Every organization must define its risk appetite for every risk category. Organizations should use the same risk taxonomy to categorize the risk areas at the business unit, aggregation, and board level to bring all stakeholders on board.
There are several benefits to using the same risk taxonomy across an organization. The most important is that cyber risk is reported in the same form as every other risk, which covers the whole structure, from the business unit up to the organizational level.
A shared risk taxonomy also makes it possible to break strategic cyber risk down from the organizational level to the business unit level and to each individual information asset. Cyber risk can then be assigned to owners within the taxonomy's risk groups, because the language of cyber risk reporting becomes the same as the language used for other risks and is recognized and acknowledged by leadership.
Although the information flow is bottom-up at first, further benefits appear as the practice matures: Enterprise Risk Management (ERM) committee members and the board begin to identify top-down, strategic areas of cyber risk that affect the selection, design, and operation of technology.
A risk taxonomy ensures that every cyber threat has a footprint that can be traced down to the business unit level, or even to the individual information asset. That traceability is enough for board members to see that the threat is real and measurable.
The original article was published by ISACA.