The Evolution of the Cyber Risk Role within the Three Lines of Defence

Alexander Abramov

Every financial firm from the beginning of time has needed to manage credit risk, market risk and reputational risk. Foreign exchange, volatility, liquidity, inflation, and fiduciary risk management have evolved as markets became more sophisticated. Cyber risk is a relatively new entrant in this field.

The formal organisational governance for risk management goes back to the 1970s. In the 1990s the concept of enterprise risk management (ERM) became widely adopted and came to be a mechanism to integrate different risk disciplines as well as to address regulatory requirements. ERM has provided the capability to align risk appetite and strategy; identify and manage cross-enterprise risks; and offer an integrated response to multiple risks. As the author once heard the chief risk officer (CRO) of a large investment bank say to his staff, ERM requires people to “be intergalactic risk managers – think laterally across different risk stripes”.

Operational Risk was defined as a separate risk category in the late 1990s. At that point, the Basel Committee on Banking Supervision (BCBS) stated, “At present, there is no agreed upon universal definition of operational risk” (BCBS 1998, p. 3

To continue reading...

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an indvidual account here: