
A New Litmus Test for Board Directorships


by Michael O’Halleran, Experienced Public Company Director

February 21, 2019

Over the course of my career I’ve had the privilege to serve on numerous Boards of Directors of both public and private organizations. It’s a great honor to have the shareholders and stakeholders of an organization put trust in you, and fellow board members, to watch out for their interests as the highest stewards of that organization. It’s also an honor that comes with great responsibility because if the Board fails, individual board members can be held personally liable.

That’s why deciding to accept a directorship requires meaningful thought.  There’s no failsafe playbook for this decisioning process but elements certainly need to include an evaluation of what the business does and what markets it operates in, whether the management team has shown itself to be competent and trustworthy, and at a practical level, if the company maintains the right type of D&O insurance.  Some of these elements might be personal in nature such as whether you support the nature of the business itself, and some are very practical like confidence in management.

I’ve used my own decisioning framework consistently for many years until very recently when it became necessary to add a new and very practical element: the need to understand how the organization understands and manages its cyber risk.  It’s an issue that has become too important, and too relevant to the Board, to simply trust as a byproduct of trusting management and believing that the organization probably spends a lot of money and has smart cybersecurity folks.

That’s because events of the last few years have shown that spending a lot of money and having smart cybersecurity folks does not solve the problem.  Companies like Maersk, Merck, FedEx, Marriott and others all presumably had seasoned cyber leaders, spent extraordinary amounts of money and thought that their insurance programs were sound, only to look back on major events that cost hundreds of millions of dollars and wonder how they could have gotten everything so wrong.  That coupled with the SEC’s 2018 new guidance on how companies should achieve a proactive understanding of their cyber risk, Moody’s announcement that it will start considering cybersecurity in financial ratings, and the recent D&O settlement related to Yahoo’s security breach all combine to definitely embed cybersecurity as a Board of Directors concern.

Therefore as a Board concern and one that speaks specifically to a Board’s fiduciary responsibility, prospective Board members ought to evaluate cybersecurity specifically.  But how, given the deeply technical nature of the concern and language that is foreign to most people outside of the cybersecurity discipline?

My advice is to use the following four-part evaluation framework:


Understand the cyber risk of the organization in business terms.

Meaning: what types of cyber events could the organization suffer, and what costs and losses would result from that variety of events?  Not only does this approach make cyber risk comprehensible to you, but whether the organization can articulate its risk this way is a great initial litmus test of how well it understands that risk.  If the question can’t be answered, that’s a red flag.


Understand how the organization manages its cyber risk.

The most important component here is an understanding of the methodologies or frameworks used to guide the strategy. Does the organization do an annual assessment, fulfill the recommendations and call it a day until the next time around? Or does it use a maturity-based methodology that drives continual understanding, road-mapping, and evolving?


Understand the organization’s recovery ability.

Is the organization prepared to respond to and recover from the variety of events described in step one?  Can it pay for the anticipated costs and losses?  Is the right insurance portfolio in place, recognizing that for many organizations, insurance for cyber risks requires a combination of insurance types and not just a single “cyber insurance” policy?


Gain confidence with the data behind these components and what drives decision making.

Ideally, you want to gain confidence that the organization has aligned its controls and processes to its greatest areas of risk and is not just plugging holes. That’s the difference between a risk-based approach and a compliance approach, the latter being a vastly inferior way to manage the problem (despite its necessity in some industries).

A good way to contextualize this all is to imagine yourself at the emergency board meeting called when the organization suffers a major security event and is on the cusp of having to announce it.  Do you want the board briefing to sound something along the lines of “We’ve suffered a serious cyber event that we had no idea was possible.  We thought we had the right controls in place and we spent a lot of money on a lot of different things but it looks like we missed something obvious.  We’re scrambling to find folks that can help and we think we bought the right insurance.  We’ll figure all of that out over the next days and weeks.”

Alternately, “We’ve suffered a serious cyber event, but one that we’re prepared for because we understood our risk and we can prove that our cybersecurity strategy was operating at a very mature level.  The damage is far less than it would have been and we’ve now activated the recovery plan designed for this situation.  Further, we should have sufficient insurance proceeds to cover the majority of losses.  We’re going to be ok.”

The first briefing sadly happens time and time again.  The latter is from the type of organization that I’d be proud to serve on the Board of, and that’s why it’s important to consider cybersecurity when evaluating a Board opportunity.

Contact Axio today to learn more about how your organization can better manage cyber risk.


