Can you share any effective processes/strategies you’ve used to integrate cyber risk management and enterprise risk management at your org?

Information Security Leader, 7 hours ago

At our organization, we've taken a structured approach to integrating Cyber Risk Management into the broader Enterprise Risk Management framework. One of the most effective strategies has been aligning cyber risk with enterprise risk taxonomy and appetite. This ensures that cyber risks are not siloed but are evaluated alongside financial, operational, and strategic risks.
We’ve embedded cyber risk into our enterprise risk register, using a common risk scoring methodology to ensure consistency in how risks are assessed and prioritized. This allows executive leadership and the board to view cyber risk in context and make informed decisions.
Another key process has been establishing cross-functional risk committees that include stakeholders from IT, security, compliance, legal, and business units. These groups meet regularly to review emerging threats, assess risk treatment plans, and ensure alignment with business objectives.
Finally, we’ve integrated cyber risk metrics into our enterprise risk dashboards, enabling real-time visibility and reporting. This has helped drive accountability and foster a risk-aware culture across the organization.

Director of Information Security in Banking, 9 months ago

I suppose it depends on the organisation and the industry. Based on my experience, highly regulated organisations such as financial institutions are led by Enterprise Risk Management, and it is usually challenging to integrate cyber risk management into the "old school" ERM. Having a separate risk register, governance committees and control testing program for tech/cyber is one option while adhering to ERM principles.

Sr. Director, Internal Audit & Enterprise Risk in Software, 9 months ago

We implemented a Risk Management Operating Committee that meets on a regular cadence. It has representation from ERM, IT, Cyber and Legal. This is where we discuss cross-functional risks/issues as well as cover any emerging risks that we should be aware of.

Director of Systems Operations in Healthcare and Biotech, a year ago

Integrating cyber risk management and enterprise risk management into the onboarding process is key. Old school security by design. If it's part of your onboarding / intake etc., this will help adoption and understanding. Risk and security shouldn't be the function of one team; it should be a collaborative effort which everyone within the organization practices.

Director of Information Security in Finance (non-banking), a year ago

Ahoi!
Many enterprises implement "business led IT", which means that the organizational owner of a business process (B-1) is accountable for all facilities that directly support this process.
In detail, that makes risk management part of this accountability as well.
It is obvious that we need to look at operational risk to get the link to cyber risk management and IT Security.
First of all, we need to collect the whole set of required parameters (C, I and A) to inherit them top down to the infrastructure, from the application to servers, components and internal and external dependencies.
Bottom up, we defined a set of Key Risk Indicators, derived from operational parameters on the CIs that work for a certain business process:
* Vulnerabilities
* Incidents
* Defects during testing of self-developed software
* Descoped features during development
All of these form a KRI, and the Risk Committee decided on the thresholds:
* 0 to 50: the business owner can decide on his/her own
* 51 to 75: the business owner has to plan measures to get back to 50 or below and get that decided by his/her responsible Board Member
* 76 and more: the case has to be presented to the Risk Committee
Besides that, the personal goals of a business owner may include the value of the KRIs, which affects the bonus.
The effect was slow, but Cyber Security requirements were constantly included in the PI planning of IT development, and the patching and upgrading of systems became easier to achieve.
Prior to that, lifecycle management tasks that led to redevelopment of software were repeatedly down-prioritized and not finished on time.
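One way to model the top-down CIA inheritance and bottom-up KRI roll-up with the three thresholds described in this answer, as an added example that is not part of the answer or anything the author's organization runs. The KRI weights, the 0..3 CIA scale and the "worst supporting CI wins" roll-up are assumptions; only the four KRIs and the 0-50 / 51-75 / 76+ bands come from the post.

```python
from dataclasses import dataclass, field

# Assumed weights, not from the post: the post names the KRIs but gives no formula.
# A CI's score is its weighted raw counts, capped at 100.
KRI_WEIGHTS = {"vulnerabilities": 5, "incidents": 15, "test_defects": 2, "descoped_features": 10}

@dataclass
class CI:
    name: str                                       # application, server, component or vendor
    depends_on: list = field(default_factory=list)  # CIs beneath this one
    kri: dict = field(default_factory=dict)         # raw KRI counts observed on this CI
    cia: tuple = (0, 0, 0)                          # inherited (C, I, A) requirement, 0..3

def walk(root):
    """Yield root and every CI beneath it once, even if reached by several paths."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node.name not in seen:
            seen.add(node.name)
            yield node
            stack.extend(node.depends_on)

def inherit_cia(process_root, cia):
    """Top-down: push the process's (C, I, A) needs to all CIs under it, keeping
    the higher value where a CI already serves a more demanding process."""
    for node in walk(process_root):
        node.cia = tuple(max(a, b) for a, b in zip(node.cia, cia))

def ci_score(ci):
    return min(sum(KRI_WEIGHTS[k] * ci.kri.get(k, 0) for k in KRI_WEIGHTS), 100)

def process_score(process_root):
    """Bottom-up: the process carries the worst score among the CIs supporting it."""
    return max(ci_score(node) for node in walk(process_root))

def escalation_tier(score):
    """The three bands the post describes: 0-50, 51-75, 76 and more."""
    if score <= 50:
        return "business owner decides"
    if score <= 75:
        return "owner plans measures back to <=50; responsible Board Member decides"
    return "present to Risk Committee"

# Constructed sample: two business processes share one database server.
db = CI("db-server", kri={"vulnerabilities": 3, "incidents": 3})
payments = CI("payments-app", depends_on=[db], kri={"descoped_features": 2, "test_defects": 4})
reporting = CI("reporting-app", depends_on=[db], kri={"vulnerabilities": 1})
inherit_cia(payments, (3, 3, 2))   # payments needs high C and I
inherit_cia(reporting, (1, 2, 1))  # less demanding; db keeps (3, 3, 2)
```

Running `process_score(payments)` on the sample yields 60, so the shared database server alone pushes the payments process into the 51-75 band even though the application's own KRIs score only 28.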
