INF80043: Executive Briefing on Organix Cyber Risk Appetite

Added on 2022/09/07

AI Summary
This executive briefing paper, prepared for the senior executive team and board of directors of Organix, provides an overview of managing the organization's cybersecurity risk appetite. The briefing aligns with ethical security frameworks such as COBIT, ISO, and COSO, highlighting the importance of integrating cyber risk management into the business strategy. It addresses the digital revolution, the COSO framework, risk management components, and the challenges in defining a cyber risk appetite. The paper emphasizes the need for Organix to establish risk targets, integrate cyber risks, and develop a corporate risk appetite statement. The briefing also provides recommendations for improving cyber resilience, including the inclusion of cyber resilience in strategic decision-making and categorizing sensitive data. The report stresses the importance of communication, information, and reporting to manage cyber risks effectively, providing a comprehensive analysis of the current cyber risk landscape and potential mitigation strategies for Organix.
Executive Briefing Assignment 1
Managing Organix Organization Cyber Risk Appetite: Executive Briefing
Student’s Name
Instructor’s Name
Institutional Affiliation
City/State
Date
Executive Summary
Organix has enjoyed healthy growth since it was first established in Australia in 1995. The company operates both physical shops and an online shop. Like the board of any other business, the Organix senior executive team needs to build the essential ideas of cyber risk management practice into its business. By adopting cyber risk management practices, the company can prevent disruptions to business processes that lead to losses ranging from thousands to millions of dollars. It is also understood that it is necessary to eliminate some of the cyber risks associated with the organization's operations. The risk appetites set out here provide an insight into the organization's overall approach to cyber risk.
Table of Contents
Executive Summary, p. 2
Table of Contents, p. 3
Managing Organix Organization Cyber Risk Appetite, p. 3
Digital revolution, p. 5
The COSO Framework, p. 5
Risk management components, p. 6
Cyber risk appetite challenges, p. 7
Organix company risk target, p. 8
Integrating Cyber risks into Organix Risk Appetite, p. 9
Organix Corporate Risk Appetites, p. 9
Cyber risk appetite statement, p. 11
Conclusion, p. 12
Managing Organix Organization Cyber Risk Appetite
The purpose of this executive briefing paper is to give the senior executive team and the board of directors of Organix an overview of the management of the organization's cybersecurity risk appetite. This is done in line with ethical security frameworks such as COBIT, ISO, COSO, and other enterprise risk management frameworks. Managing risk is a balancing act for businesses and organizations regardless of their size and discipline. In this context, some organizations cautiously take on manageable risk while others take on too much. Hence, cyber risk ranks among the most impactful sources of uncertainty in modern enterprises because of the difficulty of striking this balance. Cybersecurity is increasingly reviewed by corporate boards of directors and, in most cases, discussed with financial analysts, who view it as a looming and supreme business risk, since the consequences of its failure may damage both business revenues and reputation. In some cases, CEOs have lost their positions due to inept preparation and planning as well as data breaches. This briefing paper provides context on the essential ideas of cyber risk management practice, although it is not intended to be a complete guide to developing and implementing technical strategies.
As set out in its business plan, the scope and operations of Organix show that it has to maintain both an online and a physical presence. The key priorities of the organization include having the best IT infrastructure to ensure robust cybersecurity for its systems. As the organization's information technology professionals, we are responsible for delivering robust cyber risk metrics around the organization's policy and its cyber risk. While this is a reasonable undertaking for every information technology professional today, the main challenge lies in providing metrics that put risk data in context by giving a clear understanding of the level of risk within the corporation.
This briefing is meant for the board of directors and senior executives of the Organix
company. It enables them to understand their responsibilities in cyber risk management, which are as follows.
- To understand their importance, as senior executives, in participating in an effective cyber risk management program.
- To select the proper Enterprise Risk Management (ERM) framework to improve cybersecurity, monitoring, and executive programs.
- To understand the essential ideas and techniques of cyber risk management.
- To be equipped with an overview of cyber risk considerations and mitigation strategies.
- To understand how cyber risk fits into an enterprise risk management approach.
