Aligning cybersecurity management with enterprise risk management in the financial industry

Abstract

Recent years have opened debates amongst academics, practitioners and regulators on how the financial industry’s risk resiliency depends on its ability to handle risk holistically. The financial industry is found to be motivated not only by protection purposes or assurance but also by its interest in gaining more return on investment, compliance and effectiveness. It is noticeable that in recent years there has been considerable interest in organisational risk resiliency, but there are still unanswered questions as to why organisations are unsuccessful in applying effective security practice at all levels. Having a robust mechanism to deal with a variety of risks efficiently and in alignment with the organisational strategy has always been something that organisations struggle to accomplish. Changes in internal and external pressures have required organisations to turn their attention from silo operational and managerial risk controls to strategic approaches that can ensure the optimal achievement of the organisation’s mission, strategy and objectives. This research was intended to investigate possible approaches for enabling a more enhanced strategic approach to respond to the extended exposure to all types of risks: to move towards an approach that combines enterprise-wide risk governance with anticipation (proactive response). On the basis that the two types of organisational risk functions cannot be addressed in isolation, this research explored whether the realignment of risk control and risk oversight of the Cybersecurity Management (CsM) and Enterprise Risk Management (ERM) support the establishment of enterprise-wide risk governance. This research responds to the need for harmonised risk handling, reporting, analysis, mitigation and resiliency across an entire organisation. Alignment, in the form of interconnectivity and partnership, can place an entire organisation in a more enhanced state of security through a unified perspective of control, accountability and decision-making. While debates in this subject area have been centred on separate disciplines of ERM, this research posits that CsM and alignment together can further sustain an organisational risk strategy, as together they execute all capabilities in an integrative manner rather than using siloed controls. The nature of this research is mainly qualitative, as it seeks to explore and interpret the qualitative aspects of the problem. The research was undertaken by considering secondary (literature review, systematic literature evaluation) and primary qualitative data (semi-structured interviews). Weighing up the evidence, it was found that an enterprise-wide alignment of CsM with ERM can enhance risk reporting, analysis, mitigation and resiliency. However, incorporating both strategies in a unique mechanism appears to be an infrequent approach in the industry. To facilitate a more enhanced strategic approach, this research has examined the effectiveness and sustainability of an integrated CsM-ERM Strategic Alignment Framework to support financial organisations in managing their exposure to risks in a strategic manner that employs all efforts towards a single end: to protect and to sustain comprehensive capabilities for the achievement of organisational goals.