Moody’s; The Cybersecurity Trifecta for Boards of Directors


Intent to rate cybersecurity risk is the third major Board of Directors wake-up call

by Scott Kannry, CEO, Axio and Scott Underwood, Director of Business Development, Axio

November 27, 2018

The past 36 months have seen two significant developments that should have woken up Boards of Directors to their cybersecurity obligations.

First, a spate of high-profile cyber events, namely those experienced by Equifax, Maersk, Mondelez, FedEx and others, proved that regardless of money spent on protection, employing high-caliber cybersecurity professionals, and good intentions to purchase the right amount of insurance, current cybersecurity approaches were not working.  And in Equifax’s case, the severity of the event resulted in a CEO and CISO change and securities class action litigation that remains ongoing.

Second, in February of this year, the SEC released updated cybersecurity disclosure guidance that implored companies to disclose their understanding of cyber risk versus mere disclosure of events after the fact.  As Axio’s post on that announcement noted, “By forcing companies to identify and publish their ongoing cyber risks, [the SEC] is elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.”  Subsequent to this disclosure, the SEC didn’t waste much time evidencing its intent to act when it fined Altaba (formerly Yahoo!) $35M for failing to disclose its breach in a timely manner.

And now, the Trifecta – an announcement by Moody’s that it will soon start incorporating an evaluation of an organization’s risk of a major cyber event into its existing credit ratings, with the future possibility of offering a stand-alone cyber risk rating.  While the specific means by which Moody’s will accomplish this have not yet been disclosed (and may never be disclosed), the impact of such a decision cannot be ignored because of the importance of Moody’s ratings to the investment landscape.  Simply put, if Moody’s issues an unfavorable rating based on its analysis that an organization lacks cybersecurity maturity, that organization could expect to incur higher borrowing costs at a minimum and could suffer further if other entities or investors use the ratings beyond investment transactions.

If the previous two series of events did not garner appropriate Board of Director attention, hopefully Moody’s announcement does.  Because unlike those events, an unfavorable rating from Moody’s could cost a company a considerable amount of money and thus precipitate an argument that the company’s executives and Board of Directors are not fulfilling their fiduciary responsibility.  This announcement and its potential implications should not be disregarded.  So what are companies and their Boards of Directors to do?

Luckily, achieving appropriate cybersecurity understanding and management is very achievable today, and presumably in a way that could be used to answer any questions raised by Moody’s and others:


Understand your cyber risk exposure as it relates to the business and in financial terms.

Start by asking one question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury? Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the impact of those events. Gaining this knowledge is especially critical if Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event. They simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You have that knowledge and can use it to your advantage.


Utilize a maturity based cyber program management framework, such as NIST-CSF or the C2M2.

Align it with the scenarios that you’ve quantified in step one, and ensure that it is reported to the Board in an understandable manner. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework met. And why align the methodology with the scenarios? Because that connects the cybersecurity program with the business, a critical link for Boards to effectively understand the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.


Maintain the resources and financial ability to recover from a meaningful event.

At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others. How do you get there? See Step One.


Evidence all of the aforementioned components with peer benchmarking and best practices insight.

Because cyber risk is incredibly dynamic, and traditional means of risk management, such as complying with standards or achieving certifications, can only serve as a baseline, benchmarking and best practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with or more favorable than your peers’? Is your cyber program in line with or more favorable than your peers’? Have you purchased an insurance program that is in line with or more favorable than your peers’?

Put it all together and a Board of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”


What do the SEC’s New Cybersecurity Risk Guidelines Mean for you as a Board Member?


by Chris Amery, VP Professional And Financial Services

February 26, 2018

This week, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies.

Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation, “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The investing community and public at large should welcome this standardization as a step in the right direction for fair markets.

The more interesting component of the SEC guidance, however, is the following: “Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements under the Securities Act of 1933 … and the Securities Exchange Act of 1934.” Here, the SEC is speaking to general ongoing risk factor identification as opposed to specific post-incident disclosures. The Commission believes that firms must identify and disclose possible risk events even if they haven’t suffered a breach. This is a sea change in the regulatory view of cybersecurity. The SEC is pointing out that it’s no longer good enough to purchase technology controls and meet compliance mandates. By forcing companies to identify and publish their ongoing cyber risks, it is elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.

Axio’s CEO, Scott Kannry, wrote about this just last October:


Cybersecurity should be at the top of every upcoming executive and board of directors meeting.  Rather, it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between.  But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.”

