3

The Role of the CRO in Cyber Resilience

The Chief Risk Officer (CRO) is a senior executive responsible for the identification and assessment of business risks that may adversely impact your organization’s profitability and productivity. They champion Enterprise Risk Management (ERM) efforts by leading risk management strategies and are responsible for the risk identification and mitigation procedures. In some organizations, the CRO heads a risk committee consisting of executives from different departments, such as finance, operations, IT, sales, and HR.

The CRO’s approach to risk management has evolved with how we do business in the age of cyber threats. Risk management techniques in business have had to adapt to the fact that most companies are now technology-dependent or rely on Information Technology (IT) to run their business operations. The risk management role evolves as a business’s scope, size, and value shifts, and each category of risk (operational, cyber, and financial, among others) necessitates its own risk frameworks and applicability.

This has resulted in a significant transformation in the understanding of the risk management process by various stakeholders, especially for cyber risk where many risk professionals appear to have a particular knowledge gap. This is illustrated by how most risk professionals still refer to the ISO 31000 standard when discussing cyber risks, despite the fact that ISO 27005 is more focused on cyber risk.

  • ISO 31000 is the international standard for risk management. It provides a framework and guidance for managing risk throughout an organization. ISO 31000 is designed to help organizations identify and manage risk in a more systematic and proactive way. The standard can be used by any organization, regardless of size or sector.
  • ISO 27005 is the international standard for information security management. It provides a framework and guidance for managing information security throughout an organization. It complements ISO 27001 and ISO 27002 by providing the best practices for managing the risks related to information security.

With widespread digital transformation and technology adoption accelerated by the COVID-19 pandemic, today’s CROs need to ensure digital risks are included in their organization’s risk registers, and update risk matrices to better reflect risk events specific to technology impacts.

In this chapter, we will look into the world of the CRO, bearing in mind that cyber risk is a new focus for many of them. The sections covered in this chapter explore the key areas CROs need to focus on, their main challenges, and ways to connect the dots and stay ahead in the management of cyber risk. CISOs will also find this chapter helpful in understanding what CROs require and expect of CISOs. The end of the chapter provides practical takeaways and questions C-level executives can discuss with their CROs, serving as a checklist for CROs to weigh their priorities and understand their position in addressing cyber risks.

This chapter covers the following key topics:

  • Understanding the role of the CRO and its key focus areas
  • Analyzing the CRO’s key priorities
  • Identifying the CRO’s challenges
  • Developing the right mindset as a CRO
  • Understanding the collaboration potential between the CRO and CISO
  • Questions to ask your CRO

Understanding the role of the CRO and its key focus areas

Risk management has grown in importance in an increasingly complicated, dynamic, and interconnected business world. Technological improvements have transformed corporate operations, but they have also created new risk management and mitigation challenges. More businesses are realizing the value and need to have a comprehensive risk management framework that enables them to better predict and identify risks, so that they can be turned into sustainable competitive advantages.

As a CEO, it is important to understand and value risk management within your organization. ERM is a plan-based business strategy that aims to identify, assess, and prepare the organization for any hazards and potential disasters that could interfere with its operations and objectives.

In many organizations, risk management is still at a crossroads. The best risk managers are those who look for opportunities to broaden their knowledge base, refine their skill sets, and get access to best practices, tools, and technologies, even while a culture of risk aversion or evasion still pervades large parts of their organizations. It is essential that the core leadership team fully understands the importance of risk management and develops decision-making capabilities that factor in risk.

With increasing levels of senior management buy-in, the risk function can move closer to the boardroom. Risk management teams must aim to play a more prominent role in risk governance and compliance. They should influence strategic growth choices actively by identifying and mitigating new and emerging risks.

The key to a successful risk management strategy is to foster a risk-taking culture rather than one that is risk averse. Decision makers must be empowered to focus on objectives that support this. After all, there are always risks in business, as in life.

