What is enterprise risk management? How to put cybersecurity threats into a business context


Enterprise risk management (ERM) is the process of assessing risk to identify both threats to a company’s financial well-being and opportunities in the market. The goal of an ERM program is to understand an organization’s tolerance for risk and to categorize and quantify the risks it faces.

When companies look at enterprise risk, the traditional approach is to look at financial risks, regulatory risks and operational risks. What happens if the exchange rate drops and the interest rate rises, if new drugs don’t get FDA approval, or if your main warehouse burns down?

To quantify a risk, take the potential impact of an event and multiply it by the probability of that event happening. For low-impact events, even a high probability of occurrence won’t change the company’s total risk exposure by much, while for high-impact events, even a low probability of occurrence is potentially devastating.

Risks posed by the cybersecurity threat landscape are increasingly part of the ERM equation, and that poses a challenge for CISOs and other senior security professionals. Quantifying the business impact of a cybersecurity event is a very difficult, if not impossible, task, and quantifying the…
