As the concept of cyber risk management continues to gain traction among regulators and financial institutions, the role of the CRO has transformed radically. Let’s take a look at the transforming role of CROs.
Common trends are emerging in the new and proposed cyber risk management regulatory standards, calling for a broad range of financial institutions to address cyber risk across business processes. Cyber risk management has become increasingly complex and interconnected, and is more of a global issue. Globally, enterprises and financial institutions go on a hiring spree to recruit a Chief Risk Officer following a massive data breach, to help shore up their cyber defenses.
Nowadays, almost all enterprises have a Chief Information Security Officer (CISO), and despite coming from highly technical backgrounds, CISOs have reached positions of leadership in the enterprise. They have been successful in managing and securing highly complex enterprise digital infrastructure, which includes cloud, servers, storage, and other devices and network systems that are vulnerable to cyber attacks. New cyber security vulnerabilities are constantly ready to exploit any given enterprise system, and regulators are making compliance requirements mandatory. Ultimately, it’s the CISO who takes all these calls and resolves them on a continuous basis.
Traditionally, in a large-scale enterprise, the CISO reported to the Chief Information Officer (CIO) because of the technology-focused nature of the role. Now, with the evolved position, CISOs are reporting to the Chief Risk Officer (CRO). However, technology remains the decisive factor in shifting the reporting lines of CISOs to the CRO. One significant reason why CROs are several steps ahead is their approach to cyber security: they view security less from a technical perspective and more from a risk standpoint.
Cyber risks are highly volatile: they are relatively new, rapidly changing, and can cause heavy loss of data. Hence, estimating the financial loss and framing a budget becomes a real challenge for CROs. However, CROs make their best efforts and frame a budget even with incomplete data, by establishing a baseline risk appetite based on known quantities and consensus expectations.
CROs have significant responsibilities and access to the board and senior management, which put them at the forefront of the technological, operational and human-resource challenges involved in implementing security projects and cyber risk management. From a management and oversight perspective, a CRO has to guide the board toward a target risk appetite and budget.
Impact assessment is also one of the key roles of the CRO. Preparing for the big attack that cannot be predicted from past experience is one of the continuous roles of a CRO. Even if the CRO is dealing with smaller security breaches on a reactive basis, there is a greater need to proactively mitigate the risks of large-scale cyberthreats.
There will be a constant focus on strategic risk management and on incorporating analytical insight. Rather than being principally an internal function, the CRO has an opportunity to use risk identification, risk management and, in some instances, risk transfer to inform strategic business decisions.
The CRO has a crucial role in fostering an enterprise-wide effort, involving employees, vendors and outsourcing partners, to uncover potential vulnerabilities across silos and relationships.