Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Elevating the Board’s Oversight of Cyber Risk


I have known Jim DeLoach of Protiviti for a very long time. He's a friend.

While we may disagree on details and the way of saying things, we tend to agree more than we disagree.

For example, I frequently quote Jim when it comes to the periodic review of a list of risks. As he says, this is "enterprise list management," not enterprise risk management — which is about taking the right level of the right risks (my expression).

When it comes to cyber risk and the board's role, I think we again agree on more than we disagree. He has written a couple of posts for the (U.S.) National Association of Corporate Directors (the second is a continuation of his thinking):

These are both good food for thought. But are they enough? Are his questions and insights consistent with what I would do as a board member?

Frankly, no.

I would take each of the organization's key objectives (such as the earnings target, customer satisfaction goal, and so on) and ask the executive team how a breach might affect their achievement. It's a simple question, but it's not simple for them to answer. To answer it, they would have had to complete a careful assessment of how a breach would affect the enterprise and each of its business initiatives.

Most don't go far enough. They may consider the effect on a critical application and its availability, or the cost of disruption, but they haven't thought through how a breach could affect the organization's ability to provide quality products and services to its customers, its reputation and what that means for revenue, and so on.

So, I would start with a single simple question. The discussion may extend to consideration of his other points, such as the ability to detect a breach and then respond. I have decided that it is better for the board (and management, including the risk officer) to stop trying to manage or mitigate risk. Instead, they should focus on what it will take to achieve the objectives of the organization: How will potential events, situations, and decisions affect that achievement?

It is easy to go overboard with concern about cyber risk. Of course it is important. But is it the most significant threat to earnings per share?

The only way to know is to answer my question: "How would a breach affect our ability to attain our critical targets, our measures for success?"

I welcome your thoughts and comments.





