Cyber risk management in SMEs: insights from industry surveys

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Felicitas Hoppe ◽  
Nadine Gatzert ◽  
Petra Gruner

Purpose This article aims to gain insights on the current state of small- and medium-sized enterprises’ (SMEs’) cyber risk management process and to derive future research directions. Design/methodology/approach This is done by collecting market insights from 37 recent industry surveys and structuring them based on the steps of the risk management process. From this analysis, major challenges are derived and future fields of research identified. Findings The results indicate that deficiencies in risk culture as well as the strained market for IT experts are the major obstacles with respect to the implementation of cyber risk management in SMEs, and that these challenges are similar across countries. The findings suggest that especially the relationship between cyber security culture and cyber risk management should be investigated further, and that a stronger link between the research streams on enterprise risk management and cyber risk management would be desirable. Originality/value This paper contributes to the literature by providing a systematic overview on the current state of SMEs' cyber risk management from a market perspective. The findings provide support for the existing academic literature by emphasizing the central role of cyber security culture (perception, knowledge, attitude) for a successful cyber risk management, which however should be addressed in more depth in future (empirical) research.

2017 ◽  
Vol 17 (1) ◽  
pp. 68-89 ◽  
Author(s):  
Jennifer Firmenich

Purpose The purpose of this paper is to emphasise the need for efficient and effective project risk management practices and to support project managers in increasing the cost certainty of projects by proposing a new framework for project risk management. Design/methodology/approach The author adopts a “constructivist” methodology, drawing on practices common in construction management sciences and new institutional economics. Findings The author presents a holistic and customisable project risk management framework that is grounded in both practice and academia. The framework is holistic because, amongst others, all steps of the typical risk management process are addressed. The framework is customisable because it allows for alternative ways of implementing the project risk management steps depending on the project-specific circumstances. Research limitations/implications The framework does not address the potential unwillingness of the project players to set up a project risk management process at all. The proposed framework has not yet been tested empirically. Future research will seek to validate the framework. Originality/value The framework is designed to account for the difficult circumstances of a complex construction project. It is intended to support decision makers in customising a practical yet comprehensive project risk management concept to the characteristics of the unique project. Although many other project risk management concepts are designed based on the assumption that actors are perfectly rational and informed, this framework’s design is based on the opposite assumption. The framework is dynamic and should adapt over time.


2017 ◽  
Vol 14 (1) ◽  
pp. 69-90 ◽  
Author(s):  
Surya Prakash ◽  
Gunjan Soni ◽  
Ajay Pal Singh Rathore

Purpose The research on supply chain risk management (SCRM) is visibly on the rise, although its literature still lacks the state of the art that critically analyzes its content. The SCRM literature seems to require studies that utilize risk typology, sources of risk, etc. for reviewing the topic. The purpose of this paper is to bridge the gap by synthesizing the information obtained from 343 articles across 85 journals. This study also presents a critical analysis of the content of SCRM in a structured manner to identify the directions for future research. Design/methodology/approach A systematic literature review (SLR) was devised and adopted, which involved the selection, classification, and evaluation of 343 research articles published over a period of 11 years (2004-2014). The content of extant SCRM literature was critically analyzed and synthesized from the perspective of the risk management process (RMP). Findings The analysis of extant literature shows that there is a marked rise in research in the SCRM area, especially after the year 2005. It was observed that not only risk but also different forms of uncertainties make supply chain (SC) operations difficult to manage. The SCRM actions yielded most benefits when their implementation was at chain or network level and managed strategically. The analysis also reveals that the manufacturing sector is most affected by risks and highly investigated by researchers. Practical implications A complete process for SCRM based on risk stratification, objectives of risk management, and RMP will be a guiding model for firms to manage risks. The research gaps identified and future directions provided here will encourage researchers and managers to devise new methods, tools, and techniques to address the risks in modern SC operations. Originality/value An SLR and risk-based content classification of SCRM literature were performed. To identify, locate, select, and analyze the SCRM literature, a structured and systematic process was adopted with some very rarely used methods such as two levels of search keywords, and strings were formulated to locate the most relevant articles in major academic databases.


