Today’s business and IT leaders face unprecedented challenges in understanding and quantifying IT risk. Beyond the increasingly complex and interconnected nature of risk, the SEC’s new cybersecurity rules require public companies to (1) continuously monitor, assess, and disclose material cybersecurity events within four business days and (2) annually disclose cybersecurity risk management and governance activities, including how cybersecurity risk management is integrated into the overall risk management function. These rules (effective December 2023) underscore a crucial need: Now is the time to implement integrated risk management (IRM) technology to enable effective compliance with the SEC’s new rules and deliver greater value to the organization at large.
As AuditBoard’s 2023 Digital Risk Report assessed, most organizations still have fragmented approaches to risk and widely varying risk management maturity levels. How resilient is your organization’s IT risk management (ITRM) program? Are stakeholders across the business getting the information needed to identify, quantify, and respond to the risks that matter for their roles? Or are silos, piecemeal technologies, and a lack of reportable metrics preventing the visibility, control, and insight needed to manage risk effectively?
The answers to these questions aren’t simple — but fortunately, the three basic steps underpinning IRM aren’t hard to understand. October is Cybersecurity Awareness Month, celebrating its 20th year in 2023. In recognition, take time today to learn how the proper framework, metrics, and technology can help you break down silos and enable more effective and resilient IT risk management.
Step 1: Framework
Before looking at your controls, external auditors and regulators will look at your risk assessments to gauge whether management and those being audited have similar understandings of risk and the strength and robustness of the risk management program. That’s why starting with a framework that provides alignment, consistency, and balance is critical.
Different parts of the business naturally have different views on risk. For example, traditional ITRM-driven risk assessments of IT assets focus on IT risk, reflecting a limited understanding of how the assets enable business processes or how the risks impact desired business outcomes. A framework helps bring functions into closer alignment so the biases of one don’t take precedence over all others. Your framework — which will be unique to your organization — should provide:
- A structure with clear roles and responsibilities for risk-related activities, eliminating redundancy (e.g., duplicative controls, multiple risk assessments with different focus areas).
- A taxonomy for understanding and communicating risk across the business, creating a common language and connected view that ties risk into a broader business context.
- Balance across the risk objectives of performance, resilience, assurance, and compliance, harmonizing risk assessments so that the entire risk spectrum is assessed simultaneously, from IT assets to strategic business outcomes.
Step 2: Metrics
With a solid framework in place, bringing together different functions’ perspectives in a balanced way, you’re ready to focus on metrics. Reportable metrics help quantify IT risks in the context of your business, enabling more proactive risk management and strategic decision-making. Establish metrics by:
- Determining what’s most important through the lens of business outcomes and objectives. For example, what matters most relative to the performance and resilience objectives helping you stay in business or the assurance and compliance objectives helping to keep you out of trouble?
- Identifying reportable metrics in the form of key risk indicators (KRIs) tied to key performance indicators (KPIs), assessing the risks to the business in achieving desired business outcomes.
- Monitoring and evolving metrics to provide a more forward-looking view and ensure KRIs focus on the most relevant risks.
If your organization isn’t yet using reportable metrics, you’re not alone: The 2023 Digital Risk Report also found that approximately four out of five organizations (79%) lack reportable metrics. But it’s time for that to change. Beyond needing reportable metrics to comply with SEC cyber rules, monitoring based on reportable metrics is more effective for IRM than periodic risk assessments.
Step 3: Technology
It’s critical that technology is the third step in the process. Technology’s job is to enable your framework and metrics; you can only understand what technology is needed once both are in place.
Many companies leap to technology as the first step in remedying disconnected risk management, resulting in ill-fitting solutions that don’t connect risk areas in ways that make sense for the organization. However, implementing the right tech at the right time helps stakeholders across the business see risk from different angles and through the vital lenses of performance, resilience, assurance, and compliance.
Choose technology that draws people to the tool, providing value and support that help embed it in day-to-day operations — not just a periodic compliance exercise. The technology you select should simultaneously enable the “three Cs of IRM”:
- Communication: consistent and continuous information sharing across the organization.
- Context: common understanding of the risk relevance and impact to the business.
- Collaboration: coordinated actions to bridge the gaps between risk teams and the broader business.
Effective IRM demands connecting risk across the business and delivering insights to the right people at the right time. A step-by-step approach to establishing your framework, metrics, and technology can help you build the connected, adaptive, and responsive IT risk program your organization needs to manage pervasive, fast-moving cyber threats.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.