An Introduction to Cyber-Risk Management

Big businesses employ many people to ensure their business risks are covered

Business risks can be defined in many ways. For example, Gartner has summarized the Top 10 Emerging Risk Trends of 2Q21 as:

  1. Cybersecurity Control Failures
  2. ESG Regulatory Requirements
  3. Remote Talent Management
  4. Organizational Culture Degradation
  5. Supply Chain Disruption
  6. Talent Post-COVID-19
  7. Diversity, Equity, and Inclusion (DEI) Responsiveness
  8. Corporate Tax Changes
  9. Post-COVID China
  10. Politicizing of Decision Making


Now, that list captures the strategic, compliance, operational, and reputational risks that leaders of major businesses (“big businesses” throughout the world) are worrying about. Each of those 10 areas of risk contains many smaller risks. Around the world, big-business leaders are planning how to deal with those numerous risks and creating strategies and tactics to protect their businesses and the people affected by their business decisions.

This article will introduce some of the big-business thinking that leaders of smaller businesses can use to protect their businesses and the people affected by their business decisions.

In this article, we will focus on the risk that is ranked #1 by Gartner: Cybersecurity Control Failures. We will provide some context, but we will not dig deep into details. The goals here are to:

  1. introduce the thinking and processes big-business leaders are trained to use and
  2. introduce how leaders of smaller businesses can use similar approaches to cover cybersecurity.


IT Risks – the way leaders of big businesses view them

While there are many ways to describe IT risks, I favour the way a Canadian expert, Michael Parent of Simon Fraser University, summarizes them:

  1. IT Competence Risk
  2. Infrastructure Risk
  3. IT Project Risk
  4. Business Continuity Risk
  5. Information Risk


When big-business leaders of publicly-traded companies consider these 5 risks, they work through complex processes involving many people with “C-level” titles such as CIO, CSO, CDO, CISO, CITA, and many others, including, of course, the CEO, CFO, etc. Also, many directors on their big-business boards are involved in various committees, including audit committees and risk-management committees. Considering the expansion of laws and regulations and the creativity of predatory cyber-criminal minds, enterprise risk management truly is a challenging package of work. Big businesses apply massive resources to create and deliver enterprise risk management.

IT Risks – the way leaders of SMBs need to cover them

Leaders of smaller businesses cannot call upon such massive resources to address cybersecurity. SMB leaders need to work within smaller-budget realities. As cyber-risks escalate, SMB leaders need to find workable processes for dealing with their cybersecurity risks. Fortunately, SMBs can make efficient use of the processes and tools used by big-business directors and operating leaders. The SMB cyber-risk management process can be performed with an affordable amount of time and money.

The right way to get started is to think of the following five steps.

SMB leaders reduce their cyber-risks very quickly when they:

  1. Identify those risks – naming and claiming them,
  2. Assess each one of those risks – quantifying, ranking them, and choosing the ones to address,
  3. Plan to cover each of those risks and take action – considering goals and budget realities,
  4. Monitor performance – setting metrics and capturing relevant data, and
  5. Report performance – looking objectively at results and beginning to take the next “Identify” step.


These steps can be taken easily and quickly, following well-defined, proven risk-management procedures.
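To make the five steps concrete, here is an added example (not part of the original article) of a small cyber-risk register that walks through Identify, Assess, Plan, Monitor and Report in Python. The risk entries, the cost figures and the metric readings are constructed sample data; the 1-to-5 likelihood and impact scales and the "likelihood times impact" score are a common simple rating, assumed here rather than taken from the article. The Plan step picks controls in rank order until the budget runs out, which is one workable rule among several.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    """One line of a cyber-risk register (the Identify step)."""
    name: str
    category: str            # one of the five IT risk categories quoted in the article
    likelihood: int          # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int              # 1 (negligible) .. 5 (severe); scale is an assumption
    mitigation: str          # the planned control
    cost: int                # estimated cost of the control (constructed figures)
    metric: str              # what is measured to show the control works
    target: float            # value the metric must reach
    actual: Optional[float] = None   # filled in by the Monitor step

    @property
    def score(self) -> int:
        # Assess step: likelihood x impact (assumed rating scheme)
        return self.likelihood * self.impact


def identify() -> List[Risk]:
    """Name and claim the risks. These entries are constructed sample data."""
    return [
        Risk("Staff credentials phished", "Information Risk", 4, 4,
             "Phishing-awareness training plus MFA on email", 2000,
             "share of staff who completed training", 0.90),
        Risk("Ransomware encrypts the file server", "Business Continuity Risk", 3, 5,
             "Offline backups with a quarterly restore test", 3000,
             "successful restore tests this quarter", 1),
        Risk("Firewall firmware left unpatched", "Infrastructure Risk", 3, 4,
             "Monthly patch window for network gear", 1500,
             "share of devices patched within 30 days", 0.95),
        Risk("Nobody can review cloud configuration", "IT Competence Risk", 2, 3,
             "Send one administrator on cloud-security training", 4000,
             "administrators trained", 1),
        Risk("Website migration overruns", "IT Project Risk", 2, 2,
             "Fortnightly milestone review", 500,
             "milestones delivered on schedule", 1),
    ]


def assess(risks: List[Risk]) -> List[Risk]:
    """Quantify and rank: highest likelihood x impact first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def plan(ranked: List[Risk], budget: int) -> List[Risk]:
    """Choose the risks to address: walk the ranked list and take each control
    whose cost still fits the remaining budget (greedy by rank)."""
    chosen, remaining = [], budget
    for r in ranked:
        if r.cost <= remaining:
            chosen.append(r)
            remaining -= r.cost
    return chosen


def monitor(chosen: List[Risk], measurements: Dict[str, float]) -> None:
    """Capture the metric readings collected during the period."""
    for r in chosen:
        if r.name in measurements:
            r.actual = measurements[r.name]


def report(chosen: List[Risk]) -> Dict[str, str]:
    """Compare each metric with its target; the result feeds the next Identify step."""
    status = {}
    for r in chosen:
        if r.actual is None:
            status[r.name] = "not measured"
        elif r.actual >= r.target:
            status[r.name] = "on target"
        else:
            status[r.name] = "below target"
    return status


def run_cycle(budget: int, measurements: Dict[str, float]) -> Dict[str, str]:
    """One pass through the five steps for a given budget and set of readings."""
    chosen = plan(assess(identify()), budget)
    monitor(chosen, measurements)
    return report(chosen)


if __name__ == "__main__":
    # Constructed readings from the period being reviewed
    readings = {
        "Staff credentials phished": 0.95,
        "Ransomware encrypts the file server": 0,
        "Firewall firmware left unpatched": 0.80,
    }
    for name, status in run_cycle(7000, readings).items():
        print(f"{name}: {status}")
```

With a budget of 7000, the two highest-scoring risks and the firewall patching fit, the 4000 training item does not, and the cheap project review still does; the report then shows which controls are delivering and which need attention in the next cycle.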

Together our conversations can expand solutions and value

We look forward to helping you bring your ideas and solutions to life.