An IT Risk Director at a major American logistics organisation had a personal objective, set by the business, to deliver an integrated Enterprise Risk Management (ERM) framework with a focus on cyber security.
They wanted to move at speed to build a robust ERM framework that would support the business units in achieving their objectives. It needed to be integrated with the organisation's overall view of its risk profile, risk appetite and business impact.
How? Cyber = Opportunity
The aim was to demystify technical 'IT speak' so that the business units could understand the risks and their business impact, allowing a positive, risk-aware culture to be developed and promoted. This was achieved by facilitating proactive discussions between IT colleagues and the Business Units through a learning programme, ensuring that good Governance, Risk and Control was understood on both sides.
This was done by creating a consistent Security ERM framework: a Plan-Do-Check-Act cycle based on international standards, which developed a coherent, business-wide risk assessment programme to identify, analyse, evaluate and treat risks, so that they are understood and minimised before a breach occurs rather than after.
We also ensured that clear policies, processes and systems were in place to demonstrate compliance and to protect critical assets, both physical and non-physical.
The result was a usable, integrated Risk & Resilience management framework, capable of providing a single platform that incorporates the key requirements of the relevant international standards.
It is an effective enterprise Risk & Resilience Management framework and process into which cyber risks are integrated alongside other enterprise risks. The framework and tools developed for this project can be reused for other enterprise risk domains such as Health and Safety, Quality, Environment and Business Continuity, and can be extended to all risks once proven successful.
The framework provides a platform on which to define the organisation's appetite for cyber risk and to communicate it to all functions, so that risk mitigation enables growth and the exploitation of market opportunities rather than blocking them. This includes:
Understanding how many critical business processes and services are outsourced, so that risks across the extended enterprise and supply chain are understood and owned.
Improving the layers of security controls protecting critical assets.
Knowing how to use social media to understand what employees, customers and the public are saying, and having a strategy ready for a social media crisis.
Building greater collective awareness, through targeted internal communication campaigns, of whether the organisation is being attacked.
Testing newly developed incident response plans through tabletops and live exercises to ensure employees actually know what to do.
Ensuring clear responsibilities are defined throughout our management system so that clear factual information can be presented to the board to enable decisions.
Working with insurers to articulate and transfer security risks where appropriate.