Sasha Romanosky and Elizabeth L. Petrun Sayers
Abstract
Purpose
The purpose of this study is to examine how companies integrate cyber risk into their enterprise risk management practices. Data breaches have become commonplace, with thousands occurring each year, and some costing hundreds of millions of dollars. Consequently, cyber risk has become one of the gravest risks facing organizations, and has attracted boardroom-level attention. On the other hand, companies already manage many kinds of difficult and growing risks, and firms lose less than 1% of annual revenues as a result of cyber incidents. Therefore, how should firms appropriately address cyber risk? Is it indeed a materially different kind of risk area, or is it simply one more risk that can seamlessly be integrated into existing enterprise risk management (ERM) practices?
Design/methodology/approach
The authors performed thematic analysis based on semi-structured interviews, with non-probabilistic, purposive sampling, to answer two main questions. First, how do firms manage enterprise risks, generally? And second, how are they integrating cyber risk into these existing processes?
Findings
The authors find that there is considerable variation in the approach and sophistication of ERM practices, such as whether ERM is run more like an auditing function or as a risk champion. The authors also find that despite the novelty of cyber risk, it can be integrated like other enterprise risks, and that cyber risk is most often seen as an operational risk (similar to workplace accidents or fraud), rather than a strategic risk emerging from, for example, technology innovation and R&D.
Research limitations/implications
The generalization of the results is limited by the sample size and variation of firms interviewed. While the authors attempted to interview enterprise risk managers across a wide variation of firms, there were clear limitations in the scope. That being said, the authors were fortunate to be able to examine ERM and cyber risk practices across small and large, private and publicly traded companies, from a variety of business sectors.
Practical implications
The authors believe these findings are important because they present evidence that while cyber risk may be new, it does not require specialized handling or processes to track it at the enterprise level. While some firms may choose to provide special accommodations or attention because of their data collection or business practices, this approach is neither necessary nor required of all firms in all situations.
Originality/value
This research is one of the only papers that, to the best of the authors’ knowledge, examines how cyber risk is integrated at an enterprise level.
Ashlyn Tom and Alice Kim
Abstract
Purpose
To assess which partnerships were most critical during the recovery planning process following Hurricanes Maria and Irma. We discuss the roles and impact of different types of partners, barriers and facilitators to partnerships and lessons in collaboration during the development of the economic and disaster recovery plan for Puerto Rico.
Design/methodology/approach
The Homeland Security Operational Analysis Center (HSOAC) was tasked with assisting the Puerto Rican government with an assessment of damages from Hurricanes Maria and Irma and the development of the Recovery Plan. During the process, a small team compiled and coded a database of meetings with non-HSOAC partners. The team was divided into sector teams that mirrored FEMA’s Recovery Support Functions. Each sector completed two surveys identifying high impact partners and their roles and contributions, as well as barriers and facilitators to partnerships.
Findings
A total of 1,382 engagements were recorded across all sectors over seven months. The most frequently identified high impact partners were federal and Puerto Rican governmental organizations. NGOs and nonprofits were noted as key partners in obtaining community perspective. Sector teams cited a lack of trust and difficulty identifying partners as barriers to partner engagement. Given the expedited nature of disaster response, establishing partnerships before disasters occur may help facilitate community input. Early networking, increased transparency and defining roles and responsibilities may increase trust and effectiveness among partnerships.
Originality/value
To our knowledge, this is one of the few studies that quantifies and illustrates the partnerships formed and their contributions during recovery planning, and lessons learned.