https://www.csoonline.com/article/3311986/risk/what-is-enterprise-risk-management-how-to-put-cybersecurity-threats-into-a-business-context.html
By Maria Korolov
Contributing Writer
CSO
OCT 11, 2018
Enterprise risk management (ERM) is the process of assessing risks to
identify both threats to a company’s financial well-being and
opportunities in the market. The goal of an ERM program is to understand
an organization's tolerance for risk, categorize it, and quantify it.
When companies look at enterprise risk, the traditional approach is to
look at financial risks, regulatory risks and operational risks. What
happens if the exchange rate drops and the interest rate rises, if new
drugs don't get FDA approval, or if your main warehouse burns down?
To quantify a risk, you take the potential impact of an event and
multiply it by the probability of that event happening. For low-impact
events, even a high probability of occurrence won't change the company's
total risk exposure by much, while for high-impact events, even a low
probability of occurrence is potentially devastating.
Risks posed by the cybersecurity threat landscape are increasingly part of
the ERM equation, and that poses a challenge for CISOs and other senior
security professionals. Quantifying the business impact of a cybersecurity
event is a very difficult, if not impossible, task, and quantifying the
likelihood of such an event is even harder.
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_