Digital revolution
Cyber-attacks and threats continuously grow in complexity and number as the business world develops; as business and technology evolve, so does the ERM framework. Consider the example of the COSO enterprise risk management framework, which COSO updated in 2017 (Winter, 2018, p. 23). Among the significant reasons behind the update of the ERM framework was the need to address the evolution of risk management in the cyber age, and to encourage organizations to improve their approaches to managing cyber risk so that the demands of an evolving business environment are met (Chiarini, 2017, p. 71). The framework has been enhanced in several ways to highlight the need to consider risk both in driving performance and in the strategy-setting process.
The COSO Framework
The updated framework:
- Offers better insight into the value of risk management when setting and implementing strategy.
- Improves alignment between risk management and performance, to enhance the setting of performance aims and the understanding of the effect of risk on performance.
- Accommodates expectations for governance and oversight.
- Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies.
- Brings new ways of viewing risk in setting and achieving objectives in the context of greater business complexity.
- Expands reporting to address expectations for greater stakeholder transparency.
- Accommodates evolving technology and the proliferation of information and analytics in supporting decision-making.
- Sets out the main components, principles, and definitions for all levels of management involved in designing, implementing, and conducting ERM practices.
Source: COSO 2017 ERM Framework.
The emergence of readily available cloud-based solutions and the proliferation of the internet have made it clear that technology and business have woven a fabric of connectivity that is both rich and complex (Zhao & Singhaputtangkul, 2016, p. 6). As companies become more agile and innovate further in the emerging digital reach, new and ever-present vulnerabilities emerge.
Risk management components
Governance and culture: Governance and culture form the basis of the other ERM components. Governance reinforces the importance of cyber vigilance and establishes the oversight responsibilities for the entity (Halder et al., 2013, pp. 1120-1127). Hence, management sets the entity's tone.
Strategy and objective-setting: Cyber risk management is integrated into the entity through the process of setting strategy and business objectives. Having understood the business context, an organization can examine the external and internal factors and their impact on risk (Epstein et al., 2015, pp. 1622-1636). A company sets its cyber risk appetite in accordance with its strategy-setting. Business objectives put the business strategy into practice, shaping the entity's day-to-day priorities and operations.
Review and revision: By reviewing the entity's performance relative to its targets, an organization is in a good position to consider how well its cyber risk management capabilities and activities have increased value over time (Al Ayubi, Parmanto, Branch and Ding, 2014, p. 25). Reviewing management capability and practice also continues to drive value in light of substantial changes.
Communication, information and reporting: Communication is the continuous, interactive process of providing or obtaining information and sharing it throughout the entity. Management should use both relevant external and internal sources to support cyber risk management (Kosub et al., 2015, p. 112). An organization leverages its information systems to capture, process, and manage data. Using information that applies to all components, Organix reports on risk, performance, and culture.
Performance: An organization assesses any identified risk that may impact the entity's ability to achieve its business objectives and strategy. In this case, management prioritizes risks according to their severity while taking into account the entity's cyber risk appetite (Liu and Staum, 2010, p. 30). By monitoring performance for change, Organix can develop a portfolio view of the amount of risk the entity has assumed in pursuing its strategy and entity-level business objectives.
Cyber risk appetite challenges
Some cyber risk appetite challenges include the following:
- Quantification challenges: this challenge arises when the organization has not yet settled on a standard approach to quantifying cyber risk and is therefore working with only a broad estimate of it (Duncan, Zhao, and Whittington, 2017, pp. 12-45).
- Data challenges: rapidly evolving cyber risk limits the historical data available for designing a cyber risk appetite (Green, Prince, Busby, and Hutchison, 2017, pp. 103-109).
- Communication challenges: cyber risk reporting and metrics tend to overwhelm the board. Organizations therefore need to strike the right balance between being too technical and too abstract, to ensure the risk appetite is actionable.
- Embedding challenges: cybersecurity is a crucial area of concern as it spans processes and technology over time. "Therefore, it is difficult to design a top-of-the-house risk appetite statement that is meaningful and communicable, can be cascaded to granular levels of the institutions and can be translated into actionable business decisions." (Lanz, 2018, pp. 6-10)
Organix company risk target
Organix, as a large company with several branches, should consider a risk target that specifies the optimal levels of risk the organization desires, taking into account its risk capacity, appetite, and desired returns (Sard et al., 2010, p. 34). The company should base its risk target on efficient frontier concepts. In this case, the board should employ a value-centric approach for a given level of capital. The senior executives of Organix need to set risk objectives so that monitoring of the risk profile is easy; if the risk is outside the target, actions can readily be taken to reduce, enhance, or increase risk-taking.