The CRO is the business risk custodian across an ever-increasing array of risks, a reflection of the increasingly connected and complex world we live in. These risks include but are not limited to:

  • Financial risks (including market, interest, and credit risks).
  • Operational and technological risks (including cyber risks).
  • Supply chain, third-party, and vendor risks.
  • Compliance, conduct, people, and cultural risks.
  • More recently, risks relating to environmental, social, and corporate governance (ESG).

An effective CRO should work with the board of directors to set an organization’s risk appetite and tolerance while achieving business strategy and goals. It would be a catastrophic error for a CRO to assess risk out of context and without a clear understanding of commercial and business objectives.

Analyzing the CRO’s key priorities

In 2022, the CRO’s priorities are moving toward innovative technologies that have seen significant shifts and changes. It is, therefore, essential to ensure that all your executives understand the business strategy and vision set by the CEO, toward which the board guides the company.

A key priority for the CRO is the need to recognize the importance of people in shaping a robust risk culture to complement all necessary mitigation activities, in alignment with an organization’s risk appetite. An organization’s risk culture drives and motivates the right behavioral outcomes from critical stakeholders. The right risk culture will also influence the right behaviors during decision-making and the ability to design and deploy effective controls. However, the aftermath of COVID-19 has also surfaced talent-related risks; large numbers of workers are choosing to leave their positions or take a step back from being “always on,” and replacing employees with the knowledge set has been a challenge. This directly impacts an organization’s ability to maintain a healthy risk culture. CROs consistently rank talent-related risks as their most critical challenge for 2022—and the one in which they have the least confidence in their current HR strategy.

Another key priority of a CRO is in ensuring that risk-informed decisions remain a foundational cornerstone for their organization. Incorporating risk appetite into decision-making and analyzing difficult-to-quantify risks has always been a challenge, especially if not supported by the CEO and others on the leadership team. This is just as true and relevant when discussing cyber risk. While other concerns may be more pressing, CROs often lack the necessary confidence needed to speed up risk management and governance, risk, and compliance (GRC) technology adoption within the organization.

Lastly, despite significant interest in defining ERM’s position within ESG, many CROs, unfortunately, do not regard strengthening their ESG governance/reporting as a major priority for 2022.

In a podcast hosted by Shamane (co-author of this book), Joanna Knox, the CRO of telecoms giant Telstra, walked through four key categories they focus on in their risk organization framework:

  • Safety risk for employees and members of the public is a priority: Joanna prefers to focus on things more likely to have bad outcomes for their customers or communities. The team primarily organizes this around risks to safety, including security for their employees and the safety of members of the public who interact with the company’s infrastructure.
  • Resilience risk for their customers: This includes any way in which a disruption of one of Telstra’s services (such as networking services) would impact their customers. This is another area where cyber is a primary concern.
  • Meeting customer commitments: For instance, Telstra needs to ensure they sell products and serve customers in a way that meets their expectations.
  • Anything to do with regulatory compliance: Telstra manages this risk by doing the right thing for customers, particularly with high-risk obligations, such as privacy and emergency calls.

Every C-level executive has different responsibilities, motivations, and priorities. Understanding the priorities relevant to the CRO’s responsibilities and objectives helps you (whether you’re a CEO or a CISO) develop more effective practices for working with your CROs. While many CROs adapt to new norms and business changes, there are always challenges with emerging risks, whether foreseen or that emerge unexpectedly.

It is for those reasons it is important to explore the challenges faced by CROs.

Identifying the CRO’s challenges

History remains the ultimate teacher; among its lessons is showing that patterns form and repeat themselves. In studying the global economy over time, a significant financial crisis seems to occur roughly every seven years (the 7-year itch). By this measure, we could infer that, pre-COVID, we were overdue to experience a catastrophic event, given that the last one, the Global Financial Crisis (GFC), began in mid-2007 and lasted through early 2009.

