A major European risk management association calls for the creation of cyber risk governance groups, chaired by the risk manager.
The Federation of European Risk Management Associations (FERMA) is advocating for cyber risk governance groups led by risk managers to increase organisations’ resilience to developing threats.
In a new report, At the junction of corporate governance and cybersecurity, European risk experts have called for organisations to create dedicated internal cyber risk governance groups to address digital risks across the whole enterprise as the threats evolve.
The report, which is co-authored with the European Confederation of Institutes of Internal Auditing (ECIIA), states that recent cyber attacks have increased concerns about what the risk experts see as a wider lack of focus on risk governance in cyber security.
“Cyber risk is an enterprise issue that affects strategic aspects of the board’s mandate including valuation, reputation and trust,” said Jo Willaert, president of FERMA.
“The management of cyber risk has, therefore, become a corporate issue that should be reflected in the governance of the company.”
The report calls for the creation of cyber risk governance groups, chaired by the risk manager, to operate across functions within the enterprise.
The role of this group is to determine the potential cost of cyber risks across the whole organisation, including catastrophic risk scenarios, and propose mitigation measures to the risk committee and the board.
In addition to the risk managers, the group is to be composed of representatives of all key enterprise-level functions involved in digital risk, notably IT, human resources, communications, finance and legal, together with the data protection officer (DPO) and the chief information security officer (CISO).
Internal audit will provide the necessary assurance to the board that the cyber risk controls are operating effectively.
“Our recommended cyber risk governance model constitutes an innovative way for organisations to approach cyber security,” added Willaert.
“It will allow the board of directors to demonstrate that cyber risks are managed on a rational and documented analysis of the risks across the organisation.”