Integrating Cybersecurity and Enterprise Risk Management (ERM)

Enterprise risk management (ERM) calls for understanding all of the negative risks (from threats) and positive risks (from opportunities) facing an enterprise, determining how best to address those risks, and ensuring the necessary actions are taken. Cybersecurity risk is only one portion of an enterprise’s risks. Other commonly identified risk types include, but are not limited to, financial, legal, legislative, operational, privacy, reputational, and strategic risks. As part of an ERM program, enterprises manage the combined set of risks holistically.

The individual organizations comprising every enterprise are experiencing an increasing frequency, creativity, and variety of cybersecurity attacks. All organizations and enterprises, regardless of size or type, should ensure that cybersecurity risk gets the appropriate attention as they carry out their ERM functions. This document offers NIST’s cybersecurity risk management expertise to help organizations improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM processes.

Many resources document ERM frameworks and processes. They generally include similar approaches: identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. The critical risk document used to track and communicate risk information for all these steps throughout the enterprise is called a risk register. For example, cybersecurity risk registers are a key aspect of managing and communicating about those particular risks. Each register is updated, evolves, and matures as other risk activities take place.

At higher levels in the enterprise structure, those cybersecurity and other risk registers ideally are aggregated, normalized, and prioritized into risk profiles. A risk profile is defined by Office of Management and Budget (OMB) Circular A-123 as “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks.”  Enterprise-level decision makers use those risk profiles to choose which enterprise risks to address and then to delegate responsibilities to appropriate risk owners.

Cybersecurity risk inputs to ERM processes should be documented and tracked in written cybersecurity risk registers. However, most enterprises do not communicate their cybersecurity risk in consistent, repeatable ways. Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are not performed with the same rigor as other types of risk within the enterprise. Improving the risk measurements and risk analysis methods used in cybersecurity risk management, along with widely adopting the use of cybersecurity risk registers, would improve the quality of the risk information communicated to ERM. In turn, this practice would promote better management of cybersecurity risk—and risks in general—at the enterprise level.