Key role sought for risk managers in cyber governance

02 August 2017

Leading European and US risk management associations are calling on organisations to establish cyber risk management frameworks to identify, measure and mitigate cyber risk.

Starting point

The Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) have joined forces to produce a guide to cyber risk governance. The guide, developed by a FERMA/ECIIA joint working group, urges companies to take a more structured approach to identifying the business impact of cyber risk.

FERMA and ECIIA believe that the quantification of cyber exposures should be the starting point for decisions on mitigating and transferring the most significant cyber risks. As a result, they advocate that organisations establish a cyber risk governance system, supported by a cyber risk management framework.

This would see organisations establish a dedicated cyber risk governance group, reporting to the risk committee, and ideally chaired by the organisation’s risk manager.

Breaking down silos

The role of the cyber risk governance group is to determine the organisation's cyber risk exposures and to design possible mitigation plans. The group should be cross-disciplinary, bringing together operational functions from IT with the key business functions, and should include the chief information security officer (CISO) and the data protection officer.

Such a cross-functional team, headed by the risk manager, would ensure that all of the organisation's most critical processes and most valuable assets are examined through a ‘cyber lens’. The group can then present senior leadership with possible mitigation plans, including investments in cyber security and risk transfer solutions such as cyber insurance.

Central role

The role of the risk manager in cyber risk governance is key, according to FERMA and ECIIA. The risk manager is responsible for defining the cyber risk exposure of the organisation and acts as a facilitator between the board and relevant business functions. The FERMA/ECIIA guide highlights the “unique value” that risk managers add in identifying and quantifying risk exposure. They are also able to advise the CFO on insurance strategy, including how to obtain the most effective level of insurance cover at the best achievable cost.

Leading the debate

FERMA’s recommendations follow similar recent guidance on cyber risk governance published by the US risk management body RIMS and its UK equivalent Airmic.

Like FERMA, Airmic’s Cyber Risk - Understanding your Risk and Purchasing Insurance report says that risk managers should be leading the “cyber risk conversation”. Risk managers can help their organisations understand the risks, establish an enterprise risk management framework, and provide insights into the insurance market and its associated services, Airmic said.

RIMS also believes that a strong partnership between IT, legal, risk management and public relations is critical for an effective cyber security program. In its Cyber Protection: What to Do Before and After a Cyber Incident report, RIMS highlights the value of preparing for a cyber attack and collaboration between business areas.

Download Cyber Decoder 