2020 ◽  
Vol 13 (11) ◽  
pp. 281
Author(s):  
Sorin Gabriel Anton ◽  
Anca Elena Afloarei Nucu

The Enterprise Risk Management (ERM) process has heterogeneously developed across the world, although it represents a leading paradigm, supporting organizations to identify, evaluate, and manage risks at the enterprise level. Academics have studied the process, but there is no complete picture of the determinants and implications of such an integrated risk management process. Therefore, we present a systematic empirical literature review on ERM, based on a research protocol. The review highlights that the ERM literature can be divided into four general lines of research: the ERM adoption, the determinants of the ERM implementation, the effects of ERM adoption, and other aspects. In contrast to the richness of studies devoted to ERM engagement in small and medium-sized enterprises (SMEs), studies exploring ERM adoption in banks or insurance are relatively few. The literature review has revealed that the most frequently investigated effect of ERM is on firm performance. Little effort has been dedicated to the analysis of the effectiveness of ERM by its components and to institutional, individual, and organizational factors that affect ERM adoption. The study can serve as a starting point for scholars to explore research gaps related to ERM, while the practitioners can rely on the presented findings to identify the effects of the ERM implementation.


2018 ◽  
Vol 19 (2) ◽  
pp. 137-153 ◽  
Author(s):  
Michael McShane

Purpose This paper aims to investigate the evolution of enterprise risk management (ERM) out of fragmented disciplinary perspectives to provide a foundation for promoting interdisciplinary research and proposes a design science approach for more effective ERM implementation in organizations. Design/methodology/approach This conceptual paper synthesizes ERM research and practice from multiple disciplines. Findings Corporate risk management concepts were born in academic finance and developed further in the finance subset known as risk management and insurance. With the advent of ERM, efforts must broaden beyond applying statistical models to quantifiable risks. Other disciplines have expanded ERM research by embracing techniques to investigate risk management practices to produce knowledge that integrates practice and theory. ERM is promoted as integrated risk management, yet silos still remain in both practice and research. Originality/value This study provides a foundation and a proposal for moving ERM past academic and organizational silos, which is necessary to achieve the ERM philosophy and increase organizational resilience. Understanding the evolution and fragmented nature of ERM research and practice provides a foundation for interdisciplinary cooperation necessary to achieve the holistic ERM philosophy. A next frontier is effective ERM implementation. This paper argues for an organizational design science approach for mitigating the resistance to change that confounds effective implementation of ERM in organizations facing an increasingly uncertain environment and outlines future research for applying the approach to implementing the ISO 31000 risk management process.


2019 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Filip Caron

Purpose The purpose of this paper is to highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence. Design/methodology/approach The paper starts with an identification of the applicable cyber-testing techniques and evaluates their applicability to generally accepted assurance schemes and cyber-security guidelines. Findings Cyber-testing techniques provide insight into the effectiveness of the actual implementation of cyber-security controls, which may significantly deviate from the conceptual designs of these controls. Furthermore, cyber-testing techniques could provide concise input for cyber-risk management and improvement recommendations. Originality/value The presented cyber-testing techniques could complement traditional process-oriented assurance techniques with specialized technical analyses of real-world implementations that focus on the adversaries’ viewpoint.


2019 ◽  
Vol 25 (2) ◽  
pp. 223-240 ◽  
Author(s):  
Abhijeet Ghadge ◽  
Maximilian Weiß ◽  
Nigel D. Caldwell ◽  
Richard Wilding

Purpose In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in supply chain contexts. Design/methodology/approach Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis, were established using data mining techniques to conduct a comprehensive, replicable and transparent review. Findings The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between information technology, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention because of a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience. Research limitations/implications Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience. Practical implications A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions. Originality/value To the best of the authors’ knowledge, this is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.


ASCEND 2020 ◽  
2020 ◽  
Author(s):  
Jeremy L. Pecharich ◽  
Kendra Cook ◽  
Wesley Walker ◽  
Michel D. Ingham ◽  
Kymie Tan ◽  
...  