Scott Kannry, Axio CEO

What must board members understand about the new disclosure requirements? First, the good news – they are not technology based. This will not require board members to become tech experts in the latest cyber security technology. They are ‘risk-based’, which means that they require a more holistic approach, and that the current paradigm of assessments, technology controls, and compliance frameworks is clearly not enough to satisfy the SEC guidance. Maintaining accurate risk disclosures requires a dynamic cyber risk management program. In our view, the following four components of a cybersecurity program allow companies to meet this hurdle, and Board members to confidently sign off on these disclosures:

  1. Quantify your exposure in financial terms. As the SEC notes, “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude…[and] also depends on the range of harm that such incidents could cause.”
  2. Evaluate the caliber of your current cyber program within a maturity-based framework. This approach recognizes that cyber risk and maturity is dynamic and allows a company to evolve continually as the cyber landscape changes. Compliance standards can act as a floor, but they do not appear sufficient to meet the SEC guidance that “[w]here a company has become aware of a cybersecurity … risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities.”
  3. Maintain adequate insurance and reserves to recover from a cyber incident. This goes hand in hand with required public disclosures, as firms utilizing this approach will naturally manage their financial risk to appropriate levels on an ongoing basis. Steps one and two inform the proper levels of financial defense on a dynamic basis.
  4. Benchmark your performance against your peers. Cyber risk management is ultimately in the public interest, and the ability to measure your current program against both an internal target state and your peers will be a significant input in determining whether a Board has met its duties with respect to cyber risk.

When these four key components of cyber risk management have been employed on an ongoing basis, a Board can confidently say to the public markets, “We know what our risk profile looks like, we have an updated analysis of our program maturity, our financial controls are adequate to survive a cyber incident, and our overall program is in the top 10% of our industry group.”

We applaud the SEC guidance and look forward to a world where Boards, executive teams, risk managers, and technologists embrace this comprehensive risk- and maturity-based approach to cyber program management.


Tips for Developing or Improving Metrics


by Lisa Young, VP of Cyber Risk Engineering

February 6, 2018

Reposted Content from ISACA Newsletter @ISACA Volume 1

Everywhere we turn, vast amounts of facts, figures, numbers, records and files are being processed, interpreted, organized, structured and presented in a way that turns those data bits and bytes into meaningful information. Putting the raw data into context is what makes information useful for business decisions and underlies many dashboards being developed across the enterprise. Data and information are important components for measurement and, if put into a suitable context, may also become meaningful metrics.

Let us begin with a few definitions and examples:

  • Data—Raw, unorganized facts, records, numbers, etc. An example is the number 2 or the letters “e, g, s.” By themselves, it is hard to know what exactly is meant by their use.
  • Information—Data that are structured, organized or presented in context to make them useful. An example is “I had 2 eggs for breakfast.”
  • Measure (or measurement)—Is the value of a specific characteristic of data. An example is “the number of staff that completed information security awareness training.” Without more context, it is hard to know what value is derived from the statement.
  • Metric—The aggregation of one or more measures to create a piece of business intelligence, in context. An example is “percentage of staff trained vs. expected (planned vs. actual numbers)” or “percentage of new users (internal and external) who have satisfactorily completed information security awareness training before being granted network access.” These statements give context for whether or not the information provided is meeting the intended objective. If I have 10 staff members and 9 of them have completed the relevant training, then my percentage of satisfactory completion is 90%. If I have 10,000 staff members and only 900 of them have completed the relevant training, then I know I still have more work to do, especially if the untrained staff have been granted access to the network.

Consistent, timely and accurate metrics are an important feedback mechanism for managing any activity. When seeking to develop or improve metrics, here are some considerations to keep in mind:

  • Establish objectives—What questions are intended to be answered with the metric? Who is the audience for the metric? Which information needs will be satisfied with the metric? Who collects the measurement data? What techniques for analysis and reporting will be used?
  • Prioritize objectives—Data collection and analysis are costly and time consuming. It is important to consider the purpose and intended use of the metrics. What actions or decisions would the metric inform? If no action, decision or behavior change occurs as a result of the metric, then why are you spending resources to collect and analyze the data?
  • Identify candidate metrics—Candidate metrics should be based on documented measurement objectives. Identify existing metrics that may already address the objective. Metrics may already exist to satisfy 1 purpose and may also be used for additional purposes or to answer additional questions.
  • Specify data collection and storage procedures—Procedures should be based on the objective to be satisfied and the capability of the organization for collecting, storing, managing and disposing of data. Remember, data by themselves may not be sensitive or personally identifiable, but when aggregated, there may need to be explicit procedures for protecting and sustaining the information and subsequently developed metrics. Being explicit about data collection and storage may also help with overall data management, maintaining data integrity and governance. Other considerations in this category are frequency of collection and where the source data are created, stored, used, transported, etc. Data flow diagrams are useful for better understanding the data’s unique characteristics and attributes.
  • Update objectives as needed—Do not be afraid to retire a metric if it is not driving decisions, behavior or actions. The most important consideration here is to ask yourself, “What is the value of this metric in comparison to another metric?” If the metric is not meeting the intended objective, then it is no longer useful to collect and maintain. You may need to iterate several times before getting to a small set of meaningful metrics that drive better decisions, actions and behaviors. Often, the best metrics are conveyed by reporting trends over time versus a single point-in-time metric.