Nonetheless, risks on the horizon are complex and unpredictable to anticipate, and they often have massive negative consequences for companies.

Jeff McArthur, CRO at Greater Bank, shared the following on a Mega C-Suite Stories recording with Shamane: “From now on, the CRO needs to have the capability to take historical, backward-looking insight, and apply intelligence to predict what the future might look like. The next CRO challenge is identifying if the organization is equipped with the ability to respond to an event, regardless of its nature, appropriately within a constantly changing risk profile. This has been one of the most significant challenges, stretching the CRO’s capabilities.”

That’s quite the challenge for a CRO! Challenges constantly evolve within a fast-moving and changing environment. No matter how much CROs focus on their priorities, they will inevitably face roadblocks and challenges.

Unfortunately, risk appetite is not embedded continuously in the decision-making process, and this is especially true when the CRO does not have cybersecurity knowledge or does not work in collaboration with other security stakeholders. Risk is a notion that is intangible, especially when concerning technology. The difficulty in assessing and quantifying the impact of a given risk limits CROs in their ERM strategies, as well as limiting support from the board to identify and address risk appetite and risk tolerance. This is reflected in the pervasive “It can’t happen to us” attitude.

We see this challenge particularly among business managers, CROs, and information technology security/risk analysts or CISOs. For instance, when company management discusses the effect of a loss, they are not referring to the number of servers or IT operating systems that would cease to provide basic services if a cyber event were to occur. Yet such a description is how many of the stakeholders would quantify such losses. Instead, it must be communicated effectively to these stakeholders that the effects of a loss almost always refer to the loss of business activities that impair the company’s capacity to continue operating. Loss of servers or operating systems is a headache, but they can be replaced. No longer being able to conduct business would be catastrophic.

Business management stakeholders are concerned with providing regular transactions and adhering to relevant regulatory standards, which may cause the firm to limit or even cease trading in the face of harsh regulatory and legal penalties if a risk materializes. Similarly, corporate managers often regard losses as threats that may cause the firm to suffer but—more importantly in their eyes—won’t jeopardize their own business positions significantly.

This leads to major challenges with reporting. Risk reporting remains woefully lackluster and most risk reporting rarely conveys the accurate and necessary information to the main stakeholders and the board. Magda (co-author of this book) notes that various risk registers handled by CROs in Asia do not include cyber risk yet but do consider technology risks, which are different. Because most CROs have limited cyber risk knowledge, they can only plan out limited scenarios based on limited expertise and knowledge. They often use a plan template or preprepared plan that is general and not necessarily specific to their company. These plans are theoretical, and in the event of an actual threat, they cannot be executed effectively. Thus, finding the right resources and capabilities to deploy risk plans as quickly as possible is a significant challenge CROs will face.

We have progressed beyond the new technologies of e-channels and e-commerce. With continued digital transformation, another key challenge for Jeff McArthur is, “How do we deal with the risk nodes and, more importantly, how do we use some of the emergent technologies to manage risks?”

CROs must be open to the idea of risks originating from nontraditional sources. By leveraging emerging risks and incorporating them into an organization’s risk profile, CROs can more creatively and effectively identify their lead and lag risk indicators, formulate their risks, and report them.

A good CRO needs to look at the different risk classes on the table and consider the associated impacts of various events. The CRO needs to have the mindset that something will happen, even if they do not know what it might be.

Their thought process is constantly asking the what-ifs, including the following:

  • What could go wrong if …?
  • What is the road to success if …?
  • What assumptions have we made in our scenarios if …?
  • What scenarios have we considered, and which ones have we omitted, if …?
  • What should we do to improve our forecasts if …?
  • Does the board know the organization’s risk tolerance if …? (Most honest boards will admit that they do not know how to define risk tolerance.)

Perhaps some of these questions strike a chord with you, and you wonder how other CROs address them. So, let’s talk about the different strategies, systems, and frameworks that have aided CROs in managing their cyber risks.

