The State of Risk Quantification In 2022

Feb. 25, 2022
Effective risk management requires a proactive, quantitative, diligent plan, and its presence within boardrooms has skyrocketed up priority lists

In cybersecurity, as with any operational risk, the fun starts once something can be measured. With cyber risk quantification, organizations can justify their return on investment (ROI), optimize their spending, explain their cyber risk exposure and investments to their CEO and board in tangible terms, and above all, manage risk more easily.

It’s important for organizations to develop a standard for risk management because simply put, most organizations are not managing their cyber risk as well as they could. According to a recent PwC survey, only 45% of surveyed organizations have a formalized process to identify, evaluate, and rank cyber risks in line with their business priorities. Thankfully, the growth of cyber risk quantification practices can help buck that trend.

Today, effective cyber risk management is no longer a luxury. Cyber risks are continually escalating, along with the number of data breaches and cyberattacks. Advances in risk quantification allow risk, and the data that accompanies it, to be processed more quickly and efficiently than ever before. Cyber risk quantification gives organizations an effective way to analyze all the data that comes their way, sourced across risk types, products, and business lines.

With Risk Quantification Comes an Ease in Understanding

Money is a common language that everyone understands, from leadership down through the organization. With a simple, shared unit of measure, CISOs and corporate boards can align on how to measure and mitigate cyber risk and make better-informed decisions. Board questions about the return on cyber risk investments, how well the organization is protected, how risk is trending, and which risks to address first get cleaner answers when expressed in dollar terms.

Using scenario planning, risk leaders can estimate how often a given threat is likely to materialize and how much each occurrence would cost, and then weight each risk by its likelihood and impact. This is especially useful for the CISO, who can manage their risk budget not only in dollars but also in where they strategically place their risk bets. Optimizing risk means taking calculated risks. With quantification, CISOs can shift allocations toward the risks of greatest concern, and rationalize and optimize cyber spend.
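The scenario-based arithmetic described above, as an added example that is not code from the original article or from MetricStream. It uses a FAIR-style model (annual loss expectancy = loss event frequency x loss magnitude), with event frequency drawn from a Poisson distribution and per-event loss from a lognormal, then runs a Monte Carlo over simulated years to get dollar percentiles, and prices a control by how much expected loss it removes against what it costs. The scenarios, their parameters, and the control's effect are constructed and hypothetical; the function names are this example's own.

```python
"""Scenario-based cyber risk quantification in dollar terms.

Added example, not from the original article or MetricStream. FAIR-style model:
annual loss expectancy (ALE) = loss event frequency x loss magnitude. All
scenario parameters below are hypothetical and chosen only to show the mechanics.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    events_per_year: float  # expected loss-event frequency (Poisson mean)
    loss_median: float      # median loss per event, in dollars
    loss_sigma: float       # log-space spread of per-event loss (lognormal sigma)

    def expected_annual_loss(self) -> float:
        """Analytic ALE: frequency x mean loss per event.

        A lognormal with mu = ln(median) has mean median * exp(sigma^2 / 2).
        """
        mean_loss = self.loss_median * math.exp(self.loss_sigma ** 2 / 2)
        return self.events_per_year * mean_loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: Scenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over `years` simulated years; returns mean and loss percentiles."""
    rng = random.Random(seed)
    mu = math.log(scenario.loss_median)
    losses = []
    for _ in range(years):
        n_events = _poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.loss_sigma) for _ in range(n_events)))
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {"mean": sum(losses) / years, "p50": pct(0.50), "p95": pct(0.95), "p99": pct(0.99)}


def control_roi(scenario: Scenario, frequency_factor: float, annual_cost: float) -> dict:
    """Dollar value of a control that scales event frequency by `frequency_factor`
    (0.5 halves it). net_benefit = risk removed - control cost; a negative value
    means the control costs more than the risk it takes away."""
    before = scenario.expected_annual_loss()
    reduced = Scenario(scenario.name, scenario.events_per_year * frequency_factor,
                       scenario.loss_median, scenario.loss_sigma)
    after = reduced.expected_annual_loss()
    return {"ale_before": before, "ale_after": after, "net_benefit": before - after - annual_cost}


def rank_by_exposure(scenarios: list) -> list:
    """Order scenarios by expected annual loss, highest first (the prioritization view)."""
    return sorted(scenarios, key=lambda s: s.expected_annual_loss(), reverse=True)


# Constructed, hypothetical scenarios for illustration only.
SCENARIOS = [
    Scenario("ransomware via phishing", events_per_year=0.5, loss_median=1_000_000, loss_sigma=1.0),
    Scenario("third-party credential leak", events_per_year=0.2, loss_median=2_000_000, loss_sigma=0.8),
    Scenario("misconfigured cloud storage", events_per_year=2.0, loss_median=50_000, loss_sigma=1.2),
]

if __name__ == "__main__":
    for s in rank_by_exposure(SCENARIOS):
        stats = simulate_annual_loss(s)
        print(f"{s.name:30s} ALE ${s.expected_annual_loss():>12,.0f}  "
              f"P50 ${stats['p50']:>12,.0f}  P95 ${stats['p95']:>12,.0f}  P99 ${stats['p99']:>12,.0f}")
    # Hypothetical control: halves phishing-driven ransomware frequency for $150k/year.
    print(control_roi(SCENARIOS[0], frequency_factor=0.5, annual_cost=150_000))
```

The percentiles are the part a board should see alongside the ALE: for the ransomware scenario the median simulated year loses nothing at all, while the 95th percentile year runs into the millions, so a single expected-value figure understates the tail the organization is actually carrying.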

Automation Is Changing the Industry for The Better

Automation is another best practice for quantifying risk. Given the volume of data organizations now have access to, it is virtually impossible to assess the risks of a given area manually. Third-party risk, for example, is too wide-ranging to manage by hand. Automation, and specifically technologies like artificial intelligence (AI), make the process far more manageable. With this "connected net," more people and more risks can be included in a single risk assessment, so that important risks are not left out of the equation.

Third-party risk is a case in point. It extends to suppliers, contractors, and partners: essentially, every party you regularly conduct business with. Their risk is your risk.

If a contractor mishandles your organization's passwords and causes a data breach, that's on you. That is far more than an annoyance; it can cause supply chain disruption, among other problems. To avoid such a scenario, it's essential to assess critical third parties and suppliers, starting with the partners who are pivotal to running your business.

Trends To Watch In 2022

As the year progresses, I predict the following trends to occur within the ever-growing concept of risk management:

Organizations will build in "always-on" risk monitoring processes: For cyber risks to be quantified effectively, they must be monitored continuously. Getting familiar with these risks takes time, and it raises a further question: what would you do if a risk event actually occurs?

The best way to be prepared for this question is to be operationally resilient. According to Gartner, operational resilience is defined as “initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders.”

Specifically, the best approach is to develop a strategic operational resilience plan to handle whatever bumps in the road appear.

Increased dependence on cyber risk quantification: As a standard for measuring risk in numerical terms takes shape, quantification will become so prevalent that organizations will expect it as the "new normal" way of measurement.

Risk professionals will look to quantify risks of all kinds in order to optimize spend and risk and make the most of organizational budgets. Although the practice is still coming of age, the advances made in 2022 will push cyber risk quantification toward becoming the standard for measuring risk.

Expect more risk events in 2022: Cyber risk activity is increasing around the world, particularly involving countries like Russia and China, which are engaged in their own cyberwar. This back-and-forth will have ripple effects worldwide. Above all, it has shown how cyber operations are used to leak information and to extract it from other countries.

Additionally, the rise of 5G has added a new layer to the ever-growing risk landscape. While 5G has brought connectivity to far more devices, every one of those internet-connected, IP-addressable devices is also reachable by attackers, which brings greater cyber risk.

Ultimately, as more devices are put into the world, the web of opportunities for cybercriminals to conduct hacks increases as well.

Cyber requirements from regulators will increase: To develop more standard measurements for risk across multiple industries, expect an increase in cybersecurity requirements imposed by industry regulators and governing bodies. Organizations can look to the banking and financial services sector, one of the most highly regulated industries today following the 2008 financial crisis. In this industry, where the interconnectivity of banks creates a highly risky environment in the event of a major cyberattack, a common standard is instrumental for compliance when 250+ new banking regulations are implemented each day.

Similar regulations are to be expected in other industries as well, particularly as the growing focus on environmental, social, and corporate governance (ESG) draws new regulations on climate risk disclosure. With cyber risk events increasing and the movement for ESG regulation growing, capital requirements and more transparent, quantified disclosure of cyber risk are sure to follow.

Moving Forward with Cyber Risk Management

As it stands now, the evolution of cyber trends and practices has changed the entire way the banking industry conducts business. As technology spreads and extends the web of cyber across the world, the growing network of IP-addressed devices will lead to a fully connected world.

With the increased focus on cyber, I believe one of the most significant developments will be risk data exchange between companies. This not only gives us better historical data to learn from, it will also let banks learn from their competitors. If a certain bank gets hacked, that information can be gathered in real time, and regulation will require the bank to share it with other banks so they are informed of the breach.

Here's the bottom line: effective risk management requires a proactive, quantitative, diligent plan, and it has shot up boardroom priority lists. Thankfully, the industry is on the right track. Within the next one to two years, a standardized quantitative risk management plan will be in place across the board, forever changing the way risks are measured, analyzed, and understood. Developments such as an increased focus on operational resilience and on prioritizing and optimizing cyber spend will accelerate the arrival of a true, comprehensive, global quantitative risk management standard.

About the author: Joy Bhowmick is an SVP, Head of Product Development, Product Manager - IT and Cyber Security at MetricStream, and has 20-plus years of experience in leading institutional, retail, and commercial banking technology initiatives. He has delivered many solutions in Risk Management, Finance, Compliance, Cyber Security and Audit. He is known for his expertise in determining strategic financial direction, leveraging business and technical acumen to generate solutions for complex issues.

He specializes in championing strategic initiatives to deliver effective results, participating in critical decision-making processes while working proactively with cross-functional teams to drive competitive advantage. His mission is to stay committed to cultivating exceptional stakeholder relationships, meeting their needs and expectations at every step. His ability to provide exceptional service, resources, and methods to meet ever-changing objectives and ensure compliance with all regulatory requirements is what makes him the best at what he does.