Tag Archives: enterprise risk management

Claims and Effective Risk Management

The cost of claims has been at the heart of Total Cost of Risk (TCOR) since even before the inception of risk management as a separate function. The sheer magnitude of losses, insurable or not, defines much of what risk managers focus on and tends to be what they report on most often, as well. Mature, and by inference effective, risk management programs treat claim management as a key focus. While risk maturity is directly correlated with risk effectiveness, the latter term encompasses a much broader perspective on the things that matter.

Not surprisingly, many components of risk management maturity have some connection to effective claim management. Accordingly, it is appropriate to understand what these components are and how they dovetail with a more comprehensive view into effective risk management. Admittedly, this perspective relates most to the traditional practice of risk management, focused on hazard risk, but failure in this realm will likely point to failure in other areas of risk management.

Components of Risk Discipline 

Instilling risk discipline, and by extension maturity, into claim management sets the tone for effectiveness across the whole spectrum of risk management activities and feeds overall risk management performance. That tone also determines whether risk leaders can act as “trusted advisers” to organizational decision makers, which should be a key goal for risk leaders and is critical to long-term effectiveness and functional sustainability.

Two things come first. The first is how one defines “risk” and drives a consensus among key stakeholders about that definition. Claims are, of course, the outgrowth of risk and exposure. This direct relationship is why claims and effective claims management bear directly on effective risk management. Whether this part of the discipline is performed by insurers (as part of the insurance contract), by insureds (through a self-administered claim operation) or by third parties (independent adjusters, third party administrators etc.) makes little difference. Effective claim management feeds effective risk management.

The second issue is both which risks are your focus and where on the loss curve they fall. This may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face; often only the insurable risks. If that’s the case, the need to focus on claim management is clear; one leads to the other.

The Basics of Effective Risk Management Maturity

If you are a risk leader with broad accountability for risks, then the first question of “what is a risk to your firm?” requires total clarity. For the purposes of this article, a good definition of risk is “uncertainty” as it relates to the accomplishment of objectives. This simple definition captures the most central element of concern — uncertainty. However, the real challenge is determining the amount of uncertainty (such as frequency/likelihood), as well as the level of impact or severity. Each risk leader must make this choice and get it validated by his or her organization.

While many leaders focused on hazard risk look at risks at actuarially “expected” levels of loss, the challenge is how far out on the tail one should manage. While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events becomes more destructive. Because the magnitude of loss in this realm can be catastrophic, the importance of both preventing and mitigating these events and their impact becomes critical. Central to after-loss mitigation is the claim management process. Related key questions that every risk leader must answer include:

  • What matters more to your organization: likelihood or impact, or are they equal?
  • What level of investigation should you apply to less likely risks?
  • How do you apply typically limited resources to remotely likely risks?
  • Do you have a consensus among key stakeholders as to what risks to focus on and how?
  • Do you have or need an emerging risk identification process?
  • Do you have a consensus on and clear understanding of how you define risk in your organization?
  • Have you educated your organization on the correlations between losses, claims and risk effectiveness?

These questions are the starting point for ensuring risk management maturity. From your answers to them, you can chart your course for what maturity will mean to your firm. The answers will define the process elements of maturity needed to achieve your desired state. But we need to define what risk maturity is in order to track progress toward this state and to ensure that stakeholders are aligned around the components chosen to get there. The attributes of claims and risk maturity include:

  • Managing exposures to specifically defined appetite and tolerances;
  • Management support for the defined risk culture that ties directly to the organizational culture;
  • Ensuring disciplined risk and claim processes aligned with other functional areas;
  • Creating a process for uncovering the unknown or poorly understood (aka emerging) risks;
  • Effective analysis and measurement of risk and claims both quantitatively and qualitatively; and,
  • A collaborative focus on a resilient and sustainable enterprise, which must include a robust risk and claim strategy.


Examples of Risk Management Maturity Models

One thoroughly developed risk management maturity model (RMM) comes from the Risk Management Society (RIMS). While it was developed some 10 years ago, it remains a simple, yet comprehensive view of the seven most important factors that inform risk maturity. When well implemented, these components should drive an effective approach to managing all risk within your purview. 

The components of the RIMS RMM model include:

  • Adopting an enterprise-wide approach that is supported by executive management and that is aligned well with other relevant functions;
  • The degree to which repeatable and scalable process is integrated in the business and culture;
  • The degree of accountability for managing risk to a detailed appetite and tolerance strategy;
  • The degree of discipline applied to using the elements of good root cause analysis;
  • The degree to which a robust emerging risk process is used to uncover uncertainties to goal achievement;
  • The degree to which the vision and strategy are executed considering risk and risk management; and,
  • The degree to which resiliency and sustainability are integrated between operational planning and risk process.

Like all risk management strategies, no two are exactly the same, and there is no one way to accomplish maturity. Importantly, every risk leader needs to do for his or her organization what the organization needs and will support. 

Of course, RIMS is not the only source of risk maturity measurement. Others, including Aon, use different criteria. Aon’s model includes these components:

  • Ensuring the board understands and is committed to the risk strategy;
  • Effective risk communications;
  • Emphasis on the ties among culture, engagement and accountability;
  • Stakeholder participation in risk management activities;
  • The use of risk information for decision making; and,
  • Demonstration of value.

This is not to say that the RIMS model ignores these issues; the two models simply place their emphasis differently.

Another model worth considering is Protiviti’s perspective on risk maturity as it relates to the board of directors’ accountability for risk oversight. A few highlights of that perspective include:

  • An emphasis on the risks that matter most;
  • Alignment between policies and processes;
  • Effective education and use of people and their place in the organization;
  • Ensuring assumptions are supportable and understood;
  • The board’s knowledge of asking the right questions; and,
  • Understanding the relationship to capability maturity frameworks.

Certainly, good governance is critical to ultimate success, and the board’s role sits at the apex of that governance. If the board is engaged and accountable for ensuring that its risk oversight responsibility is effectively executed, successful execution of the strategy is likely and, by inference, risk and related claims will have been effectively managed, as well.

Another critical aspect of risk and claims that should not be overlooked is their impact on productivity. Productivity depends directly on people’s availability to work, and risks produce losses that affect both people and property, oftentimes together, so impacts to productivity are a frequent result of losses and the claims they generate. Further, productivity impacts are not limited to on-the-job injury. Every car accident, property loss or general liability loss that includes personal injury has implications for productivity, either inside or outside the workplace. As a result, it behooves risk and claim leaders to align their interests and focus their efforts jointly on these impacts.

Finally, a few fundamentals that are important to understand in execution of these goals include understanding that:

  • how you handle claims will directly affect not just your TCOR but your overall risk management capability and effectiveness; 
  • there is no one right approach to managing claims or risks; each organization must chart its own course aligned with its culture and priorities;
  • risk and the claims they can generate must be treated as an integral aspect of organizational strategy;
  • risk and claim management should be a focus on additive value; and,
  • organizations with more mature risk and claim management have shown that better results follow.


In its simplest form, risk management is about preventing (or, on the upside, leveraging), financing and controlling risk and loss. Effective risk management is dependent on many elements, not least of which is effective claims management. And while claims are naturally focused on negative events that have already occurred, this activity is centrally critical to comprehensive, effective risk management.

How you prioritize claims and related activities will have significant effects on how you can contribute to organizational success. Doing both well will enable both risk and claim management effectiveness, demonstrated by measurable maturity.

Key Indicators of Weak ERM Programs

Almost every insurer has an official list of risks, often referred to as a risk register. Maintaining a risk register is a basic step in managing risks, following risk identification, prioritization, assignment of risk owners and creation of mitigation plans. 

One problem with many risk registers is that they are filled with generic risks. Although these risks may be real ones for the company, their lack of specificity does not contribute to a true understanding of them in the necessary detail or to planning targeted mitigations for them. 

For example, a risk register might show a risk such as “premium receivables may be late, resulting in ‘over 90s’ or uncollectable premiums,” a risk that every insurer has to some degree. However, for the company in question the real risk is “underwriters may have too much discretion to change premium collection terms and conditions leading to ‘over 90s’ or uncollectable premium.” The generic version does not indicate the root cause of the risk and can lead to ineffective mitigation strategies.

Or, a risk register may show a risk as “difficulty in attracting talent for open positions” when the real risk is “social media and internet sites may not present the company in a good light, making it hard to attract talent.” By stating a generic risk, management does not have to admit what it may not want to acknowledge.

Yet another example is a risk register that states an IT risk as “too many legacy systems still exist, creating data and service issues,” when the actual risk is “the XYZ underwriting system is not adequately integrated with other systems to create accurate data, seamless processing or a competitive customer experience.” Not naming the culprit system(s) omits the source and scope of the risk, and not qualifying the effects of the risk omits the true nature of what is at stake if the risk is not addressed.

The more nebulously a risk is characterized, the less clear it is who the risk owner should be. Without a clear and appropriate risk owner, the chance that the risk will not be adequately addressed grows.

Regardless of the category of risk, without specifics the entries in many risk registers seem more for external consumption than internal action. If the same list of risks could be adopted by any other insurer of the same size, age and business mix, then it is not fit for purpose for the insurer whose risks it is supposed to represent. It may be fine for an externally published list of risks to lack detail that could be considered proprietary, so long as it meets certain thresholds, but it is not fine for a list intended for internal use.


Another big problem with risk registers is that many do not include the strategic risks the company needs to be concerned about. Strategic risks tend to stem from the vision, mission and goals of the company. A strategic risk might concern the lines of business written, the customer segments targeted or the geographic footprint. For example, a risk for a workers’ compensation (WC) monoline insurer might be “premium volume may shrink significantly in the next five years due to robotics and AI reducing the size of the workforce.” A risk for an “internet only” insurer might be “there may be difficulty reaching sufficient scale because of the lack of barriers to entry by identical competitors and because some buyers will never buy over the internet.” Such an insurer will also have a talent risk because of competition for IT talent across all insurers and industries.

Or, a risk for an insurer that has high concentrations in Cat-prone states might be: “Without further geographic expansion, the lack of diversification may hurt profitability significantly.”  

It is simply not common to see these types of strategic risks listed in the risk register. Yet, strategic risks tend to be the most existential of all risks. In the past, some large insurer failures stemmed from strategic risks not being addressed appropriately or at all. For example, risks associated with undisciplined growth or delayed reaction to underperforming books of business, which are strategic risks, have not been recognized by insurers, and such insurers have paid a steep price for that lack of recognition. 

An additional problem with risk registers is the mediocrity of the planned mitigations. A good risk register should minimally show: 1) the risk, 2) its ranking as to impact and likelihood, 3) the risk owner, 4) the planned mitigation and 5) the status of the mitigation efforts at each update of the register.

Undoubtedly, it is key to identify the risks, but identifying and recording them does nothing to help the organization unless there is adequate mitigation. Mitigation can take many forms: avoiding, transferring, minimizing or accepting the risk, albeit with a contingency. A planned mitigation that is too weak, too expensive relative to the risk or impossible to implement will not benefit the organization. Worse yet, an inadequate mitigation may allow the risk to grow while the board or senior management thinks it is being reduced.

The mitigations in the register should not be just a recounting of current controls or existing risk-reducing practices; they should be innovative and robust tactics for attacking the risks.

Boards, senior management and chief risk officers should evaluate their risk registers based on these questions:

  • To what extent are risks stated clearly and specifically?
  • Are there risks included that are unique to the company?
  • Based on how the risk is stated, is it clear who the risk owner should be?
  • Based on how the risk is stated, does it help to pinpoint what type of mitigations are needed?
  • To what extent are strategic risks included?
  • Are there current or emerging strategic risks that are not included?
  • Are the planned mitigations equal to the seriousness of the risks; i.e. are they sufficiently robust? 
  • Is the cost of the planned mitigation in balance with the potential impact of the risk?   
  • Are the planned mitigations attainable, implementable?
  • Is the mitigation plan implementation on track?
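The five minimum fields listed above and the evaluation questions that follow them can be applied mechanically to a register before a board ever sees it. The linter below is an added example, not code from the article or from any named firm; the `cause` field, the 1-5 impact/likelihood scale, the status vocabulary, the placeholder-owner list and the words taken to signal a mitigation that merely restates current controls are all assumptions, and the two sample entries are constructed to mirror the generic-versus-specific pairs discussed in the text.

```python
"""Lint a risk register against a minimum schema and the checklist above.

Added example, not from the original article. The register schema (risk,
impact, likelihood, owner, mitigation, status) follows the five minimum
fields the text lists; the `cause` field, the 1-5 scale, the status
vocabulary and the word lists below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

VALID_STATUS = {"planned", "in progress", "complete", "blocked"}  # assumed vocabulary
# Assumed: a mitigation opening with one of these usually restates an existing control.
CONTROL_RESTATEMENT = ("continue", "existing", "current", "ongoing", "maintain")
# Assumed: owners that name nobody accountable.
PLACEHOLDER_OWNERS = {"", "tbd", "tba", "management", "everyone", "various"}


@dataclass
class RiskEntry:
    risk: str                     # the risk statement as written in the register
    cause: str                    # named root cause or source system ("" if none)
    impact: int                   # 1 (negligible) .. 5 (existential)
    likelihood: int               # 1 (remote) .. 5 (near certain)
    owner: str                    # accountable person or role
    mitigation: str               # planned response (avoid/transfer/minimize/accept)
    status: str                   # progress at this update of the register
    mitigation_cost: float = 0.0  # assumed: estimated cost of the mitigation
    impact_estimate: float = 0.0  # assumed: monetary estimate of the impact


def lint_entry(e: RiskEntry) -> List[str]:
    """Return the findings for one register entry (empty list = clean)."""
    findings: List[str] = []
    for name in ("impact", "likelihood"):
        value = getattr(e, name)
        if not 1 <= value <= 5:
            findings.append(f"{name} {value} outside the 1-5 scale")
    if not e.cause.strip():
        findings.append("no root cause or source named; the risk reads as generic")
    if e.owner.strip().lower() in PLACEHOLDER_OWNERS:
        findings.append(f"no accountable owner ({e.owner!r})")
    mitigation = e.mitigation.strip().lower()
    if not mitigation:
        findings.append("no planned mitigation")
    elif mitigation.startswith(CONTROL_RESTATEMENT):
        findings.append("mitigation restates current controls rather than a new tactic")
    if e.status.strip().lower() not in VALID_STATUS:
        findings.append(f"unrecognised status {e.status!r}")
    if e.impact_estimate and e.mitigation_cost > e.impact_estimate:
        findings.append("mitigation costs more than the impact it reduces")
    return findings


def priority(e: RiskEntry) -> int:
    """Impact x likelihood score used only to order the register."""
    return e.impact * e.likelihood


def lint_register(entries: List[RiskEntry]) -> Dict[str, List[str]]:
    """Lint every entry; result is keyed by risk statement, highest priority first."""
    ordered = sorted(entries, key=priority, reverse=True)
    return {e.risk: lint_entry(e) for e in ordered}


# Constructed sample entries: a generic IT risk and its specific counterpart.
SAMPLE_REGISTER = [
    RiskEntry(
        risk="Too many legacy systems still exist, creating data and service issues",
        cause="", impact=4, likelihood=4, owner="TBD",
        mitigation="Continue the modernisation roadmap", status="ongoing"),
    RiskEntry(
        risk="The XYZ underwriting system is not adequately integrated with other systems",
        cause="XYZ underwriting system has no interface to the policy administration platform",
        impact=4, likelihood=4, owner="Head of Underwriting Systems",
        mitigation="Build the integration layer and retire manual re-keying by Q4",
        status="in progress", mitigation_cost=250_000, impact_estimate=2_000_000),
]

if __name__ == "__main__":
    for risk, findings in lint_register(SAMPLE_REGISTER).items():
        print(risk)
        for finding in findings or ["ok"]:
            print("  -", finding)
```

Run as a script it prints four findings against the generic entry (no cause, no owner, a mitigation that restates an existing control, an unrecognised status) and none against the specific one. The heuristics are deliberately crude; the value is in forcing each entry to carry a cause, an owner and a distinct mitigation before it is reviewed, not in the word lists themselves.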

Bottom line, a poorly constructed risk register points to a failure of the entire ERM process and practice. As an essential tool for managing risk across the enterprise, it reveals a lot about how well risk is being managed. Thus, the register can be a good indicator of the overall state of ERM in the organization.

A Renewed Focus on EERM Practices

With third-party risks on the rise, there is renewed focus on maturing extended enterprise risk management (EERM) practices within most organizations. This focus appears to be driven by a recognition of underinvestment in EERM, coupled with mistrust of the wider uncertain economic environment.

To understand the broader risk environment and provide organizations with the insights needed to assess their risk and adapt processes accordingly, Deloitte recently conducted its 2019 Extended Enterprise Risk Management (EERM) Survey, obtaining perspectives from more than 1,000 respondents across 19 countries covering all the major industry segments. Results shed light on crucial considerations surrounding economic and operating environments; investment; leadership; operating models; technology; and affiliate and subcontractor risk. More specifically:

Economic and operating environment: Economic uncertainty continues to drive a focus on cost reduction and talent investment in EERM. The main drivers for investing in third-party risk management are: cost reduction, at 62%, reduction of third-party-related incidents, at 50%, regulatory scrutiny, at 49%, and internal compliance, at 45%. Organizations urgently want to be more coordinated and consistent in extended enterprise risk management across their organization, as well to improve their processes, technologies and real-time management information across all significant risks.

Investment: Piecemeal investment has impaired EERM maturity, left certain risks neglected and hurt core basic tasks. Only 1% of organizations say they address all important EERM issues, and only a further 20% say they address most EERM issues. One of the main reasons for this maturity stall is that organizations are taking a piecemeal approach to investment – they are mostly making tactical improvements rather than investing in strategic, long-term solutions. This piecemeal approach has led to certain areas – such as exit planning and geopolitical and concentration risk – being neglected, and some organizations not doing core basic tasks well, such as understanding the nature of third-party relationships and related contractual terms.


Leadership: Boards and senior executives are championing an inside-out approach to EERM, which includes better engagement and coordination and smarter use of data. The survey reveals that boards and executive leadership continue to retain ultimate responsibility for EERM in the majority of organizations. Better engagement and coordination across internal EERM stakeholders is a top priority for boards and senior leaders. Boards are moving away from using periodically generated data to more succinct and real-time, actionable intelligence, generated online. But who has ultimate responsibility for third-party risk management? According to the survey results, 24% indicated the chief risk officer, 19% indicated other board members and 17% indicated the CEO.

Operating models: Federated structures are the most dominant operating model for EERM, underpinned by centers of excellence and shared services. More than two-thirds, 69%, of respondent organizations say they adopt a federated model, and only 11% of organizations are now highly centralized, which is down from 17% last year. Investments in shared assessments and utilities, and managed services models, are also increasing. Furthermore, co-ownership of EERM budgets is also emerging as a trend. Robust central oversight, policies, standards, services and technologies, combined with accountability by business unit and geographical leaders, is a pragmatic way to proceed.

Technology: Organizations are streamlining and standardizing EERM technology across diverse operating units. The survey confirms Deloitte’s prediction last year that a three-tiered approach for third-party risk management will continue. Smartly coordinated investments in third-party risk management technology across three tiers can drive efficiency, reduce costs, improve service levels, increase return on equity and create a more sustainable operating model. More specifically, 59% of the respondents adopted tier one, 75% adopted tier two and tier three continues to grow.

Affiliate and subcontractor risk: Organizations have poor oversight of the risks posed by their third parties’ subcontractors and affiliates. The lack of appropriate oversight of subcontractors is making it difficult for organizations to determine their strategy and approach to the management of subcontractor risk. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties. And a further 8% only do so for their most critical relationships. Leading organizations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks.” Less than 32% of organizations evaluate and monitor affiliate risks with the same rigor as they do other third parties. As affiliates are typically part of the same group, organizations are likely to have a higher level of risk intelligence on them than other third parties.


For more information on Deloitte’s “2019 Extended Enterprise Risk Management Survey,” or to download the full report, see Deloitte’s website.

Risk Culture Revisited: A Case In Point

True, a great deal has been written about the importance of inculcating a positive risk culture if an organization is serious about managing its enterprise risk. Yet, when it comes to discussions about organizational culture, many executives’ eyes glaze over because the topic is too nebulous or because they have no idea how to influence or develop a particular type of culture. Underwriters, considering an application from a commercial customer, generally do not look too deeply into the company’s risk culture. Given that risk is growing in magnitude and variety and with increasing speed of onset, it behooves leaders to take concrete actions to establish a sound risk culture or to maintain one if it already exists. And underwriters should also be interested in the risk culture of accounts they write for the same reasons.

Often, I am inspired to write about something because of some news I hear or read about. In this case, something on the law360 website caught my attention: A woman slipped and fell near a collapsed “wet floor” sign at a casino. This person, Ms. Sadowski, suffered serious injuries and was awarded $3 million by an Ohio jury.

“The sign lay flat on the floor that day in September 2016, and a Jack Cincinnati Casino employee even walked around it but did not pick it up,” Sadowski’s attorney, Matt Nakajima, said, according to the Cincinnati Enquirer. He said that, moments later, Sadowski tripped over it and broke one of her knee caps. There were no safety measures in place for floor inspections or fall prevention, he said, and the employee who walked around the collapsed sign was not reprimanded. So, despite the use of “wet floor” signs, other aspects of risk management were purportedly absent.

It seems the jury believed Nakajima’s description. If the description is accurate, the part about an employee walking around a collapsed “wet floor” sign is very troubling, as is the fact that there were no consequences for the employee. These kinds of actions point to a lack of a risk-aware culture at various levels.


So, how do leaders build a risk culture, and how do underwriters probe to see what kind of risk culture exists in their prospective insureds’ organizations?

Three Basic Steps to Build Risk Culture

  • Articulate the organization’s position on managing risk at key communication junctures and through different media with employees: 1) hiring interview, 2) orientation, 3) staff meetings, 4) webcasts, newsletters, bulletin boards.
  • Include a risk culture criterion in all performance reviews; e.g., does the employee perform duties safely and address or report hazards/risks when they are identified? Evaluate positively or negatively, as warranted. Celebrate exemplary cases of risk awareness or risk mitigation.
  • Ensure that policies, procedures and work instructions all describe what is expected in terms of safety, precaution and risk reporting.

Three Basic Data Points for Underwriters to Ascertain

  • Does the organization have any losses in the loss history that show an egregious lack of risk awareness?
  • Does the organization practice ERM or, at least, have policies around required safety measures, risk/hazard reporting, training on avoiding cyber and other risks, etc.?
  • Does the organization discuss or evaluate risk awareness as part of normal performance management?

At a time when every insurer is streamlining the information it requests from potential insureds, adding more requests for data seems antithetical. However, in light of the thousands of ways that employees can create, increase or decrease risk in an organization, the culture they embrace is very important. For example, an HR staffer who delays inputting an employee termination to the appropriate systems can create huge data and physical security risks. Likewise, a factory worker who leaves equipment running while going on break, when it should be turned off, can create safety and property risk. Or, consider a finance employee who thinks a spoofed email is actually from the CEO and sends a payroll check to the hacker’s account because there was no secondary control or it was not adhered to. The questions above will help underwriters to get a glimpse of the risk culture at the company they are evaluating.


A risk-aware culture plays a role regardless of the category of risk: financial, operational, legal, cyber, human resource, strategic, etc. Everyone from the top to the bottom of the organization needs to have an automatic and quickfire gut check regarding their actions: am I creating a risk by taking this action; have I recognized the risks in the situation that is leading me to action; do I need to vet a recognized risk with others? When an organization reaches the point where this type of thinking is natural, and almost universal, then it can be said that a positive risk culture has been embedded.

Her latest book is “Enterprise Risk Management: Straight Talk for Nonprofits.”

Integrating Cyber Risk in ERM Framework

Enterprise risk management (ERM) is often viewed as a bureaucratic and unnecessary process, subtly or overtly motivated by regulation, accompanied by internal risk leadership kingdom building and suggesting an unclear value proposition. Occasionally, these perceptions are correct, and ERM fails. Yet, there is hope for a successful ERM approach with the right motivations and when designed and implemented with the real business goals and culture of the organization in mind. This is when ERM becomes an invaluable approach to learning about and managing truly destructive risks. A successful ERM approach also creates a clearer lens for seeing and responding to emerging risks, including potential impacts, and helping to prioritize the more valuable solutions. The resulting ERM processes are, however, often fraught with hurdles, preventing many organizations from achieving a level of risk astuteness and maturity beyond ad-hoc decision making.

Few risks affect organizations with the diversity, impact and pervasiveness of cyber. As we are now a truly internet-connected and -dependent world, few organizations escape material exposure to this ever-evolving risk and its wide range of impacts; fewer still seem to have effective plans for cyber risk mitigation or an ability to calculate the value “in play” gained, or not, from their cybersecurity strategies. This is not to say many organizations haven’t addressed or aren’t trying to address cyber risk. Beyond regulatory requirements, no effective governance structure today would allow management to ignore or fail to actively investigate this increasingly complex enterprise-wide risk. Even so, why would cybersecurity become a clarion call for ERM? What role does ERM play in helping to solve the cyber dilemma and to assess this critical cross-enterprise risk? We are glad you asked.

Every organization should approach risk management in a way that is effective for itself and its key stakeholders, both internal and external. This sounds good but, as mentioned, is hard to accomplish. ERM often means something much less than a comprehensive, multi-step framework and numerous processes addressing a full gamut of ERM components. ERM should at least mean, however, that those elements that most meaningfully contribute to solving the problem (i.e. understanding and controlling the risk) are employed. Certainly, at a minimum, this means identifying and valuing the significance of the exposure, treating it appropriately and then monitoring its status until it is no longer a significant threat. However, is it necessary to first build a risk culture, create a risk appetite, implement a risk tolerance strategy, appoint risk liaisons across the business, establish ERM committees and invest in sophisticated risk modeling?

Likely not, unless your key stakeholders suggest or regulation requires otherwise. ERM processes can easily become overly complicated and burdensome, often working to slow or complicate risk identification and mitigating responses and unnecessarily constraining the business. Further, many ERM processes focus repetitively on risks with a potential for the most obvious and severe impacts (larger inherent risks), sacrificing an ability to otherwise tease out emerging risks and those subtle, often related, frequency risk impacts (lower-level risks), which may be slowly (or rapidly) correlating across the business. ERM frameworks primarily focused on a severity approach, unfortunately, result in a blurry ERM lens and may inadvertently expose the organization to emerging and systemic risk blind-spots. A good example of an emerging risk blind-spot is the various risks found today within a category of risks associated with information security (i.e. cyber risks).


Cyber risks are a notably different type, when compared with the types of risks historically addressed within an enterprise-wide risk management framework. Why? Cyber risk management is analogous to identifying and responding to risk impacts from multiple, simultaneous “smart tornadoes” (e.g., advanced persistent threats).

For example, consider these two facts: 1) cyber risk can be high-frequency and low-severity, or high-frequency and high-severity, at the same time; and 2) cyber risk “impacts” vary widely depending on complexity of known and unknown harm administered, success rate of harm administered and internal acceleration of any such harm (dwell time, lateral movement, then organizational detection and response). These variables create an infinite number of impacts and costs, matrixed across a business.

This is an unusual risk behavior, to say the least, and today’s dynamic cyber risk ecosystem creates a delicate challenge for many in the information security profession. When a person proclaims (or attests, or suggests) “don’t worry, we have cyber risk covered” (e.g., managed or otherwise solved for), then she is suggesting an ability to see the future. In other words, she is implying that she generally knows how those smart cyber tornadoes are going to behave outside, inside and throughout the business, every day.

Admittedly, for most, it is difficult to acknowledge what we do not know and, especially, the vulnerability we may have in facing a first-of-its-kind risk management challenge – with various risks we are unlikely to completely mitigate. However, as more and more businesses engage cloud service providers and increase use cases for Internet of Things (IoT) endpoints, organizational key stakeholders, such as boards of directors, regulators and rating agencies, are becoming increasingly concerned about how organizations are identifying gaps in cybersecurity efforts. There is movement by these stakeholders to test and confirm that risk management processes are in effect and that the enterprise is identifying and responding to risks associated with those smart cyber tornadoes.

It is important to understand that even if an organization believes it “has cyber risk covered” by virtue of its current information security (‘InfoSec’) approach, there is still, for many, a critical regulatory requirement to assess the cybersecurity risk itself. Failure to adequately identify, test, monitor, trend and report on enterprise-wide cyber risks creates significant financial, regulatory, reputational and operational exposure for the organization. Static reports that capture log data but are not otherwise normalized or matched to enterprise risk profiles and controls are arguably not offering complete or robust information to the enterprise, for either historical or prospective time periods. And, when we say a risk is managed, it is important to note we are applying a risk management term of art – regulators often have definitions and tests to demonstrate assurance.

Managing a risk means identifying, tracking, scoring and valuing, normalizing and trending risk performance, including the net impacts. These steps are performed in accordance with compliance standards and aligned with risk tolerance. Management also includes evaluating how the risk profile (e.g., an enterprise grouping of all defined cyber risks) is changing over time (and we know it is changing) and what key risk impacts the organization is facing from the portfolio of (cyber) risks. This is where the ERM framework and ERM processes can help.

The existence of an ERM framework does not provide a carte blanche solution for cyber risk management or mitigation of undesirable cyber risk outcomes. Instead, consider ERM a distinct, enterprise-wide enabler for addressing cyber risk management. In many cases, in-force ERM processes and protocols provide the “plumbing” that InfoSec leaders can immediately access and rely on to deploy quick(er) cyber risk identification, monitor the effects of specific risk mitigation strategies and capture and analyze overall enterprise-wide cybersecurity results.

The interplay between ERM and InfoSec serves a critical function for the business. It helps to optimize risk management resources to ensure the InfoSec team is able to focus on the cybersecurity battle at hand. Hacker-driven intrusions and internal actors, along with many other threat vectors and attack surfaces, keep the InfoSec community scrambling for the best depth of defense and tactical offenses required to maintain uptime productivity, lower dwell times, accelerate responses and ensure overall data governance. Meanwhile, together with ERM, InfoSec faces global regulation of personal data actively shifting underfoot, resulting in increasing complexities and wider adoption of cybersecurity regulatory standards.

These newly enacted regulatory standards are providing regulators with an ability to dig deep and assess enterprise-wide cybersecurity risk management. For instance, the National Association of Insurance Commissioners recently said:

“State insurance regulators have undertaken a number of steps to enhance data security expectations to ensure these entities are adequately protecting this information. As part of these efforts, the NAIC developed Principles for Effective Cybersecurity that set forth the framework through which insurance regulators will evaluate efforts by insurers, producers, and other regulated entities to protect consumer information entrusted…(sic)”

Additionally, the New York Department of Financial Services recently said:

“Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”

It is important to note that both regulatory agencies are concerned with evaluating enterprise-wide cybersecurity risk – which, in turn, leads us back to the enterprise-wide risk management “plumbing” and risk governance processes and how the ERM-InfoSec interplay can be helpful in achieving organizational risk management objectives.

As an example, we can consider how to use the NIST CSF (National Institute of Standards and Technology – Cybersecurity Framework) as a starting point for an enterprise-wide cyber risk identification exercise. The NIST framework offers a diagnostic approach for assessing an organization’s technical cyber risk profile (the current state) versus desired risk tolerance and outcomes (the target state).

Separately, using a similar approach, ERM can be assessed through commonly adopted risk maturity evaluative frameworks. One such framework is the RIMS Risk Management Maturity model (RIMS-RMM). This model shares several diagnostic themes with the NIST CSF, including evaluations of risk identification, risk culture, risk resiliency and risk governance. (National Association of Insurance Commissioners, 2014)


The common themes between several functional topics within the two frameworks create an opportunity to explore the correspondences between them. Scores can be mapped and linked, effectively creating an integrated overall score, by applying relativity factors that capture the directional relationships between the two frameworks. For instance, how might low technical cyber risk scores, such as weak DLP (data loss prevention) oversight, inform and potentially change the ERM score addressing risk (data) governance? When properly integrated, the NIST CSF and RIMS RMM provide a synchronized view on data governance, privacy and enterprise-wide cybersecurity performance.
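As an added illustration of the score mapping described above (this is example code written for this article, not a published scoring method of NIST, RIMS or the author), the following rescales NIST CSF category scores and RIMS-RMM theme levels onto a common 0..1 range, applies assumed relativity factors so that a weak Data Security (PR.DS) score pulls down the risk governance theme, and reports the gap against a target maturity level. The category-to-theme mapping, the weights, the per-category 1..4 scoring and the sample scores are all constructed assumptions.

```python
# Constructed illustration: blending NIST CSF category scores into ERM maturity
# themes via "relativity factors". Mapping, weights and sample scores are
# assumptions for this example, not the frameworks' published scoring.

# Assumed scales: CSF categories scored 1..4 (like the CSF tiers), RIMS-RMM
# themes scored 1..5 (like its maturity levels); both rescaled to 0..1.
CSF_SCALE = (1, 4)
RMM_SCALE = (1, 5)

# Assumed relativity factors: how strongly each CSF category informs a theme.
# PR.DS (Data Security, where DLP oversight sits) dominates risk governance.
RELATIVITY = {
    "risk governance":     {"PR.DS": 0.6, "ID.GV": 0.4},
    "risk identification": {"ID.RA": 0.7, "DE.CM": 0.3},
    "risk resiliency":     {"RS.RP": 0.5, "RC.RP": 0.5},
}

# Constructed sample assessment: weak Data Security, otherwise mid-range.
SAMPLE_CSF = {"PR.DS": 1, "ID.GV": 3, "ID.RA": 3, "DE.CM": 2, "RS.RP": 3, "RC.RP": 2}
SAMPLE_RMM = {"risk governance": 4, "risk identification": 3, "risk resiliency": 3}


def normalize(score, scale):
    """Rescale a score on (lo, hi) to 0..1; reject out-of-range input."""
    lo, hi = scale
    if not lo <= score <= hi:
        raise ValueError(f"score {score} outside scale {scale}")
    return (score - lo) / (hi - lo)


def integrated_scores(csf, rmm, technical_weight=0.5):
    """For each theme return (rmm_only, integrated): the self-assessed ERM
    level blended with the weighted, normalized CSF categories mapped to it."""
    out = {}
    for theme, factors in RELATIVITY.items():
        erm = normalize(rmm[theme], RMM_SCALE)
        tech = sum(w * normalize(csf[cat], CSF_SCALE) for cat, w in factors.items())
        blended = (1 - technical_weight) * erm + technical_weight * tech
        out[theme] = (round(erm, 3), round(blended, 3))
    return out


def gaps(scores, target_level):
    """Themes whose integrated score falls short of the target RMM level,
    with the size of the shortfall on the 0..1 scale."""
    target = normalize(target_level, RMM_SCALE)
    return {t: round(target - s[1], 3) for t, s in scores.items() if s[1] < target}


if __name__ == "__main__":
    scores = integrated_scores(SAMPLE_CSF, SAMPLE_RMM)
    print(scores)             # governance drops from 0.75 to 0.508 on weak PR.DS
    print(gaps(scores, 4))    # shortfall against a target level of 4
```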

An integrated analysis, such as a combined NIST CSF plus RIMS RMM approach, helps an organization accelerate its ERM and InfoSec risk management performance and increases risk awareness. In turn, increasing risk awareness leads to becoming more risk astute. When an organization is more risk astute, it is maturing in its risk management thinking, as evidenced by positive return on risk investments and system-wide risk mitigation solutions prioritized and finely attuned to best support organizational growth and profitability. Most importantly, it is increasing its cyber resiliency while deploying strategic cyber risk management.

The company that successfully integrates a robust cyber risk management approach and its ERM framework is at a distinct competitive advantage. Not only is such an organization effectively managing its resources and expenses; it is linking cybersecurity to its business goals, enterprise risk profile and strategic vision.