As the rate of technology change exposes financial institutions to greater risk and regulatory compliance, it also opens new pathways to value creation and opportunity investment.
This has led to a movement to elevate cyber risk from a technology leadership problem to a business problem that is a key component of managing operational risk.
Historically, addressing cyber security has been the role of the CISO, who owned every aspect: setting policy, protecting the enterprise, and implementing the tools and technology to control the environment. To be effective, a single person with enough authority to manage technology risk holistically was needed.
Now, however, most of the other functions across a typical financial enterprise have been split into three lines of defense — the front-end business functions that own the controls; an independent risk management function that provides checks and balances; and an internal audit function that cross-checks everything even before an external audit. Cyber security, however, has not sat in that structure — because companies felt an individual technology authority was required to keep the enterprise safe.
That individual technology authority — often the CISO, charged with protecting the environment — is portrayed as a business inhibitor. That, however, frustrates the business, which is trying to find new revenue streams and compete with startups. As a result, a natural evolution is now happening: the business makes decisions based on a thorough understanding of the company’s appropriate risk appetite.
A More Holistic Outlook Is Needed for Cyber Risk
For the business to evolve rapidly, it needs to understand its risk posture, which should include cyber security in all due diligence exercises — to help make sure cyber is incorporated holistically, throughout the business.
The typical CISO and CIO report is programmatic in nature and doesn’t identify key cyber or technology risks. For example, when the IT organization is installing tools, there is no understanding of whether the metrics being reported actually show risk being reduced.
Instead, cyber risk exposure should be shared as a quantifiable dollar amount on the core assets the business cares about; based on the business’s risk appetite and KRIs, funding can then be allocated to reduce that risk.
Cyber as a Foundational Component of Operational Risk
KPMG believes a holistic operational risk framework, which includes cyber security risk as a foundational component, can help financial institutions achieve competitive advantage while securing the enterprise’s most valued assets.
Ideally, this means separating the first and second lines of defense, with the CISO reporting to the CIO. The primary role of the technology risk function should be maintaining the business processes and asset inventories, rather than focusing solely on business risk. That function must understand what the core platforms are, the core servers they sit on, and the type of data that sits on them — as well as why, from a risk classification standpoint, they are important.
Conversely, the cyber security policy should be owned by the second line of defense, under a cyber risk management lead role. That person should sit at the top of the operational risk management functions and report to the risk committee or the CRO. That function needs to develop an independent risk management framework for the business to sign off on, as well as KRIs against those risk appetites, which ultimately feed into a cyber policy that encompasses the business’s risk appetite.
The cyber risk management leader needs to independently challenge the first-line role of the CISO to make sure the CISO is putting appropriate controls in place to meet those objectives. The CISO needs to be closely involved, but the business should be able to make educated, risk-based decisions and ultimately own the risk.
Enabling the appropriate cyber risk posture starts with the foundational component of updating your organizational model. That is, clearly placing the CISO in the first line, reporting to the CIO, and then, if it doesn’t already exist, creating a cyber risk management lead function in the second line, reporting directly to the operational risk management lead. The cyber risk management function needs to establish risk appetite, KRIs, and an overall risk management framework that will feed into that high-level policy.
Once the organizational model is established and thriving, the model can evolve to leverage intelligent automation and data analytics to report on quantifiable risk.