Strategies, systems, and frameworks to manage cyber risk

One of the value-adds of a risk function is a system in which the business makes risk-informed decisions. Defining risk tolerance requires a structured approach, highlighting the risk and return scenarios that reflect and support strategic objectives and then soliciting a risk/return trade-off that the board of directors agrees on. Often, boards make choices that contradict a stated strategy, demonstrating the lack of a shared understanding of the strategy, or perhaps different motivations.

The strategy informs the risk tolerance and vice versa, so the risk tolerance must be revised to align with the strategy.

Your CRO should develop and maintain a governance framework that aligns cybersecurity risk management with your business operations. This governance framework will enable your organization to consider relevant cybersecurity risks, estimate their severity, and determine their impacts and mitigations.

Where ERM traditionally has been a function of compliance, and cybersecurity an IT problem, cybersecurity now needs to be considered a business risk. This business risk affects the whole organization and spans people, processes, and technology.

There is a school of thought that, in the overall risk taxonomy, cyber risks stand as an independent risk category. However, as cyber risk is very diverse and pervasive within an organization, elements of it often show up in all the other risk categories, creating yet another challenge for CROs today.

The CRO must have a perspective on how effectively they’re managing risk. Cyber can be a challenging domain for CROs to master to get a good perspective and, as such, might create an obstacle or even a critical gap in the process of ERM. Those obstacles and gaps must be overcome and cyber risk needs to be defined and included in your CRO’s strategy, with mitigation strategies put in place. One such mitigation strategy is to link the CRO’s strategy with the CISO’s cybersecurity strategy.

Joanna Knox also shared details of the risk effectiveness dashboard they have developed at Telstra, which assesses the effectiveness of the company’s risk management activities. They have gone beyond just looking at risk ratings, residual risk, and control effectiveness and now consider Telstra’s organizational risks more holistically.

When they step back and look at their risks, they ask themselves whether they are managing them effectively. Consider the following key questions they are always asking themselves:

  • Is accountability clear?
  • Do we have our risk appetite defined and agreed upon?
  • Do we have our action plans to manage the risk in place? Are they adequate and on track?
  • Have we got the right kind of assurance in place that our risk management actions are effective?

Joanna’s strategy is to have an effective team managing all of Telstra’s top enterprise-level risks, including cyber risks.

Cyber is no exception to how Joanna manages her other risk management activities, even if it is highly specialized and sometimes remains technical. She created a dedicated role within the team whose entire purpose is to understand how effectively the team can manage its cyber risk. Although the specialist is not a cyber expert compared to the CISO’s team, their risk expertise is incredibly useful in assessing how everyone manages cyber risk. They then use that focus to challenge the cyber team, which in turn strengthens their strategies.

Lastly, even within the cybersecurity group itself, there’s a recognition that diversity of thought and expertise is essential in building a robust security capability. It is necessary to critically and constructively challenge how things are done, given the constantly evolving nature of cyber threats.

Thus, Telstra’s cyber team employs a number of staff with diverse backgrounds in nontechnical fields, including journalism, linguistics, education, and even UX and graphic design.

Connecting the dots

In the current environment of intensified cyber risk, the job of the CRO and the central risk team is to connect the dots across all the teams and work together effectively.

The CRO should partner with the CISO and their cyber team to successfully categorize, identify, and quantify cyber risks. The cyber team also should work closely with their physical security teams, health and safety, data governance, and other responsible business teams. Collaboration is key in creating effective risk plans.

The specialist risk teams, together with the cyber specialist risk team, collaborate to ensure the efficiency of risk management across an organization. The CRO then works closely with the CISO on their frameworks, operating models, reporting, and incident management.

Together, they find opportunities to improve their work by considering other parts of the business, such as supply chain risk, physical security, privacy, and other sizable areas with shared governance.

The CISO then owns the mitigation controls and compliance for the digital/cyber risks and ensures alignment between the residual risk and your organization’s risk tolerance.

