Reports on Risk, Culture and Performance

Written By Rock Lambros

 This time, I am going to cover the 3rd and final point under the COSO guiding principle of Information, Communication and Reporting which is Reports on Risk, Culture and Performance.

As a reminder, the COSO guiding principle of Information, Communication and Reporting has three points:

  1. Leverages Information and Technology

  2. Communicates Risk Information

  3. Reports on Risk, Culture and Performance

Organizations need to stay abreast of cybersecurity related regulatory reporting requirements. High profile breaches, have lawmakers calling for stricter regulations to protect user data and critical infrastructure and to minimize the impact of such incidents.

In the United States, as of 2021, Congress has failed to pass any meaningful, comprehensive cybersecurity legislation, so organizations must contend with a hodge-podge of overlapping laws and standards at both the industry and state level.

With all these different laws, regulations, and standards flying around, it is just about impossible for an organization to keep track of them all. Unfortunately, I don’t anticipate a consolidation of these laws and regulations soon, so be sure to cozy up with your legal teams to stay in front of it all!

Organizations must implement a process for relevant and timely reporting of pertinent cybersecurity risks at all levels. These levels may include the cybersecurity team, the ERM team, horizontal business units, the executive leadership team, the board of directors, external third parties and external regulators.

Many crisis communications publications state that crisis communications should contain the "Five Ws" (Who, What, When, Where, and Why). Each of the "Ws" may not be practical every time. For instance, at the beginning stages of a cyber incident, you may not know exactly "who" is affected, but you want to communicate proactively. The point is to have a communications plan BEFORE the communication needs to occur.

Key Activities

  • Understand regulatory cybersecurity reporting and disclosure requirements that are in-scope for your organization.

  • Work with your legal team to sort through overlapping and conflicting requirements of the different regulations.

  • Come up with a communications plan before it is needed.

  • Tailor communications to your audience.

  • Drill your communications plan through designed and scheduled exercises.

 Well, we are at the end of COSO! You have done it! You have endured these videos on how to align cyber risk with your organization’s enterprise risk management framework. While not the sexiest of topics, it is critical to elevating your profile and executive presence within your organization. Remember, the 5 guiding principles of COSO are:

  1. Governance and Culture

  2. Strategy and Objective Setting

  3. Performance

  4. Review and Revision

  5. Information, Communication and Reporting

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up. Stay tuned for a poll on LinkedIn asking what topic you would like me to start covering next.

Thanks, and have a great week!

Rock Lambros
Next

Information, Communication and Reporting