Home
Webinar1.3 - From scenarios to Board appetite: the L2 taxonomy that changes governance
Final episode of the 3-episode series on: Cyber Risk Management, Rebuilt: From ISO 27005 to the Boardroom
What Marco Bresciani and Neil MacGowan covered:
- How to translate cyber scenarios into board-relevant business outcomes
- How to use a Level 2 taxonomy aligned to business impact and risk appetite
- How to integrate cyber into ERM and appetite/tolerance decisioning

This third webinar in a three-part series focused on how to move from cyber risk scenarios and quantified outputs to board-level discussions—specifically around risk appetite and regulatory reporting. The session emphasized that boards do not primarily care about cyber “scenarios”; they care about business outcomes and the impact those outcomes could have on the enterprise.
Key Topics Discussed
- Board priorities vs. cyber technical framing
- Boards focus on business impacts (e.g., revenue loss, reputation damage, regulatory consequences), not technical scenario details.
- Business-impact evidence using real incidents
- Retail example (Marks & Spencer, UK): the critical question is not “what happened,” but “how big is the expected impact” (stated impact: over £300M and profit disruption).
- Manufacturing example (Jaguar Land Rover): focus is on production uptime and supply chain impact (stated impact: 5,000+ vendors and >£1B impact on the UK economy).
- Financial services example (Medibank, Australia): an incident tied to compromised third-party credentials and weak MFA led to exposure of 9.7M sensitive records; downstream effects included regulators requiring $250M capital add-ons and ongoing class actions (and importantly: no cyber insurance coverage).
- Structural gap between security and leadership
- Security measures risk operationally (controls, vulnerabilities, SOC alerts).
- Leadership decides in financial/consequence terms (loss of revenue, customer churn, capital impact).
- The “translation layer” problem prevents meaningful board-level decision-making.
- Why cyber risk must be integrated into enterprise risk management (ERM)
- Boards have limited “decision bandwidth” and can’t govern 50+ scenarios.
- Budget competition requires a clear way to justify priorities.
- ERM focuses on consequences, making it the natural alignment point for cyber.
- Level 2 taxonomy and the translation layer method
- A structured taxonomy connects FAIR risk scenarios → Level 2 categories → enterprise risk categories.
- Level 2 categories are outcome-based (business impact), designed to remain stable even as threats evolve.
- Categories carry aggregated numbers derived from lower-level scenarios to support trend visibility and actionable reporting.
- Risk appetite alignment
- Risk appetite is used as a yardstick: compare exposure to a defined appetite and tolerance.
- The method supports board decisions such as acceptance vs. mitigation investment vs. insurance-limit review.
- Control analytics and next-step path
- The next webinar (July 2) will dive into FAIR-CAM/control analytics: how controls affect loss frequency vs. loss magnitude.
Key Takeaways
- Translate cyber scenarios into board-relevant business outcomes (loss of revenues, reputation, regulatory consequences) to enable governance.
- Use a Level 2 taxonomy aligned to business impact and risk appetite so reporting becomes comparable, actionable, and trend-based—not a long list of technical scenarios.
- Integrate cyber into ERM and appetite/tolerance decisioning to support pre-incident acceptance and mitigation choices (including reviewing cyber insurance limits).
> Replay is available: here
Lorem
Lorem ipsum dolor sit amet, consectetur adipiscing elit.
No items found.