Make sure your questions are the ones most important to your target audience (management, operations, strategic) and your assumptions are stated. If there are estimates used in the metric calculations (because you do not have a piece of data or have just started collecting and have no trends in the data), make sure to state that somewhere in your visualization. Good metrics are those that are used often, answer important business questions, cost little to collect in relation to their value, are easily collected and do not require extensive manual intervention or manipulation. There is a difference between metrics and metrics that matter.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


ISACA: Tips for Moving From a Controls-Based Approach to a Risk-Based Approach


by Lisa Young, VP of Cyber Risk Engineering

November 1, 2017

Reposted Content from ISACA Newsletter @ISACA Volume 22

In today’s modern and dynamic environment, the audit profession must evolve continuously and synergistically with the business and technology changes that occur every day. Professionals who are innovative, forward-thinking and fearless in the face of mental model adjustments will be the leaders of tomorrow. Mental models are the paradigms, or lenses, through which we view the world, and they can serve to limit our thinking if we are not receptive to hearing new views or thinking critically about our current practices.

At the North America and European CACS Conferences, ISACA holds 2 invitation-only IT Audit Leaders Forums and publishes the results for those who were not in attendance. This article contains my interpretation and guidance in applying one of the IT Audit Leader forum’s discussion topics to your enterprise. Challenges in the audit field are not only limited to the audit field; they are shared across many other disciplines and professional domains. If you are a security, governance, risk management or IT professional, consider these tips and how this challenge applies to your enterprise. The first challenge is moving from a controls-based, or checklist, approach to a risk-based approach:

  • The controls-based approach — This approach is well-defined in the audit and assurance discipline. Audit and assurance roles are focused on the inspection, verification or conformance to a set of practices or controls to ensure guidance is being followed, records are accurate and effectiveness targets are being met. I know there are some nuances between types of engagements, but for the purposes of this article, it is assumed that audit and assurance professionals are tasked with ensuring and evaluating that things are operating according to a prescribed or bounded set of criteria. Many of the criteria that are audited or for which assurance is provided have already occurred, meaning that we look to the past to evaluate what has previously happened. This means that the online transaction has been performed, the security control is implemented and operating, or the financial statement has been attested to. There is no uncertainty in the result of the transaction (pass or fail), if the control is implemented or not, or if the financial statement is finalized. The primary risk in audit and attestation is in reaching an incorrect conclusion from the engagement or the risk of noncompliance if controls and practices are not operating as intended. Organizations spend a lot of time and money on implementing and testing controls rather than managing risk.
  • The risk-based approach — This is a forward-looking view of uncertainty. In the landscape in which an organization operates, there are many things that impede an enterprise from accomplishing its objectives, achieving its financial or operational targets, or meeting its mission. A risk-based approach is best paired with a strategic view of the organization to understand which potential uncertainties or risk factors have the highest potential to prevent the organization from meeting its intended targets, objectives, mission, etc. A thoughtful risk assessment will consider the general things that can affect all organizations (about 80% of an enterprise risk) and will also consider those things that are specific to your individual type of business or organization (about 20% of an enterprise risk). The reason there are so many compliance regulations, control catalogs or best practices is that many organizations do not perform risk assessments with the rigor, depth or thoughtful analysis (qualitative and quantitative) that is needed to really understand where to focus the appropriate resources to manage the uncertainties that may materialize in a given day.

Implementing a set of prescribed controls or compliance regulations will generally protect an organization from about 75-85% of the risk in the environment, and it can be put into effect without the benefit of a comprehensive risk assessment. It is far easier to report on gaps in controls, security incidents or phishing attempts as risk events because they have already happened. Reporting on the uncertainty of what might or might not happen is a discipline that takes an investment of education, time and resources to report to management in a way that improves decision-making and does not rely solely on guessing, previous audit findings or reporting realized risk.

