Chapter 8. The CRMP Applied to Operational Risk and Resilience

Throughout this book, we’ve stressed the fundamental changes—social, political, economic, cultural, and of course technological—that are reshaping the enterprise risk environment. We’ve shown examples of the highly damaging, even catastrophic, impacts enterprises face when they fail to manage these emerging and accelerating risks in a formal, programmatic way. And we’ve detailed some of the many ways effective risk management, and especially cyber risk management, can help enterprises survive and thrive in this new and highly volatile environment by balancing risk against reward in ways that drive better decision making.

In this chapter, we’re going to detail the mission-critical role of a cyber risk management program (CRMP) in operational resilience, and how it coordinates with other operational risk functions to focus on broader operational resilience efforts. Cyber risk management, like every other operational risk management function, has one ultimate objective: achieving operational resilience that balances risk and reward. Cyber risks are unquestionably critical, but they’re only one aspect of the risk environment that enterprises need to consider. Senior enterprise decision makers aren’t simply thinking about malware and identity theft and data breaches. They’re asking far broader questions, which essentially come down to “How resilient are we in the face of an ever-changing risk environment?” ...
