Keep it simple: how to avoid drowning in cyber risk information

Risk managers should feed each level of the company only the risk information it needs

Jack Freund is senior manager, cyber risk framework at TIAA.

A solid operational risk management programme must involve integration of activities between the first, second and third lines of defence. But too often the focus is on separating these duties instead – meeting the letter if not the spirit of the model, and harming efforts to monitor and manage operational risks. In cyber risk, in particular, such cursory first-line risk management practices are not sufficient. Asset-level risk as