VIEW: Principles of resilience in a digital world
Written by Julia Graham, technical director and deputy chief executive, Airmic
As reported by CIR, Airmic recently published the main findings of an in-depth report by Cass Business School into the implications of the fourth industrial revolution for business models and risk management. ‘Roads to Revolution’ found that existing principles of resilience need to be extended for opportunities to be realised and resulting risks managed. One important aspect is that of governance. In most large organisations, cyber governance has failed to reflect technology-driven changes in the way that companies are run.
Airmic recently hosted a discussion on the topic, bringing together some 20 experts from the worlds of risk management, digital risk, information security, governance, business, insurance, law and HR. All agreed that the consequences for boards of the pace of change in the networked world on which business models are now based means we must continuously revisit our cyber risk governance procedures, especially in the face of increasing regulatory and shareholder focus.
The lack of a common language was considered the main barrier to good cyber risk governance. It holds the board back in building knowledge and oversight of the risks and opportunities and in sharing its vision and risk appetite.
Cyber risk is an enterprise-wide, business-driven subject. It belongs within an ERM framework, with a line of communication to the board – probably through a risk committee or audit committee. Although information technology and security expertise are an essential part of the mix, cyber governance goes well beyond the IT department.
Before we can develop robust cyber governance, we also need to address a lack of education about the risks and opportunities of the digital world. We have to become digitally fit and comfortable with the subject. Just as people need financial literacy, the new literacy for the future is digital. There is a critical role for the risk manager here in developing a common language for cyber risks and insurance, facilitating communication and increasing awareness – maximising the chances of conveying their message by placing the discussion in a business model and value-creation context.