This is only expected to increase (see Figure 1).

Figure 1

Year                            2003              2015              2020
World Population [6]            6.3 Billion       7.3 Billion       7.8 Billion
Connected Devices [7]           500,000,000 [8]   4,900,000,000     20,800,000,000
Connected Devices Per Person    0.08              0.67              2.7

[1] EY’s 2015 Global Information Security Survey: 1,755 CIOs, CISOs, C-level, and information security executives from 67 countries
[2] PwC’s 2015 US State of Cybercrime Survey
[3] Ibid
[4] Ibid
[5] EY’s 2015 Global Information Security Survey
[6] Data.worldbank.org
[7] Gartner Research; http://www.gartner.com/newsroom/id/3165317
[8] Cisco Internet Business Solutions Group (IBSG), “The Internet of Things, How the Next Evolution of the Internet is Changing Everything,” Dale Evans, April 2011, http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf


The cyber threat is real. There have been numerous examples where cyber security has come into question. Breaches at companies like Target, Sony, and Ashley Madison, to name a few, have caught national headlines. Results include reparations in the millions of dollars, thousands of identities being stolen, shareholder value lost in the billions, and corporate reputations tarnished. Questions are starting to arise from regulatory agencies, advocacy groups, counsel, and customers about what organizations are doing to manage these risks. In response, organizations are looking more closely at cyber risk and its fit within their Governance, Risk, and Compliance (GRC) framework and tools.

Top Down v. Bottom Up

There are two approaches to managing risk in the context of exposures (e.g., cyber risk): (1) top down, and (2) bottom up. Although these two should naturally marry and provide clear linkages, they often run in parallel and create philosophical arguments about which is better. For example, below is a brief list of the pros and cons of tackling the subject from a top-down point of view:

Pros

- Executive led
- Clear support from the top
- Internal/external sharing of information across the organization
- Consistent communication
- Common taxonomy and process
- Alignment across the lines of defense
- Alignment with the cadence of the business (e.g., planning, budgeting)

Cons

- Unique business activities not necessarily accounted for
- Risks addressed in isolation
- All risks seen as critical (lack of prioritization)
- No economies of scope and scale in management/action
- Lack of clear tie to organizational risk appetite and tolerance levels
- Unclear link to processes

A similar set could be created from the opposite perspective. Cyber risk is a bit unique and should be evaluated [9] slightly differently in the context of the risk management processes used to understand and manage it. On the one hand, experience has shown that it can have both a significant financial and non-financial impact on the organization, making it potentially one of the top risks to the organization. On the other hand, cyber-attacks happen with such frequency [10] that cyber risk is typically depicted in the top right corner of a traditional heat map (see the illustrative heat maps below), with the only variability being the assessment of the impact. (A typical risk assessment process scores the likelihood of occurrence over a one-year period, which is set to align with strategic planning and budgeting processes.)

[9] The evaluation of risk typically occurs on an inherent (absent controls) and a residual (with controls and management activities in place) basis
[10] Norse Corporation Map; map.norsecorp.com; example showing evidence over an hour on a nondescript day when over 10,000 attacks hit the US from all over the world, 4,000 from China alone


[Figure: two illustrative heat maps, Inherent Risk Assessment and Residual Risk Assessment, each plotting Likelihood against Impact with a stepped tolerance line]

Depending on the tolerance level of the risk (denoted by the stepped line in the heat map graphs above), action will be required to mitigate and/or manage the risk with some diligence.

Evaluating the Efficacy of the Risk Management Process

Evaluating cyber risk in the context of other risks is a necessity to inform the risk profile, or the aggregated exposure level of the company’s portfolio of risks. As the above example shows, cyber risk management should, at a minimum, justify a formal review for creating a bespoke process to evaluate its effects on the organization.

The process starts with the identification of cyber risks. This requires an understanding not only of the risks facing the organization itself but also of those facing its customers, vendors, and other third parties. One only has to look to recent publications for examples. In one, hackers had breached a company’s computer systems and compromised the personal data of 1.5 million customers, resulting in the exposure of 1.1 million social security numbers. This stolen data was used to create fake debit cards that were used to withdraw more than $9 million from automated teller machines worldwide. Other examples include phishing techniques, Telephone Denial of Service (TDoS) and Distributed Denial of Service (DDoS) attacks, ATM skimming and Point-of-Sale (PoS) schemes, malware on mobile devices, and the infiltration and exploitation of organizational supply chains. Regardless of the medium, the identification of cyber risk requires expertise and the involvement of information technology. However, understanding the impact requires investigation and collaboration. The identification of cyber risk is not any different from what would be used to identify other risks that may impact the organization. Cyber risk is primarily focused on the informational and technological operational risks, but it includes people and facilities where they support information and technology assets.
In order to be effective, risks must be defined in such a way that allows for the aggregation and disaggregation of the topic. As we saw from the previous paragraph, cyber (the most broadly defined) risk might be broken down into two or three sub-categories. A sub-category might be malware, with further definitions under that such as Trojan horses, worms, viruses, etc. Defining the library of risk in this fashion creates greater transparency into the causes of the risk and can assist in defining where the risk may reside within business processes. It also acts as a means to clearly define courses of action, investments in controls, and metrics to determine their efficacy in reducing the risk’s exposure.

Now that the cyber risk category can be broken down into its more specific parts, the assessment begins. Execution of the assessment requires the information technology experts to work collaboratively with the business. This necessitates the information technology and security staff having a better understanding of the key business processes driving the growth and profitability of the organization. It is unreasonable to expect the business, those doing the day-to-day activities, to have the knowledge of how frequently cyber-attacks occur or to have an indication of the extent of damage they could inflict. Viewing it in this context helps with the prioritization of cyber risk in relation to other risks facing the organization. Moreover, this prioritization helps with determining the investments required to thwart any exposure through the allocation of capital and employees’ time.

Another important facet in helping to evaluate the assessment of cyber risk is the link to the company’s Business Impact Assessment (BIA). The BIA provides insight into the consequences of a disruption to the business’ functions and processes. The evaluation of systems and technologies is also included as part of this process: the impact, timing, and duration of a disruption. The result is a prioritization of the company’s assets by their criticality to the business’ operations and the need to have them available to execute critical processes. Cyber-attacks on the organization may focus on the vulnerabilities of these assets. The information security professionals can use the GRC technology to take the BIA, compare that to the cyber threats, and use that as another basis for concluding the overall assessment of the risk.

It is also essential to clearly articulate what the cyber profile will look like. This may result in a completely different-looking heat map, where the company’s conservatism in addressing cyber risk shows more harmful (e.g., red and orange) areas. Additionally, the tolerance level may vary as well, moving down, for example, to address the reduced tolerance for the risk’s occurrence and severity. Another modification may be in clearly articulating likelihood and impact parameters. In the case of cyber risk, the likelihood of occurrence may need to be defined as the likelihood of occurrence over a week’s period (or at least something less than a year!).
Risks like cyber, and fraud for financial services companies, occur with such frequency that risk management functions are exploring how to modify their assessment methodology to be more relevant to a particular risk’s occurrence. In contrast, risks such as natural disasters, class action lawsuits, and mis-selling occur with much less frequency. As a result, having a process that reflects these variables can greatly improve the understanding of the risk profile, allocation of resources, and capital expenditures for controls.

Moreover, the definition of impact also needs exploring. Is it defined as the impact should the risk occur? Or the expected impact (independent of the likelihood)? The nature of cyber events also should dictate assessing the impact from both a quantitative (financial) and a qualitative (reputation) perspective. These simple questions and reflection on the process may result in a more meaningful and valuable information security assessment.

Most organizations with mature risk management practices offer impact assessment scales on both a quantitative and a qualitative basis. Although the qualitative scale lacks the rigor and measurement needed to help substantiate how the risk profile is changing, it enables those with less knowledge to evaluate criticality in areas like reputation, or when the risk is something that hasn’t been experienced by the organization in the past. Scenarios are a good example, where stress tests or hypotheses are born to understand the effects of adverse conditions on the organization’s products/services, assets, and operations. These factors are discussed further under reporting.

Another consideration is to have a technique that is reflective of the rate at which cyber events may occur. It may be worthwhile to analyze the risk from an actuarial approach where modeling is used to define frequency (e.g., a Poisson distribution) and severity (LogNormal, Weibull, Gamma, Pareto, etc.).
This can produce a VaR (Value at Risk) at varying confidence levels.

The evaluation of cyber exposures has been made easier through the incorporation of technology. Leading practice dictates utilizing external feeds to assist in the indication of a cyber threat, and utilizing history, knowledge, and algorithms to predict the potential severity. However, the data coming in from internal sources and from external, disparate vendors can be overwhelming. Utilizing a GRC solution that incorporates all internal and external data feeds into a single platform makes deciphering the data that much simpler. It also enables the business to synchronize its control environment with the impact of cyber risk events. Only then can information security weigh the myriad of alerts, translate them into the organization’s processes and profile, and develop the means to address the most salient exposures.

Moreover, being able to tie the results of these processes into business requirements is paramount to driving relevance and value. The simplest example of this is linking the risks to the business continuity and resiliency plans, as well as the business impact assessments that are being performed. Through this process, critical activities and supporting systems are enumerated. Once again, having a GRC technology that is able to use that information and pull it into the analysis of cyber threats helps to marry the critical applications/technology used by the business with the risks. Only then can the business, in collaboration with information security, make informed decisions on whether, and how, to treat the threats impacting the most critical operations of the organization. This, once again, helps with determining how to spend precious capital and optimally allocate resources.

Another facet of managing cyber risk is the security assessment. This is akin to the monitor phase in a typical risk management process. In this case, we want to explicitly review whether the implementation of controls and/or management activities has occurred and gain evidence that they are in place and working as intended. A GRC solution can enable the capture, storage, and mining of this data as evidence.
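To make the actuarial approach described above concrete, the following is an added Python example; it is not code from the paper or from any GRC product. It states likelihood over a week rather than a year, as suggested on the previous page, models the annual event count as a Poisson draw and each event’s severity as a LogNormal draw, simulates aggregate annual losses, and reads the VaR off the simulated distribution at 95% and 99% confidence. The weekly rate, the $50,000 median loss per event, and the severity spread are constructed parameters; the Poisson sampler and quantile helper are written here because the standard library provides neither.

```python
import math
import random
from typing import List

# Constructed parameters for a hypothetical cyber risk (not figures from the paper).
WEEKS_PER_YEAR = 52
WEEKLY_RATE = 0.5          # expected events per week: likelihood stated over a week, not a year
SEV_MU = math.log(50_000)  # LogNormal log-scale mean: median loss of $50,000 per event
SEV_SIGMA = 1.2            # LogNormal log-scale sigma: a heavy right tail


def prob_at_least_one(rate: float) -> float:
    """Likelihood of at least one event in a window whose Poisson rate is `rate`.

    A weekly rate converts to an annual one by multiplying by 52; the annual
    likelihood is then close to 1, which is why a shorter window is more informative.
    """
    return 1.0 - math.exp(-rate)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Poisson(lam) draw by Knuth's multiplication method (adequate for lam below ~100)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(n_years: int, weekly_rate: float = WEEKLY_RATE,
                           mu: float = SEV_MU, sigma: float = SEV_SIGMA,
                           seed: int = 7) -> List[float]:
    """Compound Poisson model: for each simulated year draw the event count, then one
    LogNormal severity per event, and sum them into that year's aggregate loss."""
    rng = random.Random(seed)
    annual_rate = weekly_rate * WEEKS_PER_YEAR
    losses = []
    for _ in range(n_years):
        n_events = sample_poisson(rng, annual_rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def value_at_risk(losses: List[float], confidence: float) -> float:
    """Empirical VaR: the smallest simulated annual loss that `confidence` of years do not exceed."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]


def expected_annual_loss(weekly_rate: float = WEEKLY_RATE, mu: float = SEV_MU,
                         sigma: float = SEV_SIGMA) -> float:
    """Closed-form mean of the compound Poisson model: annual rate * E[LogNormal],
    where E[LogNormal] = exp(mu + sigma^2 / 2). Used as a sanity check on the simulation."""
    return weekly_rate * WEEKS_PER_YEAR * math.exp(mu + sigma ** 2 / 2)


if __name__ == "__main__":
    sims = simulate_annual_losses(20_000)
    print(f"P(>=1 event in a week) = {prob_at_least_one(WEEKLY_RATE):.3f}")
    print(f"P(>=1 event in a year) = {prob_at_least_one(WEEKLY_RATE * WEEKS_PER_YEAR):.6f}")
    print(f"expected annual loss   = ${expected_annual_loss():,.0f} "
          f"(simulated mean ${sum(sims) / len(sims):,.0f})")
    for c in (0.95, 0.99):
        print(f"VaR at {c:.0%} confidence = ${value_at_risk(sims, c):,.0f}")
```

The gap between the simulated mean and the 99% VaR is the quantity a risk committee can compare against risk appetite and against the cost of a control; swapping the severity distribution for Weibull, Gamma or Pareto, as the text lists, only changes the per-event draw inside `simulate_annual_losses`.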
Moreover, the information and conclusions can link with other GRC solutions (e.g., operational risk, compliance, audit), as an integrated GRC platform, to provide a more holistic picture of the risk profile. Cyber, although requiring some evaluation of how to customize it to the organization’s risk framework, still relies on the principles established through other risk disciplines like operational risk. In fact, Basel, which acts as central bank within the financial services sector, considers systems part of the operational risk definition. [11] This should necessitate having cyber be an explicit part of the operational risk profile discussion. In fact, leading practice dictates having a single-subject discussion be part of the quarterly update to the Board of Directors and the executive committee (including the risk committee) for risks carrying a potentially significant impact on the organization. Cyber should be part of the cadence in this process. This is challenging to do efficiently given the brevity of certain risk topics on the agenda (see the reporting section below). Moreover, cyber, depending on the organization and its control structure, may not even rise as one of the most significant risks.

Also, as an executive, neither the pervasiveness of attacks nor the potential damage they may incur will be widely known to me. This is because there is a cognitive bias by those presenting and managing information security to portray a better-than-average management and control environment. It is these individuals whose job, performance, and incentive structure is to protect the organization from cyber threats. What incentive is there to present a “doom and gloom” picture? This is where the robustness of the risk management process comes into play. Not only should there have been an effective challenge by the second line and the CRO, but the conclusions should also be substantiated through audit.

The Board and executives are looking for an understanding of how risk is affecting profitability, so explaining the severity of the risk in as quantitative terms as possible is a plus. Remember, too, that cyber risk does not have independent effects. It’s not just the technology that must take focus, but the precipitation of implications on the underlying processes and human intervention activities.

[11] Bank for International Settlements, Consultative Document on Operational Risk, January 2001, p.2


Cyber threats are designed to identify and take advantage of weaknesses in the technology infrastructure and overarching business activities. In each case, the underlying organizational process is called into question: is it designed appropriately? Can it be structured differently? Can a better set of controls be developed and implemented? Technology obviously plays a huge role here, as the controls are predominately system focused. Moreover, it should require engaging the business as well for a broader view, looking at the process from end to end. In this example, this may include third- and fourth-party vendors/subcontractors and verification procedures for customer access to organizational systems.

GRC technology can help in this effort as well. Leading GRC solutions have the ability to tie the risk and control information back to key value chain processes. This makes causal analysis much simpler by creating workflows that identify the process pieces where risks are likely to occur or where controls are deficient, leading to indicators of potential exposures (e.g., the creation and monitoring of Key Risk Indicators (KRIs)). This enables both the business and the second line of defense to understand where breakdowns are occurring and create a tactical plan forward to address the exposure.

The linkage of cyber threats to other risks and operations calls into question the efficacy of the organization’s business continuity and resilience plans. This is because a cyber event can suspend or disrupt normal business operations. Given the varying nature of cyber risks, are employees aware of how they may unsettle their activities, systems, and customers? Moreover, cyber risks are always evolving, so detecting their occurrence and understanding the magnitude of potential disruption requires ongoing education and partnership between the business, external constituents (like vendors), and information security.
Correlation and Diversification

Risks are rarely independent; they correlate with one another. It is therefore critical to understand the upstream and downstream effects of how a risk’s occurrence affects the value chain. This includes not only how other risks may occur, but how the snowballing effects of severity can mount. One organization suffered a distributed denial of service attack on its website, preventing its customers from using traditional services they had become accustomed to, in this example bill pay. The organization’s systems and infrastructure were not prepared for the attack. Duplicate payments were made, resulting in overdraft fees, and some payments weren’t made at all. Dissatisfied customers used social media to voice their frustrations with the company almost instantly. Moreover, because call centers weren’t prepared with a script or knowledge of how to respond to customer concerns, customers’ inquiries were left unanswered. The organization had to do some repair: reimbursing payments and erroneous charges, letters (stamp costs) to customers, increased control and security on their firewalls and servers, and a public apology. The immediate financial impact wasn’t that significant. However, the reputation impact and lost revenue from existing and potential future customers was calculated in the hundreds of thousands.
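The risk library defined on page 3 (a taxonomy that can be aggregated up to “cyber” or disaggregated down to a single malware type), the inherent-versus-residual heat maps with their stepped tolerance line, and the tying of controls to risks discussed above can all be represented in one small data model. The following Python is an added example, not the paper’s own material or any GRC product’s schema; every risk, control, score, and tolerance step in it is constructed, and the per-control reductions are hypothetical assessor judgments.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Score = Tuple[int, int]  # (likelihood, impact), each 1-5 as on a typical heat map


@dataclass
class Control:
    cid: str
    likelihood_reduction: int = 0  # heat-map steps the control lowers likelihood by
    impact_reduction: int = 0      # heat-map steps the control lowers impact by


@dataclass
class Risk:
    rid: str            # dotted path is the taxonomy: category.sub_category.risk
    inherent: Score     # assessed absent controls
    controls: List[str] = field(default_factory=list)


# Tolerance line ("the steps" on the heat map): for each likelihood level, the highest
# impact the organization accepts. Constructed values, not the paper's.
TOLERANCE: Dict[int, int] = {1: 4, 2: 3, 3: 2, 4: 1, 5: 1}

# Constructed sample library; reductions are hypothetical assessor judgments.
CONTROLS: Dict[str, Control] = {c.cid: c for c in [
    Control("email-filtering", likelihood_reduction=2),
    Control("offline-backups", impact_reduction=2),
    Control("endpoint-detection", likelihood_reduction=1, impact_reduction=1),
    Control("ddos-scrubbing", likelihood_reduction=1, impact_reduction=2),
]}

RISKS: List[Risk] = [
    Risk("cyber.malware.ransomware", (5, 5), ["email-filtering", "offline-backups", "endpoint-detection"]),
    Risk("cyber.malware.trojan", (4, 3), ["email-filtering", "endpoint-detection"]),
    Risk("cyber.phishing.credential_theft", (5, 4), ["email-filtering"]),
    Risk("cyber.ddos.website", (4, 4), ["ddos-scrubbing"]),
    Risk("cyber.supply_chain.vendor_compromise", (3, 5), []),
]


def residual(risk: Risk, controls: Dict[str, Control] = CONTROLS) -> Score:
    """Residual score: inherent score less the mapped controls' reductions, floored at 1."""
    like, imp = risk.inherent
    for cid in risk.controls:
        c = controls[cid]
        like -= c.likelihood_reduction
        imp -= c.impact_reduction
    return (max(1, like), max(1, imp))


def within_tolerance(score: Score, tolerance: Dict[int, int] = TOLERANCE) -> bool:
    """True when the heat-map cell lies on or below the tolerance line."""
    like, imp = score
    return imp <= tolerance[like]


def breaches(risks: List[Risk] = RISKS) -> List[str]:
    """Leaf risks whose residual score still sits above the tolerance line: these need action."""
    return [r.rid for r in risks if not within_tolerance(residual(r))]


def roll_up(prefix: str, risks: List[Risk] = RISKS, use_residual: bool = True) -> Score:
    """Aggregate a taxonomy node (e.g. 'cyber' or 'cyber.malware') to its worst leaf,
    ranked by likelihood x impact with ties broken by impact. Disaggregating is just
    asking for a longer prefix."""
    leaves = [r for r in risks if r.rid == prefix or r.rid.startswith(prefix + ".")]
    if not leaves:
        raise KeyError(f"no risks under {prefix!r}")
    scores = [residual(r) if use_residual else r.inherent for r in leaves]
    return max(scores, key=lambda s: (s[0] * s[1], s[1]))


def shared_controls(risks: List[Risk] = RISKS) -> List[Tuple[str, List[str]]]:
    """One-to-many view: each control with the risks it mitigates, most widely shared first.
    A control near the top is where one investment benefits several risk owners."""
    coverage: Dict[str, List[str]] = {}
    for r in risks:
        for cid in r.controls:
            coverage.setdefault(cid, []).append(r.rid)
    return sorted(coverage.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for r in RISKS:
        status = "OK" if within_tolerance(residual(r)) else "ABOVE TOLERANCE"
        print(f"{r.rid:42} inherent={r.inherent} residual={residual(r)} {status}")
    print("cyber (residual roll-up):", roll_up("cyber"))
    print("cyber.malware (inherent roll-up):", roll_up("cyber.malware", use_residual=False))
    for cid, rids in shared_controls():
        print(f"{cid:20} covers {len(rids)} risk(s): {', '.join(rids)}")
```

Rolling up to the worst leaf keeps the aggregate honest for a board-level heat map (the “cyber” square is only as good as its weakest sub-risk), while `breaches` and `shared_controls` are the two lists the business and the second line need when deciding where the next control investment has the widest benefit.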

The aggregating linkage of risk also produces similar effects on the management of risk. Controls taken by one part of the organization may benefit other areas as well. This is particularly true with cyber risk, where a single control investment will benefit multiple businesses. For example, there is a plethora of vendors offering scanning capabilities for cyber threats. These vary depending on the threat, so an organization may have multiple subscriptions. GRC technologies offer a way to synthesize these feeds into a single source, apply algorithms to assess their impact, and provide a mechanism for prioritization and action.

Viewing risk across the value chain also brings economies of scope and scale. The one-to-many relationship of risks to corresponding controls yields insight into where there may be inefficiencies in management action and/or controls. The prevailing mindset in most organizations is that risk is bad and needs to be controlled. This is exacerbated by the pervasive risk management structure and governance where risk is tackled in silos. This produces layer upon layer of controls to address a risk, which can only be seen when the risk is viewed holistically, from back to front office, systems to processes, to any customers, and potential implications to third parties.

Sustainable execution of risk management is challenging and resource- and capital-intensive if the analysis is done for every risk the organization faces. Leading practice dictates performing the analysis on the critical aspects driving the growth of the organization. We’ve all heard the mantra of “tying risks to objectives.” This still applies, but must be done in the context of the organization’s most salient risks. Deriving the most pertinent risks can be accomplished by evaluating risks against the organization’s key strategies and initiatives. This is an essential part of the assessment process. Cyber, however, is not always given its due credit in this process, probably because the potentially significant financial and reputation impact is not always transparent, nor is it clear how it can be tied to the organization’s goals. Some risks, like cyber, can get lost in the mire of the universe of risks that influence objective setting and execution. Vague, broad objectives such as “grow the customer base by x%” or “diversify product offerings” may not necessarily take into account risk topics like cyber where, as in our examples, a data breach siphons customer data. Customer distrust and brand erosion may disturb any well-laid corporate plan. It is only when these objectives are codified that the risk discussion can begin. Detailing how the objectives will be met should force a discussion about risk. For example, one manufacturing organization explicitly includes the identification, assessment, and treatment of risk as part of its strategic planning.
This helps to raise awareness, spur discussion, and bring consensus about how the organization wants to treat a particular objective-threatening risk so that capital and resources can be properly allocated during budgeting.

Digital Literacy

The common thread through the success of an effective cyber risk management framework is digital literacy. Education is a staple for understanding and addressing cyber risk. This is predominately a result of the rapid development and use of technology to make things more efficient, effective, and faster. Cyber criminals are constantly looking for ways to exploit this proliferation of software and technology, forcing information technologists and consumers to be conscious of how their actions may be lending themselves to cyber risks.

We have already touched on the need for information security to integrate and become a stronger partner with the business. Educating and training the information security and technology function on business processes enables a more fluid discussion of cyber exposures and their implications for business processes. Plus, educating the business on the types of cyber risks may help in the identification of events. Although there are feeds coming into the organization about exposures, as we’ve seen, there are also ancillary signs of concern such as TDoS, segregation of duties for customer verification, etc. Spotting these signs and developing appropriate and timely escalation procedures can result in early mitigation strategies either stopping or reducing the likelihood of financial, data, or reputation loss.

Employees aren’t the only ones who would benefit from training and education. Customers will too. The press has done a good job of publicizing, for example, topics like identity theft, but there is an implicit assumption that consumers have that organizations are well controlled and that financial and personal information is highly secure.
Organizations can be more proactive by educating their customers on the controls necessary to circumvent cyber risk. One common example of this is two-step verification, where customers provide two pieces of information that secure their identity. This may include requirements for strong passwords as well as text messaging of codes for final authentication. These controls benefit not only the organization but the customer as well. It adds extra steps in the control structure, and customers need an understanding of why there is a heightened level of control necessary. This is frequently missing.

Education also extends to escalation. Customers, as well as the business, need a clear channel and means for communicating concerns about cyber threats. What are the protocols if a potential cyber risk is identified? Given the pervasiveness of cyber risk, it wouldn’t make sense to wait for the risk management group to perform its risk and control assessment process. The risk may have occurred and damage been inflicted by that time. With a nimble risk management process, the business can engage risk to evaluate cyber exposures in real time. A GRC solution can assist through the monitoring of metrics and tolerance levels. Questions and actions can be self-generated through the solution to evaluate the need and specificity required to address the risk. Customers also need a means of communicating possible events such as phishing. Creating a medium for customers to contact the organization about concerns should be made simple and easy to do. Once information is shared, the organization needs a means to feed the data back into the GRC and information security systems in order to properly evaluate it and, if appropriate, take action against it.

Regulatory Attestations

Complying with laws and regulations has taken center stage in the risk management space in recent years. The expectations from regulators have grown: organizations must be able to articulate that they are in control, that risk management practices are in place, and that these are sustainable. The volume of legislation seems to have two focuses, one on cyber effects (such as data protection) and the other on cyber itself.
For example, the Cybersecurity Act of 2015 in the US promotes and encourages the private sector and the government to rapidly and responsibly exchange cyber threat information. [12] Companies, though, struggle with the best intentions of the government and this bill. Internal general counsel question the process and its outcomes: “What’s going to happen with the information once it’s been shared?” “What if it leaks?” “What if we are accused of lying to someone?” “What will our Board think of our situation?” These are all good and appropriate questions to ask. A cyber event intensifies these questions when it affects customers. The widespread adoption of social media necessitates that organizations’ risk management practices be highly nimble and flexible to respond to concerns, questions, and complaints.

Conversely, the compulsory side is more pressing. There is a litany of regulations that focus on the integrity of information systems and the protection of company assets. Cyber risk is at the crux of the actions necessary to demonstrate compliance. For example, Regulation Systems Compliance and Integrity (SCI) states that affected entities must establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capabilities. [13] Similarly, the PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. [14] Cyber-attacks can be at the center of disrupting organizational objectives of meeting these aforementioned regulatory examples and many others.

12 P.L. 114-113; Division N, H.R. 2029, 114th Congress (2015-2016), www.congress.gov/bill/114th-congress/house-bill/2029/text
13 www.sec.gov/spotlight/regulation-sci.shtml
14 www.pcicomplianceguide.org/pci-faqs-2


So how can an organization demonstrate compliance? Regulators want to have confidence that the risk management program is in place, is understood by the organization, shows evidence of use, and is something that is sustainable. A GRC technology solution is critical to this success. First and foremost, the GRC technology can provide a link into, and help to disseminate, the company’s policies and procedures. For example, if a new cyber law or regulation were to come into effect, the GRC solution can help to identify which policies and procedures would be affected and provide the workflow to update and disseminate them to the organization. The technology can provide a central source for the risk management methodology and supporting data. It helps to provide the evidence that the governance model is working and that critical facets of organizational expectations are available and up to date.

Enabling Technology

The GRC solution also acts as a foundation for the risk management process. Each part can be supported by the solution, offering the enabling tools to execute the process, store and evaluate the data, and report on it. This not only applies to the risk management process itself, but provides the linkage to the underlying business processes as well by correlating the risk and control data to the value chain. This helps to operationalize the risk management process and make it relevant to the business. The GRC’s workflow provides a systematic and repeatable way to execute the risk management process. So, for risks like cyber, it provides clear, repeatable steps to identify, assess, evaluate, manage, monitor, and report on the risk. Moreover, as we’ve already discussed, the process can be made dynamic and malleable to respond at the speed at which cyber risk occurs. The technology also acts as a central repository for risk data. This makes it possible to mine the risk data at any given point in time.
This is powerful as it provides a wealth of risk data to understand the risk and its past, and to provide the basis to extrapolate potential exposures. Additionally, the audit trail of risk data sets the basis for changes in the risk profile. Using legacy risk data can demonstrate how prior actions (or inactions) to treat a risk have actually benefited (or detracted from) the organization. Capital expenditures and resource allocations can be evaluated on whether they met their objectives. This puts clear accountability on the first and second line to collectively assure that risks are within tolerance. Metrics can also be created and monitored in real time through the GRC solution. The establishment of Key Risk Indicators (KRIs), as an example, can be used to monitor whether risk events are approaching or have breached tolerance levels. This can indicate the need for evaluation and analysis of whether to take action and improve the control environment. KRIs can be monitored through creating bespoke dashboards and reporting.

Figure 2: Illustrative CISO Dashboard


A highly configurable GRC solution is especially useful in the management of risks like cyber due to the frequency of their occurrence and the flexibility needed to evaluate the exposures. GRC solutions that require a high degree of coding aren’t able to provide the nimbleness of identifying, assessing, and responding to these risks in a timely fashion. Additionally, configurability assists with understanding the risk profile. Creating dashboards (see Figure 2) that are unique to the user’s responsibilities provides snapshots of the risk environment in real time. This enables the quick identification of issues and areas of concern resulting in prompt responses, mitigating unwanted exposures.

Cyber’s link with processes and people makes it necessary to include it as part of the operational risk profile. Audit, in its independent third line responsibilities, also needs to have a clear understanding of how cyber is managed and controlled throughout the first and second line. Thus, although there is benefit from having a unique information security solution to manage cyber risk, the processes, findings, and data should link across other GRC solutions within the organization. It’s only then that there is clarity and clear linkages on what the organization’s risk profile looks like, so that there isn’t disparity in data or outcomes when information is presented to the risk committee, audit committee, and the Board.

Reporting

Reporting requires the organization to be able to disaggregate a risk to its parts. This is particularly true when reporting to executives, risk and audit committees, and the Board, because risk is usually a pretty broad topic on the agenda of these discussions, e.g., operational risk, credit risk, etc. Obviously, the organization’s industry and business model dictate the length of risk topic discussions. For financial services, it’s typically credit risk; for technology companies, it’s information; for manufacturers, it’s operations. Regardless, risks tend to be defined in large tranches in order to separate the discussion and the conclusions from analyses. For example, cyber risk is generally categorized under “systems” risk within operational risk (e.g., using the Basel definition, which defines operational risk as the risk of loss from inadequate or failed internal processes, people, systems, or from external events). However, as we’ve seen, cyber can also extend to other operational risk categories including the actions (or inactions) of people, failed internal processes, or external events (such as vendor or third-party dependencies).
As a result, it’s important to articulate and provide a pithy explanation of how cyber is interrelated with other risks in order to provide a true reflection of the actual severity. This requires making some judgment calls on the diversification effects of these risks and on the benefits of common controls and their effects in reducing severity. Reports should also strike a balance between risk metrics, data, analysis and interpretation, and qualitative interpretations. The balance of qualitative versus quantitative information will vary. More detail and firmer metrics emerge as the risk is defined at lower, more granular levels. For example, breaches over a period of time can be easily codified, but their overall effects will require some judgment to determine the overall impact.


As a result, expert judgment may need to be used to aid the aggregation process as well as to interpret results. Expert judgment can come from multiple sources. The term “expert” can also be loosely applied. Organizations with mature risk management practices have been known to query not only individuals within the organization, but also customers, vendors, and external audit to help inform conclusions on a risk’s impact. It’s important to note that judgment should not replace data, but should complement it. Risk functions need to ensure that when expert judgment is applied, the process is clearly documented and transparent to bring clarity and consistency to the process. Besides providing a perspective of the past, reports should also try to be predictive. Organizations need to develop forward-looking assertions. This includes risk topics and measures that may signal early warnings of any potential breaches of risk limits that may exceed the bank’s risk tolerance/appetite. These subjects should include both those within the organization’s experience and those it hasn’t experienced. Lessons from other industries, competitors, or from different geographies and markets can be powerful learning tools. Scenario development is a technique that may be used to extrapolate a risk’s effect on the organization. Scenarios are used to try to predict how certain future risk events may impact the organization, including evaluating the existing management and control environment as well as evaluating capital expenditures to increase (or decrease) the company’s assets. These scenarios are increasingly challenging to develop within the context of cyber. Involving information technology is essential to developing a robust scenario because of the breadth of information technology both within and outside the company. Reporting should also provide results and conclusions on stress testing, which provides support to forward-looking exposures.
Stress testing applies to both existing and future risks, taking into account assumptions on the risk’s variables. Examples include breaches in systems, increases in volume, basis point jumps in interest rates, a shrinking or growing customer base, or temporary or permanent loss of a significant supplier. The variability of the risk’s severity should be a topic for discussion to determine the efficacy of the stress test and whether additional action or control may be necessary. The culmination of this information can be overwhelming, as evidence for the conclusions typically results in a binder full of data. Executives and Boards alike expect a synopsis on the organization’s top 3 – 5 risks, including impacts on the business and profitability. Actions to treat the exposure need to be clear, with accountable owners and demonstrable benefits. Findings and conclusions on significant risks, such as cyber, should include specific time on the agenda from the individual most knowledgeable on the subject, like the CISO. Only then can credibility be lent to the specificity provided to answer any detailed queries. Having a management information system (MIS) that is geared to risk data and management makes reporting less taxing. A challenge many organizations face is identifying sources of risk data across the organization. Data not only comes from systems and applications (such as SAP, PeopleSoft, Microsoft Excel, Access, and Word, SharePoint, etc.), but from disparate conversations in committees, regulator conversations, and audit. External data feeds (e.g., from third parties, social media, newsfeeds, etc.) also need to be accounted for. As we’ve discussed, cyber threats can be monitored through vendor solutions and provided to the organization. Other items such as regulatory changes can also be identified through external feeds.
A GRC solution that is geared to handling the data from these mediums makes report production simpler, especially one that can be configured to the organization’s risk management methodology, taxonomy, and process. Producing periodic executive and board reports is an important part of the process, but it also needs to be nimble. Cyber risks occur with great frequency, so having a tool that assists in the evaluation of a risk’s criticality assures that harmful events are actioned sooner rather than later.


The business and risk functions are challenged with centralizing, automating, and making sense of the aggregated view of the structured and unstructured data that is produced by the organization’s systems. Leading organizations have adopted their GRC tools to automatically aggregate this data and put it in both a risk and business context. Limited resources, increased competition, and goals to create turnover have put the impetus on having a technology solution that can produce dashboards and reports in real time that enable the business to understand a risk’s effects on operations, its people, systems, and customers. This assists business management in making informed decisions that prevent unwanted threats but also allow for the capture of opportunities. In an environment where technology is diffusing the risk management practices of the organization, having a fluid risk management process supported by a strong GRC technology solution is critical. Risks, such as cyber, are ever evolving and more pervasive than ever. The ability of the organization to identify cyber risk in real time, evaluate its criticality, and take timely action will go a long way to assure that unwanted exposures are dealt with in a timely manner. This will not only provide confidence to executives and the Board, but demonstrate to stakeholders, such as regulators, that there is a robust process in place; one that is responsive, in compliance, and sustainable. GRC technology enables this process by integrating into the organization’s governance model, acting as a central repository for storing and mining risk data, and linking to third-party data sources to provide users with an easy way to see and understand the risk and control environment. This powerful enabler provides confidence that cyber exposures are quickly identified, acted upon, and mitigated before manifesting themselves as financial and reputational losses.

About the author: Ladd Muzzy is a principal at Nasdaq BWise. He has over twenty years’ experience in developing, implementing, and coordinating risk management programs. He has held senior corporate (Bank of Montreal, Barclays, Capital One) and consulting leadership risk management positions. Many of his experiences involve evaluating an organization’s risk management philosophies and current practices to move them to leading practice. Ladd can be reached at [email protected]. To read more from Ladd Muzzy and our other GRC experts, follow us on LinkedIn: https://www.linkedin.com/company/bwise

About Nasdaq BWise: Nasdaq BWise is a global leader in Enterprise Governance, Risk Management and Compliance (GRC) software. Based on a strong heritage in business process management, the BWise® GRC Platform provides companies with highly-rated, proven software solutions for Risk Management, Internal Control, Internal Audit, Compliance & Policy Management, Information Security and Sustainability Performance Management. BWise’s end-to-end solutions support an organization’s ability to understand, track, measure, and manage key organizational risks. Nasdaq BWise helps companies truly be in control by balancing performance with their financial and reputational risks, improving corporate accountability, and increasing financial, strategic and operating efficiencies. Using BWise, organizations are able to efficiently comply with anti-corruption regulations like FCPA and the UK Bribery Act, the Sarbanes-Oxley Act, European Corporate Governance Codes, ISAE3402/SAS-70, PCI-DSS, Solvency II, Basel II and III, Dodd-Frank, ISO standards, and many more. Nasdaq BWise has sales, service and support offices around the globe that provide for the GRC needs of hundreds of leading companies worldwide. For more information, visit www.bwise.com.