In my first post on integrated cyber risk management, we looked at financial firms bringing together leadership and capabilities across fraud, IT, cyber security and operational risk, both to improve enterprise risk management and to build cyber resilience. I’d like to unpack the concept of cyber resilience a bit further. What is cyber resilience? In short, resilience is the ability to respond quickly and confidently, reduce damage or loss, and continue to execute business in the face of an attack.
Cyber resilience results, in part, from the coming together of two key business functions. But what does it really mean to integrate cyber security and operational risk?
Our paper with Chartis Research digs into this topic. It begins with a review of the Basel Committee’s definition of operational risk: “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.”[1] The definition sums up the problem neatly.
It’s important to note that many organizations focus on external threats, yet cyber threats can come from both internal and external sources. Our Accenture video series outlines a variety of threats that might “slip through the cracks” without an integrated view of the multiple sources of threats.
A cyber attack from an external criminal can fit within the Basel Committee’s definition—as can a cyber attack from an internal, disgruntled employee. It’s often the internal scenario that gets missed—as state-of-the-art firewalls to prevent incursions do not help if the attacker is already inside!
But with a more holistic approach to addressing the sources of threats and with a joint vision among the chief risk officer and chief information security officer, these threats shouldn’t slip so easily through the cracks.
But top-level alignment is only one of the challenges that needs to be solved. Many layers below it also need to be addressed and better connected.
In most organizations today, cyber security is typically managed through its own set of internal controls within IT. Likewise, the duties and processes required for operational risk tend to reside in the risk and compliance function. The silos can be plentiful within a financial services firm.
But one cyber attack can involve multiple functions that sit within these silos. When a cyber criminal targets an employee and manages to compromise the person’s email—thus opening cyber doors within a financial enterprise—the crime can touch on fraud, IT risk, legal risk, conduct risk and other functions that are often housed within separate departments.
We believe it is essential to bring cyber security into a common framework, which builds a wider umbrella of security and resilience for a financial firm. See our thought leadership on cyber risk for more information on how to create this integrated approach to cyber security.
[1] “Consultative Document on Operational Risk,” Basel Committee on Banking Supervision, January 2001. Access at: https://www.bis.org/publ/bcbsca07.pdf