Cyber Risks Move up the Corporate Agenda

A newly-published risk management report reveals an increasing focus on cyber threats as well as detailing where risk managers report within their companies.

The 12th annual
‘Excellence in Risk Management Report
‘ was jointly prepared by insurance broking and risk management group Marsh and the Risk Management Society (RIMS).

The report shows that 50% of respondents said the risk management function reports to the chief financial officer (CFO) or treasurer.

The remaining 50% report to other company executives, such as general counsel at 12%, other C-suite members at 8%, chief risk officer (CRO) at 7%, internal audit and operations at 5% each, and human resources at 2%.

“The fact that risk management is reporting into some of the other functional areas I think is really a positive,” said Carol Fox, the director of strategic and enterprise risk practice for RIMS in New York.

“We’re seeing more investment in those areas, we’ve seen more integration with operations, we’ve seen more visibility for risk management functions when they don’t report to treasurers and CFOs.”

To the question “Over the next 12 months, which of the following areas of risk management will be a priority(ies) for your organisation,” 43% answered cyber security, putting it at the top of the list. However, fewer than half had quantified the risk, and even fewer had prepared for an event.

“We looked at cyber security and asked, ‘Are you actually quantifying the risk?’ and found that 40% had actually quantified the (cyber) risk within the organisation,” said Fox. “Where we found a difference is that while they were identifying and quantifying the risk in some ways, the actual planning for an event of that kind seemed to be lacking.”

Marsh has also launched two cyber risk assessment services to help understand, measure and manage cyber risk.

Marsh Cyber Monitor enables companies to understand their cyber risk by examining a comprehensive set of threat indicators that are continuously updated using a variety of data collection methods. Individual companies can proactively understand their cyber security posture, gain insight into how their cyber risk is changing, and benchmark themselves against their peer group on an ongoing basis.

Marsh Cyber View combines an ‘outside-in’ analytics-driven view of cyber security vulnerability with customised cyber risk advisory services. Companies can gain insight into the factors that underpin their cyber risk, how they compare with peers on the underlying risk factors, and how to remediate risks that are trending outside the norms. A variety of risk factors are analyzed and combined with business and technology insights on how to reduce or transfer the associated risk.


Related reading