If oversight of cyber risk were trivial, it would no longer be an issue. It remains one because cyber risk is a business concern, and making sound business decisions is itself nontrivial.

In September 2017, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand and prioritize the risks their organizations face and measure how these risks impact business performance.

Inside the COSO ERM Framework

According to the framework’s FAQ, “Enterprise risk management is no longer focused principally on preventing the erosion of value and minimizing risk to an acceptable level. Rather, it is viewed as integral to strategy setting and the identification of opportunities to create and maintain value.”

The COSO ERM framework is a high-level tool to help board directors and top leadership ensure that:

  • Risks are considered and reviewed at the very top levels of the organization.

  • Risk management is part of the fabric of the organization and done as part of business as usual.

  • Risks are not viewed only as negative risks to be avoided, but also as potential positive risks worth taking, given their value and alignment with business objectives.

  • Risks are connected to decisions regarding strategy as well as the impact on performance.

The strong link between risks, strategy and performance is one of the key defining features of the 2017 update to the COSO ERM framework. The FAQ cited the emergence of new and significantly more complex risks, along with the rise of risk reporting and oversight requirements, as key reasons for the update. Key stakeholders' expectations of greater transparency are also putting pressure on top leadership to deliver expected value, even in the face of more volatile markets, supply chain disruptions and rapid technological change.

Put succinctly, according to the FAQ, the updated framework “provides greater insight into strategy and the role of enterprise risk management in the setting and execution of strategy,” and the achievement of performance goals.

The Importance of Enterprise Risk Management

As Harvard Business Review put it, “We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.” The article outlined the myriad biases that humans harbor when making decisions: anchoring bias, confirmation bias, commitment escalation bias, groupthink and normalization of deviance.

The 2017 COSO ERM framework builds on the solid foundation of the previous document, which was released in 2004, and better integrates the relationship between risks, strategy and performance. Each element influences the other two, and trying to manage each separately is like trying to pick up a bar of soap with wet hands: Every time you think you have a handle on it, it slips away from you.

On a more serious note, the COSO ERM also underscores the relationship between risk and value. It elevates the discussion of strategy and risk, looking at the possibility that strategy and business objectives are not in strong alignment with the organizational mission, vision and values. It allows for deep insight into the implications of the various strategies that management is contemplating and the risks that stem from executing a chosen strategy.

The COSO ERM update was designed to help organizations deal with risks that have grown in volatility and complexity while the organizations themselves face increased regulatory pressure. The framework is designed to be usable by entities of all sizes, regardless of their industry or geographic location. As the COSO executive summary pointed out, adoption of the framework allows the board and management to gain “a better understanding of how the explicit consideration of risk may impact the choice of strategy.”

The Nuts and Bolts of the Framework

The COSO ERM framework consists of 20 principles that are grouped to support one of five components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting.

The components and their underlying principles form a simple but effective lens with which the board and top leadership can evaluate their ability to clearly link strategy, performance and risks. As an added benefit of clear vision and strong engagement, organizations are also likely to improve their resilience capabilities and their ability to see issues and take the best course of action to navigate around them — or perhaps through them.

A Road Map to Improve Cyber Risk Management

According to the framework’s executive summary, “Enterprise risk management allows organizations to anticipate the risks that would affect performance and enable them to put in place the actions needed to minimize disruption and maximize opportunity.”

By strongly linking strategy, performance and risk management, the COSO ERM framework provides a road map for board directors and top leadership to improve their engagement in ensuring that the business delivers ongoing value in the face of new and rapidly evolving risks. The document is written for business leaders, not cybersecurity experts, but the word “risk” can be replaced with “cyber risk” throughout and the text still makes perfect sense to both business leaders and chief information security officers (CISOs).

A quick glance at the 20 principles confirms the strong relevance of the COSO ERM in improving management and oversight of cybersecurity risks, including desired culture, finding and retaining talent, defining risk appetite, identifying and evaluating risks, determining risk mitigation options, and reporting on risk, culture and performance. The framework specifically calls out the need to ensure that the board has the appropriate expertise or access to outside expertise to provide effective oversight of cyber risks. One additional principle that stands out is a focus on continuous improvement as applied to the ERM process itself.

As the COSO Executive Summary warned, “Every choice we make in the pursuit of objectives has its risks.” If you choose to ignore the 2017 COSO ERM framework, you do so at your own peril.
