Enterprise Risk Management: Understanding the Role of Cyber Risk

Authors: Sasha Romanosky, Elizabeth L. Petrun Sayers
Year of publication: 2021
Subject:
Source: SSRN Electronic Journal.
ISSN: 1556-5068
Description: Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars. Consequently, cyber risk has become one of the gravest risks facing organizations and has attracted boardroom-level attention. On the other hand, companies -- and their enterprise risk functions -- already manage many kinds of difficult and growing risks, such as workforce, regulatory, and supply chain risks. Research has also shown that most firms lose less than 1% of annual revenues as a result of cyber incidents. The question, then, is how firms should appropriately address cyber risk. Is it indeed a materially different kind of risk that requires entirely new management and oversight? Or is it simply one more risk that, while new, can be seamlessly integrated into existing enterprise risk management (ERM) practices? In this qualitative research, we seek to answer two main questions. First, how do firms manage enterprise risks generally? And second, how are they integrating cyber risk into these existing processes? Our results show considerable variation in the approach and sophistication of ERM practices across firms, for example in whether the ERM function operates more like an auditing function or as a risk champion. Further, we find that despite the novelty of cyber risk, it can be -- and is being -- managed like other forms of uncertain enterprise risk. Finally, we find that cyber risk is most often seen as an operational risk (similar to workplace accidents or fraud) rather than a strategic risk, such as those emerging from technology innovation and R&D.
Database: OpenAIRE