Can you share any effective processes/strategies you’ve used to integrate cyber risk management and enterprise risk management at your org?
It's been different at companies I have worked in. Some have a strong dependency while some have loose coupling. ERM simply raises the flag that a Cyber risk exists, that's it. The details are in the Cyber risk register, to manage the confidentiality of key risk details, as you never know how/where it could get forwarded.
We separate the technical controls aspect of Information Security from the policy side. The policy piece lives in the Risk department and the technical controls live in IT. A regular IT security working group meets to discuss initiatives that overlap (eg a new policy that will require technical enforcement).
The Cyber risk, to be effective, must be classified by risk type and compliance. It depends on an early assessment of business versus legal compliance and presence, then accordingly matching the tools that cover every risk identified or that need to be compliant against it as a requirement, handled as a process (Assess, Build Risk register, classify as Compliance register and Security register, match the tools, implement, report).
At our organization, we've taken a structured approach to integrating Cyber Risk Management into the broader Enterprise Risk Management framework. One of the most effective strategies has been aligning cyber risk with enterprise risk taxonomy and appetite. This ensures that cyber risks are not siloed but are evaluated alongside financial, operational, and strategic risks.
We’ve embedded cyber risk into our enterprise risk register, using a common risk scoring methodology to ensure consistency in how risks are assessed and prioritized. This allows executive leadership and the board to view cyber risk in context and make informed decisions.
Another key process has been establishing cross-functional risk committees that include stakeholders from IT, security, compliance, legal, and business units. These groups meet regularly to review emerging threats, assess risk treatment plans, and ensure alignment with business objectives.
Finally, we’ve integrated cyber risk metrics into our enterprise risk dashboards, enabling real-time visibility and reporting. This has helped drive accountability and foster a risk-aware culture across the organization.

Establishing a Risk Management Board which comprises stakeholders who also sit in the ERM (Enterprise Risk Management) organization is a great start. This helps bridge the gap between Cyber / IA / IT / Business to work as a coalition to fully understand the enterprise risk appetite, not just scoped through the lens of IT but all aspects. This should start off with establishing a Charter, RASCI, Governance Board, Stakeholders, and Workflows of focus. Have monthly reviews of identified risks, with risk acceptance criteria and an application to monitor holistically. It's not the entire plan, but this in general is a working integrated process that has delivered great results pertaining to bridging the gaps between the two risk areas.