The CRO, with the support of the CISO, enables discussions on cyber risk management. Such discussions should be given adequate time on a board meeting agenda.

Now that we have demonstrated the different ways the puzzle pieces of team collaboration can fit together, the next section covers the mindset that is vitally important for CROs and other C-level executives to have when managing cyber risk.

Developing the right mindset as a CRO

In risk workshops, the CRO’s focus should not be on why a new project cannot be done or why the company cannot roll something out. Instead of “No, this is not possible,” the CRO’s mindset should be “Yes, let’s try to find options that can help achieve the goal.” There should be a greater focus on defining the value proposition of a new project with the CEO, instead of focusing just on the risk management processes.

In building your risk management capability, always start with the objective. This crucial leadership principle requires proper training. When your executives are well informed of your corporate goals, combined with a structured way of considering risks, they are empowered to make informed decisions.

The CRO’s job is not to help everyone avoid every potential risk threat. Their job is to build a structured approach into the decision-making process that complements the business goals. The next step is to improve the likelihood of achieving those goals, and the success of the new venture.

Besides its own business, it is even more critical for a telecommunications company to build resilience for its customers. Joanna Knox shared her team’s journey over the years, building different resilience frameworks, from network and IT resilience to cyber resilience, supplier resilience, and business continuity management.

In the last two to three years, they’ve integrated all of these resilience frameworks into one overarching framework, covering all the different areas where resilience is vulnerable, either for their customers or their internal processes. Cyber is one of the key domains in this resilience framework.

CROs are also in charge of crisis management. The most important way to prepare for that is to do thorough post-incident reviews and run crisis management team (CMT) scenarios with a cyber element. Joanna shared how some of their cyber-specific scenarios involve their big enterprise customers, where they run the attack scenarios together.

They also build other scenarios that include cyber elements because cyber incidents often do not occur in isolation. These exercises are conducted with both the risk and cyber teams. They put the cyber operations through their paces to practice their response. One of the key roles of the CRO is to ensure that interactions with the board, the leadership team, and the rest of the company are smooth.

The purpose of such exercises is to help the organization be better at managing its risks if and when attacks do occur. It also demonstrates why a strong, trusting relationship between the CRO and CISO is crucial and results in better outcomes.

Understanding the collaboration potential between the CRO and CISO

Shamane shares her observation of the conversations she had with various CROs about their interactions with the board: “They do not want us to be afraid of being contentious. In fact, they welcome an alternative view!” Part of this alternative view is to pivot your message from one of fear of threats to one the CRO can use to better inform their risk management framework/analysis/taxonomy.

CROs have observed that CISOs can use threatening language to scare the board of directors into a decision. However, from a behavioral and psychological perspective, fear only drives irrational decisions that do not pan out well in the long term.

One such CISO reported during a management meeting that cybercrime would be the third-largest industry in the world within a few years. The CISO did not support these claims with facts nor provide an analysis of the consequences. It’s then unsurprising that the CRO, and even the wider management, were left feeling dubious about the context.

Too often, CROs work in silos, addressing cyber risk based on historical claims rather than collaborating with CISOs. Compounding this challenging situation, CISOs do not usually address digital risks quantitatively, instead using a qualitative framework. This makes the risk approach unclear and insufficient to align with an enterprise risk management strategy. Without a quantitative framework that identifies the potential financial losses that may be incurred following a cyber event, you, as the CEO, your board, and your CRO cannot get into alignment, provide adequate security considerations, and identify possible investment or budget allocations for cybersecurity. This is a major challenge for your CISO, which will be further addressed in Chapter 5, Working with Your CISO.

CROs might, therefore, turn to claims-based evaluations for growing risk issues such as cyberattacks and data breaches. This has its limits, however, particularly in the Asia-Pacific region, due to inadequate actuarial data and a lack of data accuracy.

