Chapter 6. Risk Escalation and Disclosure

In the preceding chapters, we’ve been laying out the foundational building blocks of a cyber risk management program (CRMP) with the capabilities needed to protect the enterprise and its stakeholders against the broad array of known and unknown risks that digitalization introduces. We established the necessity of Agile governance, with the right people making and being held accountable for risk decisions. We showed the importance of having a risk-informed system in place to ensure that appropriate, actionable risk information is delivered to the appropriate parties, including risk owners and the governance body. And we laid out the basis for risk strategy and execution: the process of making risk decisions and acting on them. Now it’s time to look at the last core component of a CRMP—risk escalation and disclosure—and the reasons it’s so critical to the program’s success.

Risk escalation and disclosure—ensuring that the right people and entities are informed of risk issues at the right time and in the right way—can help to prevent a problem from becoming a disaster, and can retain or restore the trust of the public and regulators.

The need for cyber risk escalation and disclosure is driven by the reality that changes to an enterprise’s risk environment will inevitably be rapid and unpredictable. Those changes, if not addressed formally and proactively, can cause serious, sometimes even irreparable, harm to the enterprise and its most ...