So, in the absence of a mature risk management program and process, the organization can be generally effective in preventing realized risk with a robust compliance or controls program. However, to ensure that you are managing the risk factors that have the most relevance to your organization, thoughtful risk identification, risk analysis, risk management and risk monitoring processes must be defined, implemented and measured for effectiveness. In general, an effective risk management process is comprised of the following components:

  • Establish the organizational context — What are the mission, objectives and strategy?
  • Identify risk — Risk to meeting the objectives, mission and strategy
  • Analyze risk — Qualitative and quantitative; not guesswork
  • Evaluate and prioritize risk — Based on analysis, not on what is in the news
  • Respond to or treat risk — With projects that are managed to completion
  • Measure and control the risk management process — By defining the processes and procedures and using standard templates and measurement scales

Here is one example to sum up the recommendations in this article:

  • Conclusion: Looking backward, as a result of [audit finding], the company lost US $3 million in revenue during the third quarter.
  • Risk: Looking forward, without a strategic plan to correct [audit finding], the company could potentially lose an additional US $3 million in the fourth quarter and US $4 million in the first quarter of the new year.

If you are interested in learning more about risk management, there are many quality ISACA publications that cover the topic in more detail. I will also be delivering a workshop on risk assessment and risk management at the upcoming 2018 North America CACS in Chicago, Illinois, USA.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Tips for Understanding the Role of RCSA in Risk Management


by Lisa Young, VP of Cyber Risk Engineering

January 1, 2017

Reposted Content from ISACA Newsletter @ISACA Volume 1

Organizations exist to produce a product or deliver a service and generally have a strategy or a set of goals. Risk management is an organizational discipline that, when combined with strategic planning, ensures that the risk with the greatest potential negative impact on the ability to achieve the organization’s stated goals is identified, analyzed and responded to in an appropriate way (given the risk tolerances of that organization).

In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a 4-volume report titled Internal Control—Integrated Framework. This report presented a common definition of internal control, providing a framework against which internal control systems could be assessed and improved. Around the same time, the Turnbull Report was published and set out internal control best practices for UK-listed companies. After a few years of focus on internal control systems and corresponding internal controls, the management of risk was added to both the COSO and Turnbull reports. This was the genesis of risk and control self-assessment (RCSA) as we now know it.

An RCSA is one tool for surveying or interviewing the business and frontline personnel to understand their view of the risk factors that might impede their progress toward objectives. For the areas of concern identified as a potential risk, a set of corresponding controls that would assist in mitigating the risk or reducing its impact is determined. When an RCSA is used as the only source for risk identification, the organization’s capability to perform risk management is not fully developed, and important risk may go unnoticed. Here are some tips for thinking about how your organization identifies risk that may lead you to a more complete picture of the risk that your organization faces:

  • Do I begin with business goals and objectives and then identify IT-related risk to those business objectives? Many RCSAs are focused on known risk rather than new areas of concern or factors that have not materialized as realized risk yet.
  • Is my organization engaged in actively building skills in risk management? Do we have a common language for risk terms? Risk and controls are complementary, but they are not the same.
  • Do senior leaders in my organization seek out risk management insights to improve performance (not just manage the risk of noncompliance)?
  • Is robust and realistic scenario analysis a primary technique in my risk identification approach? If you are not using the COBIT 5 risk scenarios, consider looking at them and trying to incorporate them into your risk identification process.
  • Do business cases for all strategic initiatives (and major projects) include a detailed and specific description of risk in design, implementation and operations, along with steps to proactively manage them?
  • When conducting an RCSA, is the interviewee or survey participant asked about their concerns (that might not be part of the RCSA)?
  • Do I align strategic goals and objectives to a set of control objectives rather than prescribe a set of controls to use? Having a set of control objectives provides the ability to actively manage risk by changing the process or procedures, avoiding the activity that contributes to risk, or detecting a risky activity sooner. Controls are not the only way to manage risk.
  • Do I actively refine control objectives and the associated controls to make them simpler to save time and cost in design, implementation, use and monitoring?

Risk management is an ongoing organizational capability that can be improved over time. The goal is to keep the business operating with minimum impact from a realized risk or incident. Risk and control self-assessments are but one tool in the risk management tool kit. Make sure your RCSAs are robust enough to add value to the risk management process.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.

Copyright 2018 Axio Global, Inc.
