Although cyber risk typically is cited as the biggest board preoccupation in terms of risk, at least among public and larger companies, other data suggests that preoccupation with cyber risk is over-stated.

According to the World Economic Forum (2015 study), the ten top “global risks” in order of likelihood places cyber-attacks tenth, well behind inter-country conflicts, collapses of national governments, extreme weather and the water crisis. And, in terms of impact, cyber-attacks do not even make the list of the top ten (water, infectious diseases and WMDs lead the list).

On the other hand, public boards (2015 NACD survey) indicate that at least one-third of all United States public directors consider the quality of information concerning cyber security, delivered by management, to be unsatisfactory, and a majority consider information quantifying that risk to be unsatisfactory.

Where do public companies place responsibility for risk oversight? During the last couple of years, one suspected a trend in designating specific Risk Committees. However, at the public company level, the audit committee continues by far to be the typical depository of that function. If there is any trend, it is towards placing ERM responsibility on the full board of directors, and not at any committee level.