
What CFOs can do to close the cyber-ERM integration gap


The following is a guest post from Kelley Pruetz, principal research lead, and Kristen Senz, writer, at APQC. Opinions are the authors’ own.

Preventing a data breach requires much more than strong cybersecurity defenses. Yet, in many organizations, cyber risk still sits outside enterprise risk management, limiting visibility into emerging threats and slowing decisions that could reduce exposure before an incident occurs.

That separation persists even as cyber risk is widely understood to be a multifaceted threat with serious financial implications. Based on global data from 5,000 companies, new research by the American Productivity & Quality Center shows that only 41% of organizations have achieved any meaningful integration between cybersecurity and enterprise risk management. Just 23% apply unified risk management structures to suppliers and partners, despite the growing role of third parties in major breaches. Few organizations consistently frame cyber risk reduction in financial terms that support enterprise-level decision making. The data is clear: Awareness is high, but alignment is low.

Organizations that connect cybersecurity with ERM gain a more complete view of risk, enabling earlier detection, more coordinated response and faster recovery. Integration shifts cyber risk management from a defensive function to a shared enterprise responsibility, anchored in governance, embedded in business processes and reinforced through collaboration across the C-suite.

The challenge for finance leaders

Finance leaders play a central role in how enterprise risk management functions in practice. ERM is meant to give organizations a common language for weighing risk, allocating resources and making tradeoffs amid uncertainty. When cyber risk sits outside that framework, finance loses visibility into exposure and coordination suffers.

Stronger cyber-ERM integration is associated with coordinated governance, shared measurement and the embedding of cyber risk into business processes and decision routines. Finance leaders are uniquely positioned to influence those conditions through the roles they already play in governance, measurement and enterprise decision-making.

Here are four practical levers finance leaders can use to foster a more unified approach to risk management:

1. Bring cyber risk into enterprise-level conversations

One of the most effective ways finance leaders can encourage better integration is through governance. In many organizations, cybersecurity is still reviewed in separate forums, disconnected from the ERM structures that shape enterprise priorities. Organizations with stronger integration are far more likely to review cyber risk through standing ERM governance, including risk councils and board-level reporting. That visibility matters. What shows up consistently in enterprise forums gets attention, resources and follow-through.

Finance leaders often sit at the center of these governance structures. By ensuring cyber risk is discussed alongside financial, operational and strategic risks, they normalize it as an enterprise issue, not a technical update.

2. Insist on financial framing that supports leadership decisions

Another critical lever is how cyber risk is measured and communicated. Few organizations consistently express cyber risk reduction in financial terms, even though cyber incidents are widely understood to have financial consequences. Without that translation, cybersecurity investments compete poorly against other priorities.

Finance leaders are uniquely positioned to change this dynamic. By asking how a specific control reduces exposure, limits downtime or protects revenue, they can help translate cyber risk into the terms ERM already uses. The goal here is not precision. Even directional estimates help leaders compare options and align investments with risk appetite.
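A worked illustration of that financial framing, added here as an example and not part of the authors' article or APQC's research: it simulates annual loss for a baseline scenario and for the same scenario with a hypothetical control in place, then reports expected annual loss, the probability of exceeding an assumed risk appetite, and the net annual benefit once the control's cost is subtracted. Every figure in it (event rate, median loss per event, spread, the control's assumed effect and cost, the risk appetite threshold) is an assumption chosen for illustration, not data from the page.

```python
import math
import random

# Constructed scenario (assumption, not from the APQC research): an outage of an
# order-to-cash system. Loss per event is modelled as lognormal with the given
# median; "spread" is the lognormal sigma; events per year follow a Poisson rate.
BASELINE = {"events_per_year": 0.6, "median_loss": 250_000.0, "spread": 1.0}

# Hypothetical control (assumption): tested offline backups plus segmented access,
# taken to halve event likelihood and cut the median loss by 60 percent.
CONTROL = {"events_per_year": 0.3, "median_loss": 100_000.0, "spread": 1.0,
           "annual_cost": 120_000.0}

# Assumed risk appetite: the annual loss the organization is unwilling to exceed.
RISK_APPETITE = 1_000_000.0


def sample_poisson(rng, rate):
    """Knuth's algorithm; adequate for the small annual event rates used here."""
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenario, trials=20_000, seed=1):
    """Return one simulated total loss per year for `trials` years."""
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    mu = math.log(scenario["median_loss"])
    losses = []
    for _ in range(trials):
        events = sample_poisson(rng, scenario["events_per_year"])
        losses.append(sum(rng.lognormvariate(mu, scenario["spread"])
                          for _ in range(events)))
    return losses


def analytic_expected_loss(scenario):
    """Closed-form annual expected loss: event rate times the lognormal mean."""
    return (scenario["events_per_year"] * scenario["median_loss"]
            * math.exp(scenario["spread"] ** 2 / 2))


def summarize(losses, appetite):
    """Expected loss, probability of breaching appetite, and the 95th percentile."""
    n = len(losses)
    ordered = sorted(losses)
    return {
        "expected_loss": sum(losses) / n,
        "p_exceed_appetite": sum(1 for x in losses if x > appetite) / n,
        "p95_loss": ordered[int(0.95 * n) - 1],
    }


def compare_control(baseline, control, appetite, trials=20_000, seed=1):
    """Express the control's effect in terms a CFO can weigh against its cost."""
    before = summarize(simulate_annual_losses(baseline, trials, seed), appetite)
    after = summarize(simulate_annual_losses(control, trials, seed), appetite)
    reduction = before["expected_loss"] - after["expected_loss"]
    return {
        "before": before,
        "after": after,
        "expected_loss_reduction": reduction,
        "net_annual_benefit": reduction - control["annual_cost"],
    }


if __name__ == "__main__":
    result = compare_control(BASELINE, CONTROL, RISK_APPETITE)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:>6}: expected loss {s['expected_loss']:>12,.0f}  "
              f"P(loss > appetite) {s['p_exceed_appetite']:.1%}  "
              f"95th pct {s['p95_loss']:>12,.0f}")
    print(f"expected loss reduction {result['expected_loss_reduction']:,.0f}  "
          f"net annual benefit after control cost {result['net_annual_benefit']:,.0f}")
```

The output is directional, which is the point the text makes: the numbers let a finance leader compare the control against other uses of the same budget and against the stated risk appetite, without pretending the inputs are known to the dollar. The analytic expected loss is included so the simulated mean can be sanity-checked against it.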

3. Connect cyber risk to business processes

Organizations with stronger cyber-ERM integration embed controls and monitoring directly into business processes, with security teams partnering with end-to-end process owners to address critical handoffs. This more decentralized approach reflects where cyber risk most often emerges: not within individual systems, but in the cracks where data moves and access widens, across teams and third parties.

Finance leaders can help make this integration stick by reinforcing process ownership through ERM. Many of the organization’s highest-risk processes run through finance, procurement and shared services. By pushing risk discussions closer to those workflows, CFOs help ensure cyber exposure is addressed where decisions are made and work is executed. ERM becomes less about static risk registers and more about the daily work of managing risk.

4. Extend ERM thinking to the broader ecosystem

Finance leaders can also help broaden the scope of ERM by pushing for more consistent oversight of high-impact vendors and partners. This does not mean treating every supplier the same, but instead applying ERM principles — clear accountability, shared standards and ongoing monitoring — where exposure is greatest.

When third-party risk is managed through ERM rather than one-time assessments, organizations gain earlier visibility into emerging issues and more leverage to act. Integration at the ecosystem level strengthens resilience without expanding bureaucracy.

Resilient by design

An organization’s ability to withstand a cyber incident is shaped well before any system alarms get triggered. Preparedness depends on whether risks are visible early, understood in context and governed in ways that support coordinated action across the enterprise. When cybersecurity operates in isolation, those conditions are harder to achieve.

Preparedness improves as cyber risk is more fully integrated into ERM. Governance routines surface issues sooner. Process-level integration clarifies accountability. Common measurement helps leaders more meaningfully evaluate tradeoffs. ERM provides the structure that connects these elements, without replacing the technical rigor required to manage cyber risk day to day.

For finance leaders, the role is not to direct cybersecurity efforts, but to help ensure technical insight flows into enterprise decision-making. By reinforcing integration through governance, measurement and cross-functional collaboration, CFOs and their teams can strengthen the organization’s capacity to anticipate, respond to and recover from disruption with confidence.
