LogicGate CEO Matt Kunkel shares thoughts on what businesses and risk management professionals can expect in the GRC space in the near future, including how risk prioritization and quantification may define GRC in the years to come.
2020 brought massive business disruptions, economic challenges and increasing consumer privacy and data legislation unlike anything we’ve seen before. And while governance, risk and compliance policies were previously a back-office function, stuck in spreadsheets and rarely revisited, the unprecedented hurdles we experienced this year have made many organizations reconsider their focus, or lack thereof, on GRC and cyber risk.
“Risk” is considered a four-letter word within the walls of many enterprise organizations. It’s a scary thing to be avoided, a cost to be reduced, an asset to be protected. That all changes in 2021. Forced into the light by the pandemic, GRC practices will become catalysts for top-line revenue creation. Risk leaders will have quicker clarity. More efficient controls and audit processes will help them land new business and make decisions more closely tied to revenue than ever before.
In order for this to be a reality, risk professionals must learn to speak in terms that the board will understand: dollars and cents. To achieve a reality in which ROI conversations become about revenue generation instead of risk reduction, risk leaders must focus on the prioritization and quantification of risk. This reality ultimately allows for the mitigation of key risks so that businesses can take on more strategic risk to drive growth and top-line outcomes.
Cyber Risk on the Rise
When we think about the risks an organization faces each day, information and cybersecurity risks are a top concern. In fact, cyber risk was ranked as a top-five priority by 79 percent of global organizations in the 2019 Global Risk Perception Survey. And, while cyber risk may have started out as a technology issue, it is now an organization-wide problem.
Organizations face both internal and external cyber risks from either malicious or unintentional attacks. The recent increase in cyber risk is tied to an ever-growing reliance on third-party vendors and lightning-fast digital transformation timelines resulting from a forced remote-work atmosphere thanks to the COVID-19 pandemic. Mitigating cyber risk calls for an integrated approach and cross-divisional collaboration.
Mitigating Cyber Risk
Many of the procedures we rely on to drive growth and improve efficiency — outsourcing, reliance on vendors, cloud storage and remote access, to name a few — also increase our cyber risk exposure. So, how do we mitigate it?
- Complete a threat assessment. Identify the applications and databases subject to risk, understand the impact of a risk incident on the organization and quantify the financial, operational and reputational impact of the risk.
- Build a framework for rating risks. Agree as an organization on what your risk appetite is. Consult reliable risk standards and communicate to the entire organization how you plan to prioritize risks.
- Invest in tech. Make risk reporting, compliance and transparency simple by working with a GRC technology vendor to gain a single, company-wide view of risk.
- Never stop learning. Technology evolves quickly. Regulations, requirements and legislation change daily, particularly if you enter highly regulated industries. Bad actors become smarter and more tech-enabled every single day. Invest in ongoing training for the front lines of your org — not just the GRC team.
Quantifying and prioritizing these types of risks allows an organization to identify the risks that are mission critical — like overextended access to employees or customer data — and then resolve them. This will minimize an organization’s risk for a data breach and allow the company to take on additional, strategic risk, like opening a new branch or acquiring competitors in the space. In 2021, cyber risk will have a seat at the boardroom table with a significant focus on quantification, prioritization and, ultimately, mitigation.