2016 ◽  
Vol 17 (1) ◽  
pp. 26-45 ◽  
Author(s):  
Nadine Gatzert ◽  
Joan Schmit

Purpose – The purpose of this paper is to present a coherent and effective enterprise risk management (ERM) framework that includes necessary steps and processes for integrating reputation risk management into an organization’s overall ERM approach, which is intended to support corporate strategic success. In particular, reputation creation, enhancement, and protection are critical to an organization’s success, yet highly challenging given the wide-ranging and somewhat opaque nature of the concept. These qualities call for a strong ERM approach to reputation that is holistic and integrative, yet existing knowledge of how to do so is limited. Design/methodology/approach – The paper evaluates and synthesizes existing reputation literature in developing an enterprise-wide reputation risk management framework incorporating necessary steps, processes, and considerations. We address risk strategy, risk assessment, risk governance, and risk culture as key elements of ERM and conclude with suggestions for future research. Findings – The results suggest several important ideas which are of great relevance when integrating reputation risk management into an ERM framework. Among these are the importance of identifying and understanding the purpose of key stakeholders, appreciating the multidimensional and layered effect of events on organizational reputation, and monitoring the influence of technological advances. Originality/value – The authors contribute to the literature by developing a framework for enterprise-wide reputation risk management that applies across industries. In contrast to previous work, the authors offer a broader perspective on the underlying causes and consequences of reputation damage based on empirical evidence and insight from the academic literature and provide additional detail in identification of reputation determinants, antecedents, and drivers. While much of this information exists in various places in the literature, it has not been organized into a cohesive framework nor used in developing an ERM strategy.


Safety ◽  
2020 ◽  
Vol 7 (1) ◽  
pp. 1
Author(s):  
Garry Marling ◽  
Tim Horberry ◽  
Jill Harris

Ineffective and inefficient workforce involvement can negatively impact risk management practice for work health and safety (WHS) issues. Often the risk management process is undertaken by a single person, or by teams without a facilitator and without regard to the participants’ levels of competency in the risk management process. This study aimed to develop a tool to assess the competence of individuals in different elements of the risk management process and then review its reliability. This tool, termed the RISKometric, incorporated a 360° performance review method whereby peers, upline and downline colleagues, and the individuals themselves gave competence ratings. The RISKometric was tested using 26 participants. Results showed that a significant positive relationship existed between the feedback given by peers and downline colleagues. Initial results gained from using the tool suggest it is able to discriminate the competence of participants, in each of the elements of risk management, through the opinions of self and others. In future research, we test two assumptions through a further two studies. Firstly, that individuals’ RISKometric results are comparable with their performance in a risk scenario exercise, thus providing validity for the tool. Secondly, that a collectively-optimised team (formed using the RISKometric) can perform a risk assessment exercise better than marginally- or sub-optimised teams.


2015 ◽  
Vol 24 (3) ◽  
pp. 383-396 ◽  
Author(s):  
Erik Stig Persson ◽  
Lars Nyberg ◽  
Inge Svedung

Purpose – The purpose of this paper is to explore how local early warning systems (EWSs) for floods are established at the municipality level in Sweden. The study also aims to analyse the role of EWSs in a risk management context. The overall purpose of this study is to elucidate how and to what extent the adoption of local EWSs can generate value-added benefits throughout the wider risk management process. Design/methodology/approach – Semi-structured interviews have been conducted with supervisors at each municipality in order to depict how local EWSs are established at the municipality level in Sweden. The interviews went through a content analysis with respect to theory on EWSs and theory on the risk management process. Findings – The possible effects of an EWS are not only reduced flood losses but also potential spinoff effects. The possibility of spinoff effects from the system, but also its mitigating effectiveness in case of a flood, is largely dependent on the well-being of the organisation and its risk management processes. Originality/value – This study widens the understanding of the value of an EWS and shows that the organisational culture and the state of the risk management system influence the availability of such value. Identifying the potential added value from EWSs is important from a more general disaster risk reduction perspective, as it helps to further motivate implementation of proactive risk management measures. This knowledge can be of help to others who investigate the possibilities of investing in EWSs.