While Organix is well prepared to handle risks in the physical domain, cyber risk is a new venture that the organization should prioritize. While there are sufficient data to support information security risks, the inadequacy of historical data should not keep Organix from including digital risks in the blend. The lack of historical information regarding information security, along with an insufficient understanding of information security, can significantly affect an organization's performance should a cyber-attack occur (Vacca, 2012, pp. 16-73). As a result, Organix is challenged to embrace cyber risk quantification and implement security management strategies within the organization's cyber risk appetite, or face the consequences of cyber-attacks.
Integrating Cyber risks into Organix Risk Appetite
As far as information security is concerned, reporting cyber metrics without context further keeps the business side and the information security side of the corporation apart. Gartner's study on risk posture identifies these as the most significant reporting metrics (Libicki, Ablon, and Webb, 2015, p. 115). In most cases, information security professionals may be tempted to spend time on details and produce information that does not fit the context of what is required (Johnson and Goetz, 2017, pp. 16-24). For Organix, incorporating cyber risk into the corporate risk appetite statement leads to one source of truth from which corporate managers can identify what is expected of them by others. In this spirit, the following risk appetite statement would be appropriate for the organization.
Organix Corporate Risk Appetites
Organix faces many risks in its operations, including logistics, CMO management of food and herbal products, and the healthcare supplement industry, among other areas. Be that as it may, accepting certain risks is sometimes required in order to foster the organization's efficiency and innovation in its business operations. The risks that arise from its online presence can be vital. These risks can be managed by emphasizing the significance of the confidentiality, integrity, and availability of the organization's information to the right parties.
Figure 1: Risk Appetite Framework
The organization is also exposed to significant cyber risks involving marketing, as it collaborates with a web-marketing company, which may put its information system at higher risk. Along with this, all data centres also require robust protection as far as operational risk is concerned. Organix has a low appetite for these risks, and we make available all the resources necessary to control them to an acceptable level. It is also understood that it is necessary to eliminate some of the cyber risks associated with the organization's operations. These risk appetites provide an insight into the organization's overall approach to cyber risk. Precisely, the risk appetite statement highlights the risks that must be tolerated in order to operate in the industry. Since specific risks attach to specific sectors, and since cybersecurity risks are the aspect that brings many organizations together, this cybersecurity appetite helps chief information security officers understand where information security management resources should go, on the basis of the organization's prioritization from high-level to low-level risks.
Organix also has a tolerance for risk that enables it to meet its business goals in a manner that protects its assets. Organix has a medium risk appetite for losing its business data; however, the risk appetite for the physical security of its information security assets. The organization's assets are protected; it has a moderately high risk appetite for threats to its assets that come from external malicious attacks. The information system executives operate robust internal security controls for a secure system. Organix has a high risk appetite for its access control. All access, both physical and online, to the organization's critical infrastructure is controlled through authentication. These risk appetites prioritize some risks over others. The statement offers the organization's chief executives significant insight into which risks should be prioritized for the business to operate efficiently. The cyber risks are contextualized within the general risk landscape for the business executives, including the information security management team.
Cyber risk appetite statement
Organix has to establish a tolerance for risk that allows it to achieve its business goals and objectives in a way that complies with the laws and regulations of the jurisdictions in which it operates. Organix should have either a low, medium, or high appetite for the loss or breach of its customer or business data in pursuit of its aims (Gontarek, 2016, pp. 120-129), and the same should apply to its risk appetite for physical information security assets. This will help protect information assets in accordance with the organizational data classification framework.
Conclusion
In summary, cyber-security threats will continue to increase as attackers exploit technological disruption and digitization to their advantage. Cybersecurity therefore becomes a critical aspect of every organization. To survive in the current digitized environment, Organix must have a structured security management approach to managing cyber risks. This briefing offers insight into the organization's cybersecurity appetite. It is the responsibility of the information security executive team to communicate a sense of urgency and severity and to challenge the state of information security awareness in the organization.
Reference List
Al Ayubi, S.U., Parmanto, B., Branch, R. and Ding, D., 2014. A persuasive and social mHealth application for physical activity: a usability and feasibility study. JMIR mHealth and uHealth, 2(2), p.e25.
Chiarini, A., 2017. Risk-based thinking according to ISO 9001:2015 standard and the risk sources European manufacturing SMEs intend to manage. The TQM Journal.