
There is a version of this story that plays out in large organisations with depressing regularity. Cyber risk is incorporated into the enterprise risk framework. A taxonomy is agreed. Residual risk ratings are assigned. The CISO presents regularly at the relevant committee and those involved feel that governance is functioning as intended.
Then something goes wrong. Not necessarily a catastrophic breach – sometimes it’s a near-miss, a regulator’s angry letter, or an incident at a peer that prompts an uncomfortable internal review.
And in the aftermath, a familiar question surfaces: how did this not register more clearly?
The honest answer, in most cases, is that it did register – just not in a way the organisation was structured to act on.
The appeal of operational risk
Placing cyber security within an operational risk framework has an obvious institutional logic. OpRisk governance is mature, understood by regulators, embedded in capital models, and provides a common language across the enterprise. For organisations that have spent years building risk taxonomies and committee structures, it appears to offer cyber a ready-made home.
There is also something reassuring about it. Cyber risk, translated into operational risk language, becomes legible to finance committees and audit functions. It gets a likelihood rating, an impact score, a risk owner. It sits alongside conduct risk, fraud, and third-party risk in the same register. For anyone seeking to demonstrate that cyber is being managed with appropriate rigour, this feels like progress.
The problem is not the framework itself. The problem is what the framework was designed to do – and what it wasn’t.
Three assumptions that don’t survive contact with cyber risk
Operational risk frameworks are built on certain foundational assumptions. They assume that risk can be usefully bounded into discrete events. They assume that historical loss data, even if imperfect, provides some signal about future exposure. And they assume, implicitly, that the primary driver of risk is internal failure – be it human error, process breakdown or system malfunction.
Cyber risk breaks all three assumptions in ways that matter.
Cyber threats are adversarial. There is a motivated, adaptive, externally driven actor on the other side of the exposure – sometimes a criminal enterprise, sometimes a nation-state, sometimes an opportunist. That actor observes your defences, learns from failed attempts, and evolves. No equivalent dynamic exists in most operational risk categories. Fraud comes closest, but even there the systemic, coordinated nature of advanced persistent threats is of a different order.
Cyber threats are also deeply interconnected across the enterprise. A compromised identity, a misconfigured cloud environment, a vulnerable third-party integration – the blast radius of a cyber event does not respect the organisational boundaries that operational risk registers tend to reflect. A single incident can simultaneously affect operational continuity, regulatory standing, data privacy obligations, reputational integrity, and financial exposure. Aggregated into an OpRisk category and RAG-rated (red/amber/green) accordingly, that complexity tends to flatten into something more manageable-looking than it actually is.
And the measurement problem is persistent. The likelihood × impact models that underpin most risk quantification work reasonably well when there is a body of loss event data to draw on. For cyber, particularly in the tail – the events that genuinely threaten enterprise resilience – the data is sparse, the distributions are non-normal, and the most consequential scenarios are precisely those that have not happened before.
The governance problem underneath
These are not merely technical observations about risk methodology. They have direct governance consequences. When cyber risk is fully absorbed into an operational risk framework, a subtle but significant shift in organisational positioning tends to follow. The CISO, however senior, can begin to function as a technical subject matter expert feeding into a risk process owned by someone else. The framing of cyber risk – what gets escalated, how it is described, what threshold triggers a board discussion – gets determined by the operational risk architecture rather than by the nature of the threat.
This is not a criticism of any individual or function. It is a structural outcome. Committees have bandwidth and appetite. Operational risk reports have formats. Cyber risk, if it is to be taken seriously as a strategic concern, has to compete for attention within a framework that was designed before the current threat environment existed and that continues to evolve more slowly than the threats it is meant to capture.
What this means in practice
CISOs who understand enterprise risk governance – not just as a compliance landscape but as an organisational power structure – are in a better position to navigate this. The goal is not to declare cyber exceptional and demand a separate governance track for everything. That battle is rarely worth fighting and often counterproductive. Most boards and group risk functions are not going to reorganise their committee architecture because a CISO makes a principled argument about the adversarial nature of cyber risk.
What is achievable is more targeted. It means understanding where in the governance structure consequential decisions about cyber risk actually get made – and ensuring cyber risk is visible and legible in that space, not just technically accurate in a register. It means building relationships with the CRO, the CFO, and the audit function that go beyond formal reporting. It means knowing which scenarios, framed in which terms, will land differently than a risk rating.
It also means being honest about what the framework can and cannot do. Operational risk governance provides essential discipline. It creates accountability, documentation, and a shared vocabulary. But it was not designed to surface the kind of strategic, adaptive, cross-domain risk that cyber represents at its most serious.
The organisations that handle this well tend not to have fought for a parallel governance structure. They have found ways to ensure that when cyber risk genuinely warrants board-level attention, the path to that conversation is clear – and that the framing, when it arrives, reflects the actual nature of the threat rather than the closest available category in a taxonomy written for a different era.
The framework is not the enemy. But it is not neutral either.
About the Author
This post is Part 1 of Jim Roberts’s three‑blog series. With decades of senior experience — including serving as Global Head of Cyber at Standard Chartered Bank and Prudential — Jim has seen first‑hand how well‑intentioned governance structures can mask deeper organisational weaknesses. Now, as Founder of Whitecliff Advisory, he works with boards and executive teams to uncover these hidden dynamics and strengthen real‑world cyber resilience.