How to Harmonize Cybersecurity Risk and Enterprise Risk Management

28 July 2025 - ID G00821135 - 15 min read
By Deepti Gopal
Senior executives must all manage risks effectively, including cybersecurity risks, to ensure the organization can achieve its strategic goals. Cybersecurity leaders that align cyber-risk practices with enterprise risk management processes will enhance insight and enable better decision making.

Overview


Key Findings

  • Cyber risk is seen as the investment area with the greatest positive impact on shareholder value over the period from 2025 to 2026 by 39% of nonexecutive directors surveyed in the 2025 Gartner Board of Directors Survey.
  • Cybersecurity leaders equipped with harmonized cyber and enterprise risk insights make better decisions because they gain visibility into the interdependencies and enterprisewide impacts of risks.
  • Eighty-five percent of CEOs say cybersecurity is critical for business growth, and 45% of CEOs are not comfortable defending a cyber breach to the press, according to the 2025 Gartner CEO and Senior Business Executive Survey.

Recommendations

  • Enhance executive-level business-aligned risk management decision making by leveraging a structured approach to managing risks that is informed by a set of interconnected cybersecurity and enterprise risk processes.
  • Improve executive-level decision making by using the cyber-risk register as a source of truth and key input to help inform discussions and enterprise-level decision making by business unit leaders.
  • Improve engagement in risk management through a clearly defined responsible, accountable, supportive, consulted and informed (RASCI) chart to establish accountability and decision rights in cybersecurity and enterprise risk management at every organizational level.

Strategic Planning Assumption


By 2028, 60% of organizations will design dynamic risk appetite definitions that would lead to improved strategic alignment.

Introduction


Boards and executive teams that consider their cybersecurity governance sufficient are often surprised when incidents reveal otherwise. Executives claim to understand the importance of cybersecurity, with 85% of CEOs saying cybersecurity is critical for business growth,1 but they often fail to put cybersecurity risks into the proper context compared with other threats to the enterprise. Evidence from well-publicized breaches such as the UnitedHealth and CDK Global breaches points to a lack of governance.
Despite the integration of cybersecurity frameworks into risk management policies, significant gaps persist: only 21% of organizations engage in strategic risk management.2 Organizations must deepen their understanding of how cybersecurity risks affect their business in order to contextualize these risks properly. To demonstrate adequate governance, cybersecurity frameworks must be harmonized with the organization’s enterprise risk management (ERM) program (see Note 1).
Cybersecurity threats do not exist in isolation; they interact with various aspects of business operations, creating a multifaceted challenge for risk management. Compounding this complexity is the need to align cybersecurity investments with the organization’s risk appetite and business strategy to help ensure that organizations allocate resources effectively to mitigate the most significant risks. Without a unified approach to risk management, organizations risk inefficient resource allocation, ineffective incident management, potential penalties from regulatory bodies and difficulty maintaining stakeholder trust and support for business growth.
Improving the alignment between ERM and cyber-risk management provides a better view on business risks that are crucial for business growth and sustainability. Ignoring interdependencies between cybersecurity risks and other business risks leads to fragmented risk management practices that fail to deliver tangible value to the organization. Organizations achieve a comprehensive approach to risk mitigation by recognizing dependencies across various risk management disciplines. This approach aligns with their overall business strategy and enhances stakeholder trust.

Analysis


Harmonize Cybersecurity and Enterprise Risk Management Processes to Ensure Alignment With Business Objectives

Reconciling cybersecurity risk management (CyRM) with enterprise risk management (ERM) structures the identification, assessment and management of risks across an organization, ensuring that all risk types, including cybersecurity, are considered in decision-making processes. Effectively aligning cybersecurity with ERM gives senior executive stakeholders a better view of business risks, allowing for more effective identification, mitigation and communication of risks. This improves the transparency of risk decision making, increases the accuracy of obligatory risk reporting and, in turn, helps build and sustain trust and confidence among the organization’s stakeholders.
The alignment between ERM and cyber-risk management provides a better view on business risks that are crucial for business growth and sustainability. Ignoring interdependencies between cybersecurity risks and other business risks leads to fragmented risk management practices that will fail to deliver tangible value to the organization. It may also impact the ability of the board of directors to meet their fiduciary duties if they can’t make optimized risk decisions that best serve the organization’s interests. Organizations can facilitate efficient risk aggregation, monitoring, evaluation and treatment across all business units by adopting standardized outcomes, a dynamic risk appetite, streamlined governance and an engaged risk culture.

Steps to Lay the Foundation for Linking CyRM and ERM

The linkage between CyRM and ERM is not intuitive to most cybersecurity leaders. ERM leaders, well-versed in financial analysis, may be blinded by the technical elements of cybersecurity controls or struggle to grasp the implications of low-likelihood, high-impact risks such as major breaches. Chief information security officers (CISOs), for their part, usually began their careers as engineers and often lack formal financial training or visibility into the organization’s business operations or mission.
To build the bridge between the two communities, CISOs must first take three concrete steps to begin translating their risks into the ERM organization’s common language:
  • Clearly articulate the organization’s risk appetite, which is the amount of risk the organization is willing to take to achieve its objectives. This should be communicated across all levels of the organization to guide decision making (see How to Use Risk Appetite to Drive Balanced Growth and Risk Taking and Six Steps to Manage Cybersecurity Risk Appetite Through Protection-Level Agreements for more details).
  • Collaborate with business unit leaders and other stakeholders in the risk management process to ensure that risk appetite statements and risk management strategies are relevant and actionable for those who will implement them. Aligning risk management activities with the organization’s strategic objectives involves assessing how risks impact the achievement of these objectives and ensuring that risk considerations are included in strategic discussions.
  • Develop metrics that link risk management outcomes to business performance. Regularly report on these metrics to demonstrate how effective risk management contributes to achieving business goals, thereby fostering a culture of risk awareness and proactive management. Establish a process for regularly reviewing and updating risk management practices to adapt to changing business environments and objectives. This includes conducting periodic assessments of the risk landscape and the effectiveness of risk management strategies.
By following these structured steps, organizations can effectively align their risk management efforts with their strategic objectives, ensuring that risks are managed in a way that supports business growth and resilience (see Figure 1).
Figure 1: Business Strategy Catalyzed by Cybersecurity Investments
Cybersecurity investments align IT strategy and security measurement with business goals, enabling simplified operations, new revenue, and customer satisfaction through integration, resilience, financial optimization, and innovation.

Align Cyber and Enterprise Risk Registers to Enhance Executive Insight and Decision Making

Gathering risk information, including cybersecurity risks, from across the organization into a risk register is a crucial element of effective enterprise risk management. Effective risk management programs not only have a risk register, but also record a higher number of risks. Internal dashboards, technical security assessment reports, audit reports and incident reports are also sources for identifying risks, and they are especially useful for organizations that do not have a formal ERM program. For all parts of the organization, these risk registers, or enterprise risk registers (ERRs), provide a central place to track any potential risk (personnel, cyber, safety, etc.) that could impact the organization’s ability to achieve operational objectives, together with the information about it.
Cybersecurity leaders should use a cybersecurity risk register (CRR) as their primary tool for capturing, monitoring and managing the cybersecurity risks they handle on the organization’s behalf. The CRR also provides the critical foundation for coordinating cybersecurity risk management activities, including ensuring that accurate and timely cybersecurity risk information is shared with ERM decision makers.
The goal is to ensure that high-quality cybersecurity risk information is communicated effectively to inform enterprise-level risk management processes and decision making. Risk registers at the system and organizational levels therefore play a vital role in communicating cybersecurity risks to the enterprise. Enterprise risk officers then use this information to develop the ERR and ERP, which ultimately helps senior leadership make strategic decisions about resource allocation and overall direction. Importantly, the flow of information and guidance is bidirectional: the enterprise also provides risk direction back down to influence cybersecurity efforts at lower levels of the organization (see Figure 2).
Figure 2: Bidirectional Risk Management
Risk management is a continuous process linking policy definition, control development, operational activity and feedback. Reporting and tool interfaces support alignment with business goals and enable regular updates and improvements to risk controls.
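The CRR-to-ERR roll-up and the downward flow of risk direction described above, as an added illustration that is not part of the Gartner note: cyber risks are recorded per enterprise objective, aggregated into an enterprise-level entry against a risk appetite threshold, and breaches of appetite are returned to the CISO as treatment priorities. The risk entries, appetite values and RASCI assignments are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class CyberRisk:
    """One entry in the cybersecurity risk register (CRR)."""
    risk_id: str
    title: str
    objective: str      # enterprise objective the risk threatens
    impact: int         # 1-5, business impact agreed with the business unit
    likelihood: int     # 1-5, secondary input; impact drives prioritisation
    responsible: str    # RASCI "R": who identifies and treats the risk
    kri: str            # key risk indicator tracked in the CRR


@dataclass
class EnterpriseRisk:
    """One entry in the enterprise risk register (ERR), per objective."""
    objective: str
    score: int = 0
    appetite: int = 0
    contributing: list = field(default_factory=list)
    accountable: str = "CISO"   # RASCI "A" for cyber entries in the ERR
    exceeds_appetite: bool = False


# Constructed sample CRR entries and appetite thresholds (hypothetical values).
CRR = [
    CyberRisk("CR-01", "Unpatched payment gateway", "Revenue growth", 5, 3,
              "Payments platform owner", "Days past patch SLA"),
    CyberRisk("CR-02", "Weak MFA on partner portal", "Customer trust", 4, 4,
              "Identity team", "% partner accounts without MFA"),
    CyberRisk("CR-03", "Backup restore untested", "Operational continuity", 5, 2,
              "Infrastructure owner", "Days since last restore test"),
    CyberRisk("CR-04", "Unencrypted export to vendor", "Regulatory compliance", 4, 2,
              "Data platform owner", "Transfers sent without encryption"),
]
RISK_APPETITE = {"Revenue growth": 12, "Customer trust": 10,
                 "Operational continuity": 12, "Regulatory compliance": 6}


def risk_score(r: CyberRisk) -> int:
    return r.impact * r.likelihood


def roll_up(crr, appetite):
    """Upward flow: aggregate CRR entries into one ERR entry per objective,
    keeping the worst contributing score and comparing it with appetite."""
    err = {}
    for r in crr:
        entry = err.setdefault(
            r.objective, EnterpriseRisk(r.objective, appetite=appetite.get(r.objective, 0)))
        entry.score = max(entry.score, risk_score(r))
        entry.contributing.append(r.risk_id)
    for entry in err.values():
        entry.exceeds_appetite = entry.score > entry.appetite
    return err


def direction_to_cyber(err):
    """Downward flow: objectives whose aggregated score breaches appetite,
    ordered by the size of the breach so the CISO treats the largest first."""
    breaches = [e for e in err.values() if e.exceeds_appetite]
    return sorted(breaches, key=lambda e: e.score - e.appetite, reverse=True)


if __name__ == "__main__":
    for e in direction_to_cyber(roll_up(CRR, RISK_APPETITE)):
        print(f"{e.objective}: score {e.score} > appetite {e.appetite}; "
              f"treat {', '.join(e.contributing)} (accountable: {e.accountable})")
```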

Process Effectiveness Needs to Translate to Technology Effectiveness

ERM organizations often have technology solutions built on platforms with complex risk analysis functionality. These solutions are often purpose-built for the organization and can model risk scenarios for business outcomes. However, they are seldom built with the participation of the cybersecurity team, and they can be poorly suited to addressing cyber risks. Cybersecurity leaders often have their own cyber governance, risk and compliance (cyber GRC) solution that manages risk registers, but these are often incompatible with the ERM system.
A proactive approach to harmonizing CRRs and ERRs through a joint risk assessment allows for timely identification and remediation of risks before they escalate into significant issues, and a targeted approach enhances efficiency and effectiveness in risk management efforts. Wherever possible, require vendors to improve data sharing between your organization’s governance, risk, compliance and privacy solutions. This enables scalable data exchange and provides a comprehensive view of your risk ecosystem.
Using ERRs alone to define key performance, risk and control indicators provides only part of the picture, despite their effectiveness in hitting performance goals and managing risks. To get a full view, cybersecurity leaders should work with ERM leaders to develop a solid lineup of key performance indicators (KPIs), key risk indicators (KRIs) and key control indicators (KCIs) that align with strategic goals and key business processes; these KCIs should be extended to the cyber-risk mitigation strategy. It is useful to create a visual map showing how these indicators align with specific initiatives, processes, risks and controls, making it easier to see how everything connects and affects one another (see Figure 3 for some examples).
Figure 3: Examples of KRIs and Their Corresponding KPIs and KCIs
Key risk indicators, key performance indicators and key control indicators work together to help organizations monitor, measure and improve areas like incident response, compliance, data protection and operational continuity.

Set Up Adequate Governance and Accountability

Focusing solely on the likelihood of a risk can lead cybersecurity leaders to chase the intangible for several reasons:
  • Uncertainty and complexity: Threat landscapes change rapidly and attackers are unpredictable, so accurately assigning probabilities to specific risks is extremely difficult.
  • Data limitations: There’s often insufficient or unreliable data to make precise likelihood estimates, especially for rare or novel threats.
  • False sense of precision: Quantifying likelihoods can give a misleading sense of accuracy, leading to overconfidence in risk assessments.
Instead, a balanced approach that emphasizes impact, preparedness and organizational resilience provides a more practical and effective path to managing uncertainty. To effectively manage risks, it is essential to thoroughly understand the business impact of any decision, as this context allows for more effective risk assessment. This is a key reason why aligning cyber-risk management with overall enterprise risk efforts is so important. By harmonizing these approaches, organizations can ensure that all risks are evaluated and addressed within the broader business context.
The board’s role is to provide oversight and ask critical questions, not to manage the day-to-day operations of the business. Conversely, governance responsibilities cannot simply be handed off to management. An enterprisewide approach that views cybersecurity as a systemic risk is essential for effective governance. Ensuring that cybersecurity risks are considered within the bigger picture of all organizational risks means dealing with different stakeholder expectations and teams: the cybersecurity team understands the technical risks, while the enterprise risk management people look at the broader strategic and financial risks.
A RASCI chart can help clarify:
  • Who is responsible for identifying specific cybersecurity risks that need to be integrated into the ERM process and included in business unit risk registers where relevant. Is it the system owners or the cybersecurity team?
  • Who is accountable for ensuring that those risks are communicated to the ERM team and integrated into the ERR. Maybe it’s the CISO or a designated risk manager.
  • Who supports the cybersecurity risk management process and its alignment to ERM to ensure effective decision making, but does not have formal responsibilities in that process. This could include administrative staff or corporate governance team members responsible for producing meeting packs for the senior executive.
  • Who is consulted during this process. Maybe legal teams for regulatory implications, or different business units that might be affected and that also need cyber risks pertinent to their operations to be captured and managed effectively.
  • Who is informed about the key cybersecurity risks that are being tracked at the enterprise level. Possibly senior executives or the board of directors.
The RASCI chart is a simple but powerful tool that clarifies roles when connecting cybersecurity risks to overall ERM efforts. It helps avoid confusion, promotes accountability, and ultimately supports better risk management across the board. Download the following RASCI workbook and refer to the tab RASCI Matrix — Example as a possible division of authorities.

Evidence


NIST Cybersecurity Framework (CSF) 2.0, National Institute of Standards and Technology (NIST).
2025 Gartner Board of Directors Survey. This survey was conducted to understand how C-suite executives can work more effectively with the board of directors (the nonexecutive director board) and provide appropriate information to the board with confidence in their ability to deliver on the enterprise strategy in the near term and in the future. The survey also focused heavily on current issues of the day for boards that are either caused by technology or are mitigated by technology. The survey was conducted online from June through August 2024 among 328 respondents from North America (n = 169), Latin America (n = 12), Europe (n = 77) and Asia/Pacific (n = 70). Respondents came from organizations with $50 million or more in annual revenue in industries except governments, nonprofits, charities and nongovernmental organizations (NGOs). Respondents were required to be nonexecutive members of corporate boards of directors. Disclaimer: Results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
1 2025 Gartner CEO and Senior Business Executive Survey. This survey was conducted to examine CEO and senior business executive views on current business issues, as well as some areas of technology agenda impact. The survey was conducted from June 2024 through November 2024, with questions about the period from 2024 through 2026. One-quarter of the survey sample was collected from June through July 2024, and three-quarters was collected from October through November 2024. In total, 456 actively employed CEOs and other senior executive business leaders qualified and participated. The research was collected via 421 online surveys and 35 telephone interviews. The sample mix by role was CEOs (n = 303); CFOs (n = 95); COOs or other C-level executives (n = 39); and chairs, presidents or board directors (n = 19). The sample mix by location was North America (n = 194), Europe (n = 118), Asia/Pacific (n = 91), Latin America (n = 35), the Middle East (n = 15) and South Africa (n = 2). The sample mix by size was $50 million to less than $250 million (n = 32), $250 million to less than $1 billion (n = 122), $1 billion to less than $10 billion (n = 200) and $10 billion or more (n = 102). Disclaimer: Results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
2 2024 Gartner Role of Risk Management in Improving Decision Survey. This study was conducted to identify how risk management can improve organizations’ decision-making, including decision quality, decision speed and overall business success. It also sought to provide risk management leaders with a focus and orientation for their services. The research was conducted online from June through August 2024 among 300 respondents from organizations in North America (n = 167), EMEA (n = 80) and Asia/Pacific (n = 53). Quotas were established for company sizes and for industries (excluding government, education, and nonprofit organizations) to ensure a good representation across the sample. Organizations needed to have $100 million or more in total annual revenue for fiscal year 2023. Respondents were required to be executive leaders within three layers of the most senior executive (e.g., CEO) and not primarily from risk management functions (e.g., Enterprise Risk Management, Audit, Legal, Compliance or Information Security). They were required to be responsible or accountable for at least one major business initiative (e.g., acquisition or new product launch) and needed to receive support from the risk management function for that initiative. Disclaimer: The results of this study do not represent global findings or the market as a whole but reflect the sentiments of the respondents and companies surveyed.

Note 1: A Definition of ERM


Enterprise risk management (ERM) is a comprehensive framework that integrates risk management practices across an organization to align with its strategic objectives and business goals. ERM encompasses the identification, assessment, mitigation and monitoring of risks, ensuring that they are managed in a holistic and coordinated manner. The integration of cyber governance, risk and compliance (cyber GRC) into ERM is essential for managing cyber risks effectively and ensuring regulatory compliance within the digital landscape.