Should Your CISO Be Your Chief Risk Officer (CRO)?

Posted by Admin on Sep 12, 2013 3:32:00 AM

Not in our opinion. We are in Chris Buses' camp on this issue. It is true that 5-7 years ago information security dominated the risk concerns around outsourced and third-party relationships, but with the FFIEC examination handbook update in March 2008 the emphasis broadened to include many other dimensions of risk. Ultimately, that laid the groundwork for where we are today. Information security is just one small part of the vendor, or third-party, risk management equation, and vendor risk management must be successfully integrated into an enterprise's ERM program. Certainly, vendor management is a big enough and complex enough process that, when done correctly, it crosses many organizational boundaries and requires its own system and dedicated resources to run efficiently and achieve good compliance. But vendor management also has to be integrated into a good ERM framework, which is why we built VendorINSIGHT® the way we did. In banking, for example, the successful CRO has broad-ranging risk management skills that span the two primary business elements, lending and deposits, as well as other affiliate services (insurance, etc.), and often brings a big-audit perspective that is essential to maintaining integrity in the ERM framework. The CRO often has a risk orientation focused as much on narrative and good documentation of business risks, trends and residual risks as on information security. We see information security as a specialty within the risk management department led by the CRO. Perhaps in a very small community bank this role can be assumed by one individual, but we wouldn't recommend it in a bank of $1 B in assets or greater.

Topics: Chief Risk Officer, Chief Information Security Officer, vendor risk management