Cyber risk is a relatively new challenge compared to more established hazards such as floods or earthquakes. There may be minimal or no accessible historical data on cyber risk. Yet, by using a structured scenario approach, organizations may effectively estimate cyber risk. This requires a collaboration between the CRO and the CISO. Working together, they can identify cyber risks and quantify them. The CRO needs the help of the CISO to understand the potential cyberattacks and their consequences on the business. The CISO needs the CRO to identify the business priorities and goals.

The board and executives also need to recognize that some risk scenarios may not manifest themselves for a year or two, or perhaps ever. Simultaneously, the CRO needs to educate the board on emerging risks by:

  • Estimating the frequency of cyber-risk events
  • Considering vectors of attack
  • Supplementing the analysis with relevant data
  • Considering historical cyber incidents provided by the CISO
  • Applying their expert opinion

Together, the CRO and CISO can build structured scenarios to quantify the severity of cyber events based on loss types and loss drivers. They can then provide real added-value reporting to the board and CEO and an adequate view of cyber risks.

For CEOs, when you talk to your CROs, take the conversation beyond risk management, and start talking about effective decision-making that you and other executives can buy into. Consider the full risk management process, including insurance or risk transfer. In the case of cyber risk transfer, it can be difficult for risk managers to fully identify the effects of cyberattacks on the organization and understand the requirements for good coverage. We cover cyber insurance in further detail in Chapter 6, The Role of the CHRO in Reducing Cyber Risk.

Collaboration between a CRO and CISO is crucial for effective and successful risk management plans and building cyber resilience. But it doesn’t end there. There are core questions the C-suite can ask their CROs to guide them through their journey of managing cyber risk. This also serves as an internal checklist for CROs to develop their perspectives and communicate them effectively.

Questions to ask your CRO

The risk landscape is rapidly changing. Geopolitics, technical advancements, global economic integration, and climate change are all interrelated, which means the manifestation of one risk is more likely to trigger others.

Thus, firms that create a multidimensional strategy to detect and manage complex hazards often achieve success in their risk management goals. The following list provides some questions you can ask your CRO to ensure they are prepared to support cyber risk management:

  • Who’s at the top of your calling list? Are you in open communication with the CISO and their cyber team?
  • How are you educating yourself about cyber and ensuring you are a powerful advocate in your organization and the community?
  • As the CRO, can you agree that the current risk appetite is adequate for the organization?
  • How do you rank cyber risk compared to other risks?
  • How are we ensuring cyber risk is integrated into our ERM strategy?
  • What are the right risk metrics to help the business accurately understand our cyber risk profile? Are the metrics more focused on incidents and attacks, or more on external/internal controls and ensuring risk management actions are in place?
  • How is your cyber risk tolerance aligned to or compared to other risks?
  • How are you keeping your finger on the pulse of staff security awareness and the cyber risk culture in your organization? How are you working with your communications team and/or HR in reporting the right things to keep everyone on their toes?
  • In the last three years, has your attention, time, and focus on cyber increased? If so, how much more do you think it will grow over the next three years?

These questions are meant to widen the boundaries of how we think about our cyber risks, challenges, and cyber culture, and explore how we can align more closely with different stakeholders in our perspective on and tolerance of cyber risks.

Summary

As organizations strive to manage cyber risk at the front line of an ever-changing environment, the CRO’s role is instrumental. We unpacked the different layers of the CRO’s responsibilities and motivations in this chapter. We also looked at the experiences of CRO experts and extracted approaches that aspiring CROs can tap into.

Whether you’re a new CRO or another C-level executive, this chapter helps you understand the CRO’s approach to designing a technological strategy, system, or framework and grasp the required language to communicate it effectively. The development of this framework is best done in collaboration with the CISO to achieve meaningful business outcomes.

Next, we will address the priorities of another C-level executive and their role in building a cyber-resilient business. The following chapter shows you how your CIO can be your cyber enabler.
